Guides

Caddy Server

Caddy is a reverse proxy and lightweight webserver that automatically acquires and uses https certificates. Caddy is used here to host a list of links, the Love Letter counter, and reverse proxy many internal sites.

Setup

Set up DNS with Cloudflare using This Guide
For each domain used:
- Navigate to each domain > DNS:
  - Add wildcard CNAME record:
    - Add record
    - Type > CNAME
    - Name > '*'
    - Target > <domain name>
    - Proxy status > DNS only
    - Save
  - Add a 'SRV' record for any minecraft servers to allow accessing them using subdomains instead of port numbers
    - If not using a wildcard CNAME record, add a CNAME record for the desired subdomain as above
    - Add record
    - Type > SRV
    - Name > '_minecraft._tcp'
    - Priority & Weight > 0
    - Port > <port configured in minecraft server>
    - Target > <full sub.domain name desired>
    - Save

Install a base installation of Photon OS with the following changes:

Hostname: Caddy
CPU: 1
Memory: 2GB

Setup minimal installed profile of PhotonOS

Download the latest Photon OS OVA with virtual hardware v15 from https://github.com/vmware/photon/wiki/Downloading-Photon-OS
In ESXi:
- Create/Register VM:
  - Deploy a virtual machine from an OVF or OVA file
  - Name the VM
  - Upload the Photon OS OVA file
  - Specify the desired Target Datastore
  - Accept the License Agreement
  - Deselect Power on automatically
  - Confirm settings and Finish
- Wait for the files to upload
- If autostart is desired for this machine go to Host > Manage > System > Autostart:
  - Click on the current VM
  - Enable
  - Use Start earlier and Start later to set the desired order
- Go to Virtual Machines on the sidebar and click on the current VM
- Actions > Edit Settings:
  - Set the required CPU and Memory requirements
  - If using NVMe storage for the datastore:
    - Add other device > NVMe controller
    - Hard Disk 1 > Controller location > NVMe controller 0
    - Save and reopen Edit Settings
    - Remove SCSI controller 0
  - Select other appropriate VM settings depending on desired applications
- Power on the VM, then shut it down again to generate a MAC address
- Give the VM a static IP address from your router using the generated MAC address (found under Hardware Configuration > Network adapter 1) and desired hostname
- Power on the VM
- Using an SSH client, connect to the hostname set above, then run:

# Login with root details from the VM note
# Follow instructions to set new password
 
# Remove docker related packages if not needed to save space and faster updates
tdnf erase containerd docker docker-cli docker-engine
 
# Update packages:
tdnf upgrade
tdnf clean all
 
# Disable password expiry:
chage -M -1 root
 
# Set new hostname:
hostnamectl set-hostname <hostname-as-set-in-router>
 
# Set the timezone to Perth
ln -sf /usr/share/zoneinfo/Australia/Perth /etc/localtime
 
# Change the SSH port to 50001:
sed -i "s/#Port 22/Port 50001/" /etc/ssh/sshd_config
sed -i "s/-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT/-A INPUT -p tcp -m tcp --dport 50001 -m state --state NEW -j ACCEPT/" /etc/systemd/scripts/ip4save
 
exit

Shut down the VM
Edit VM note to be the following:

Minimal installed profile of PhotonOS
User: root

Ports:
50001/tcp SSH

Save a snapshot called Base Install

2020/05/18 18:24 · derek

Install Caddy Server:

Add a port forwarding rule in your router for tcp, port: http,https to the IP of this VM
Using an SSH client, connect to <hostname>:50001 then run:

# Allow http/https through iptables
sed -i "s/COMMIT/-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\nCOMMIT/" /etc/systemd/scripts/ip4save
reboot  # And then reconnect the SSH client
 
# Add the caddy group and user
groupadd --system caddy
useradd --system \
    --gid caddy \
    --create-home \
    --home-dir /var/lib/caddy \
    --shell /usr/sbin/nologin \
    --comment "Caddy web server" \
    caddy
 
cd /usr/bin
 
# Download Caddy
curl -L -o "caddy" "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2Fgreenpau%2Fcaddy-security&p=github.com%2Fcaddyserver%2Fntlm-transport&idempotency=99104049722873"
chmod 755 caddy
 
# Config file and html pages
curl -L -o "fetch" "https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64"
chmod u+x fetch
 
# Generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
# Enter the key when this command asks
read -rp "Enter github api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
# Reload the shell so it exports the tokens in this session
exec $SHELL
 
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
chmod -R a=r,u+w,a+X /etc/caddy
 
# Setup caddy startup service
curl -L -o /etc/systemd/system/caddy.service "https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service"
systemctl daemon-reload
 
# Get a DNS API token from https://dash.cloudflare.com/profile/api-tokens:
#   Edit zone DNS > Use template:
#     Zone.Zone:Read permission
#     Access to all zones
#   Save/keep open the API token
#   Edit zone DNS > Use template:
#     Zone.DNS:Edit permission
#     Restriction of the domain you're managing with Caddy
#   Save/keep open the API token
 
# Set up Google OAuth 2.0:
#   Go to: [[https://console.cloud.google.com/projectcreate]]
#   Follow the guide on [[https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0002-google]]
#   Save/keep open the Client ID/Secret
 
systemctl edit caddy
# Paste in the following lines with their respective keys filled in:
[Service]
Environment="CF_ZONE_TOKEN="
Environment="CF_API_TOKEN="
Environment="GOOGLE_CLIENT_ID="
Environment="GOOGLE_CLIENT_SECRET="
# Then save and exit the file with: ESC, :wq
 
# Enable and run the Caddy service
systemctl enable --now caddy

Edit the VM note and append the following:

80,443/tcp Http,Https Caddy

Save a snapshot called Configured

Notes

# View the Caddy log (add -n <num> to see the latest <num> entries, or -f to actively follow the log)
journalctl -u caddy
 
# Use updated config file
systemctl reload caddy

Edit the Caddyfile at https://github.com/Archer4499/Configs/blob/master/Server/Caddy/Caddyfile to add or modify services then follow the command in Update to update the file in the VM.

Services that require setting Trusted Proxies:

@No_Backup

Update

If desired, Log in to ESXi, navigate to the photon based VM and create new temporary snapshot
Using an SSH client, connect to <hostname>:50001 then run:

tdnf upgrade
tdnf clean all
reboot  # If desired/needed

2020/05/18 18:24 · derek

Check for updates and changelogs from: https://github.com/caddyserver/caddy/releases/latest

# Check the current running version
caddy version
 
# Update Caddy
caddy update
chmod 755 /usr/bin/caddy
systemctl reload caddy
 
# Once a year generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
# Enter the key when this command asks
read -rp "Enter api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
# Reload the shell so it exports the tokens in this session
exec $SHELL
 
# Update just the Caddy config
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy/Caddyfile" /etc/caddy/Caddyfile
 
# Update Config and HTML
# Remove old folder if any files have been deleted/moved/renamed
rm -r /etc/caddy
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
chmod -R a=r,u+w,a+X /etc/caddy
 
# Test updated Caddyfile
caddy validate --config /etc/caddy/Caddyfile
 
# Use updated config file
systemctl reload caddy

Sources

https://caddyserver.com/docs

Guides

User Tools

Site Tools

Table of Contents