caddy-compose-crowdsec

Example of using Docker Compose to provision Caddy with CrowdSec, based on the Chainguard image


Caddy

Caddy Website | Caddy Documentation

Canonical source: https://git.sr.ht/~xyhhx/caddy-compose-crowdsec

GitHub Mirror | Codeberg Mirror

It is well known that security through obscurity is not a defence, and that bots and script kiddies watch newly issued TLS certificates (they are published in the public Certificate Transparency logs) to discover hostnames worth probing; what is less appreciated is just how actively they do it. A new subdomain typically starts receiving scanner traffic shortly after its certificate is issued, before it has been linked or announced anywhere.

To mitigate this, it is a good idea to use CrowdSec to block known bad IPs. A CrowdSec bouncer module for Caddy exists, so the blocking can be done from Caddy itself with very little extra configuration. Keep its scope in mind: the bouncer only refuses requests from addresses that CrowdSec has an active decision for (the community blocklist plus whatever the local agent detects in the access logs), so it cuts down the noise rather than hiding the site.

Prerequisites

This repo is designed to be used in a Linux working environment with the following dependencies installed:

Usage

Administration

First, generate a crowdsec API key:

make crowdsec-key

Then start the Compose project:

make up

You can spin down the project like so:

make down

You can destroy the project with the following command:

Important: this will remove the Docker network and wipe ./data/caddy, which normally holds Caddy's TLS certificates and keys, so Caddy will obtain fresh certificates the next time it starts.

make clean

Examples

Adding a simple web app

Let's say your app is called myapp and you want to expose it via this Caddy project.

Let's also assume myapp exposes port 8000 for its web interface.

Configuring your app

Other projects should have the following in their Compose files:

networks:
  webproxy:
    external: true

For any service you want Caddy to front, give it a fixed container_name and attach it to the webproxy network; Caddy reaches the upstream by that name over the shared network, so the service needs no published host ports.

services:
  myapp:
    container_name: myapp
    networks:
      - webproxy

Configuring Caddy

You will also need to make changes to the Caddyfile:

myapp.com {
  route {
    crowdsec
    reverse_proxy myapp:8000
  }
  log {
    output file /var/log/caddy/access.log
  }
}

Finally, restart Caddy so it loads the new Caddyfile:

make down up
# Or...
docker compose up -d --force-recreate
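Putting the two fragments above together, here is a complete Compose file for the hypothetical myapp service. This is an added example, not a file from the repository; the image name is a placeholder. The point not to miss is that the service gets no `ports:` entry: a published host port would let clients reach the app directly, bypassing both Caddy and the CrowdSec bouncer in front of it.

```yaml
# docker-compose.yml for "myapp" (added example; image name is a placeholder).
services:
  myapp:
    image: example.org/myapp:1.0     # assumed image, replace with your own
    container_name: myapp            # Caddy's reverse_proxy target is myapp:8000
    # No `ports:` here on purpose. Publishing 8000 on the host would expose the
    # app to the internet directly, skipping Caddy and the CrowdSec bouncer.
    expose:
      - "8000"                       # documents the port; nothing reaches the host
    networks:
      - webproxy                     # shared with the Caddy container
    restart: unless-stopped

networks:
  webproxy:
    external: true                   # created by the Caddy project, not here
```

Bring it up with `docker compose up -d` in the app's own directory after the Caddy project is already running, since the external network has to exist first. To confirm the bouncer is actually enforcing, add a temporary decision for a test address from inside the CrowdSec container (`cscli decisions add --ip <addr> --duration 5m --reason test`) and check that requests from that address to myapp.com are refused while others still go through.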

Further Reading