Differences

This shows you the differences between two versions of the page.

--- esxi:caddy_server [2020/07/03 15:36]
derek created
+++ esxi:caddy_server [2024/09/22 19:51] (current)
@@ Line 1: / Line 1: @@
 =====Caddy Server=====
-FIXME: Explain the page/service.
+Caddy is a reverse proxy and lightweight webserver that automatically acquires and uses https certificates.
+Caddy is used here to host a list of links, the Love Letter counter, and reverse proxy many internal sites.
 ====Setup====
-First, install a base installation of Photon OS with the following changes:
+  * Set up DNS with Cloudflare using [[web:cloudflare|This Guide]]
+  * For each domain used:
+    * Navigate to each domain > ''DNS'':
+      * Add wildcard CNAME record:
+        * ''Add record''
+        * ''Type'' > ''CNAME''
+        * ''Name'' > '*'
+        * ''Target'' > <domain name>
+        * ''Proxy status'' > ''DNS only''
+        * ''Save''
+      * Add a 'SRV' record for any minecraft servers to allow accessing them using subdomains instead of port numbers
+        * If not using a wildcard CNAME record, add a CNAME record for the desired subdomain as above
+        * ''Add record''
+        * ''Type'' > ''SRV''
+        * ''Name'' > '_minecraft._tcp'
+        * ''Priority'' & ''Weight'' > 0
+        * ''Port'' > <port configured in minecraft server>
+        * ''Target'' > <full sub.domain name desired>
+        * ''Save''
+Install a base installation of Photon OS with the following changes:
   * Hostname: ''Caddy''
   * CPU: 1
@@ Line 11: / Line 32: @@
 ===Install Caddy Server:===
-  * Add a port forwarding rule in your router for tcp, port ''http,https'' to the IP of the VM
+  * Add a port forwarding rule in your router for tcp, port: ''http,https'' to the IP of this VM
   * Using an SSH client, connect to <hostname>:50001 then run:
 <code bash>
-# FIXME: Allow http/https through iptables?
+# Allow http/https through iptables
-printf "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" >> /etc/systemd/scripts/ip4save
+sed -i "s/COMMIT/-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\nCOMMIT/" /etc/systemd/scripts/ip4save
-printf "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" >> /etc/systemd/scripts/ip4save
+reboot  # And then reconnect the SSH client
-# Download Caddy
+# Add the caddy group and user
-tdnf install tar
-mkdir /tmp/caddy
-cd /tmp/caddy
-# Copy the link for the "caddy_2.x.x_linux_amd64.tar.gz" file from https://github.com/caddyserver/caddy/releases/latest
-curl -OL "<DownloadLink>"
-tar -xzf <DownloadedFile>
-mv caddy /usr/bin/
-cd /
-rm -r /tmp/caddy
-# Add caddy group/user
 groupadd --system caddy
 useradd --system \
@@ Line 40: / Line 50: @@
     caddy
-# Setup startup
+cd /usr/bin
-cd /etc/systemd/system/
-curl -OL "https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service"
-systemctl daemon-reload
-systemctl enable caddy
-# Config file
+# Download Caddy
-mkdir /etc/caddy
+curl -L -o "caddy" "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2Fgreenpau%2Fcaddy-security&p=github.com%2Fcaddyserver%2Fntlm-transport&idempotency=99104049722873"
-chmod 755 /etc/caddy
+chmod 755 caddy
-cd /etc/caddy
-# FIXME: Download Caddyfile
-chmod 644 Caddyfile
-systemctl start caddy
+# Config file and html pages
+curl -L -o "fetch" "https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64"
+chmod u+x fetch
+# Generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
+# Enter the key when this command asks
+read -rp "Enter github api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
+# Reload the shell so it exports the tokens in this session
+exec $SHELL
-# View the Caddy log
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
-journalctl -u caddy
+chmod -R a=r,u+w,a+X /etc/caddy
-# Use updated config file
+# Setup caddy startup service
-systemctl reload caddy
+curl -L -o /etc/systemd/system/caddy.service "https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service"
+systemctl daemon-reload
+# Get a DNS API token from https://dash.cloudflare.com/profile/api-tokens:
+#   Edit zone DNS > Use template:
+#     Zone.Zone:Read permission
+#     Access to all zones
+#   Save/keep open the API token
+#   Edit zone DNS > Use template:
+#     Zone.DNS:Edit permission
+#     Restriction of the domain you're managing with Caddy
+#   Save/keep open the API token
+# Set up Google OAuth 2.0:
+#   Go to: [[https://console.cloud.google.com/projectcreate]]
+#   Follow the guide on [[https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0002-google]]
+#   Save/keep open the Client ID/Secret
+systemctl edit caddy
+# Paste in the following lines with their respective keys filled in:
+[Service]
+Environment="CF_ZONE_TOKEN="
+Environment="CF_API_TOKEN="
+Environment="GOOGLE_CLIENT_ID="
+Environment="GOOGLE_CLIENT_SECRET="
+# Then save and exit the file with: ESC, :wq
+# Enable and run the Caddy service
+systemctl enable --now caddy
 </code>
   * Edit the VM note and append the following:
 <code>
+,443/tcp Http,Https Caddy
 </code>
   * Save a snapshot called ''Configured''
+====Notes====
+<code bash>
+# View the Caddy log (add -n <num> to see the latest <num> entries, or -f to actively follow the log)
+journalctl -u caddy
+# Use updated config file
+systemctl reload caddy
+</code>
+Edit the Caddyfile at [[https://github.com/Archer4499/Configs/blob/master/Server/Caddy/Caddyfile]] to add or modify services then follow the command in [[#Update]] to update the file in the VM.
+Services that require setting Trusted Proxies:
+  * [[esxi:xpenology]]
+  * [[home:Home Assistant]]
+  * [[esxi:AMP Game Server]]
+@No_Backup
 ====Update====
 {{page>esxi:photon_os#Update&noheader}}
-  * FIXME: Describe update Process
+Check for updates and changelogs from: [[https://github.com/caddyserver/caddy/releases/latest]]
-  * Include in update all page using ''%%{{page>esxi:caddy_server#Update}}%%''
 <code bash>
-# Copy the link for the "caddy_2.x.x_linux_amd64.tar.gz" file from https://github.com/caddyserver/caddy/releases/latest
+# Check the current running version
-curl -OL "<DownloadLink>"
+caddy version
-tar -xzf <DownloadedFile>
-mv caddy /usr/bin/
+# Update Caddy
-cd /
+caddy update
-rm -r /tmp/caddy
+chmod 755 /usr/bin/caddy
+systemctl reload caddy
+# Once a year generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
+# Enter the key when this command asks
+read -rp "Enter api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
+# Reload the shell so it exports the tokens in this session
+exec $SHELL
+# Update just the Caddy config
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy/Caddyfile" /etc/caddy/Caddyfile
+# Update Config and HTML
+# Remove old folder if any files have been deleted/moved/renamed
+rm -r /etc/caddy
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
+chmod -R a=r,u+w,a+X /etc/caddy
+# Test updated Caddyfile
+caddy validate --config /etc/caddy/Caddyfile
+# Use updated config file
+systemctl reload caddy
 </code>
 ====Sources====
   * [[https://caddyserver.com/docs]]

Guides

User Tools

Site Tools

Differences

Page Tools