Differences

This shows you the differences between two versions of the page.

--- esxi:caddy_server [2020/07/05 17:25]
derek
+++ esxi:caddy_server [2025/12/25 09:41] (current)
derek
@@ Line 1: / Line 1: @@
 =====Caddy Server=====
-FIXME: Explain the page/service.
+Caddy is a reverse proxy and lightweight webserver that automatically acquires and uses https certificates.
-Using Caddy to host the list, Love Letter counter, and reverse proxy many internal sites
+Caddy is used here to host a list of links, the Love Letter counter, and reverse proxy many internal sites.
 ====Setup====
-First, install a base installation of Photon OS with the following changes:
+  * Set up DNS with Cloudflare using [[web:cloudflare|This Guide]]
+  * For each domain used:
+    * Navigate to each domain > ''DNS'':
+      * Add wildcard CNAME record:
+        * ''Add record''
+        * ''Type'' > ''CNAME''
+        * ''Name'' > '*'
+        * ''Target'' > <domain name>
+        * ''Proxy status'' > ''DNS only''
+        * ''Save''
+      * Add a 'SRV' record for any minecraft servers to allow accessing them using subdomains instead of port numbers
+        * If not using a wildcard CNAME record, add a CNAME record for the desired subdomain as above
+        * ''Add record''
+        * ''Type'' > ''SRV''
+        * ''Name'' > '_minecraft._tcp'
+        * ''Priority'' & ''Weight'' > 0
+        * ''Port'' > <port configured in minecraft server>
+        * ''Target'' > <full sub.domain name desired>
+        * ''Save''
+Install a base installation of Photon OS with the following changes:
   * Hostname: ''Caddy''
   * CPU: 1
@@ Line 12: / Line 32: @@
 ===Install Caddy Server:===
-  * Add a port forwarding rule in your router for tcp, port ''http,https'' to the IP of the VM
+  * Add a port forwarding rule in your router for tcp, port: ''http,https'' to the IP of this VM
   * Using an SSH client, connect to <hostname>:50001 then run:
@@ Line 19: / Line 39: @@
 sed -i "s/COMMIT/-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\nCOMMIT/" /etc/systemd/scripts/ip4save
 reboot  # And then reconnect the SSH client
-# Download Caddy
-tdnf install tar
-mkdir /tmp/caddydir
-# Copy the link for the "caddy_2.x.x_linux_amd64.tar.gz" file from https://github.com/caddyserver/caddy/releases/latest
-curl -L -o /tmp/caddydir/caddy.tar.gz "<DownloadLink>"
-tar -xzf caddy.tar.gz -C /tmp/caddydir
-mv /tmp/caddydir/caddy /usr/bin/
-rm /tmp/caddydir/*
 # Add the caddy group and user
@@ Line 39: / Line 50: @@
     caddy
-# Config file and html pages
 cd /usr/bin
+# Download Caddy
+curl -L -o "caddy" "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2Fgreenpau%2Fcaddy-security&p=github.com%2Fcaddyserver%2Fntlm-transport&idempotency=99104049722873"
+chmod 755 caddy
+# Config file and html pages
 curl -L -o "fetch" "https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64"
 chmod u+x fetch
-# Generate a GitHub Personal Access Token at https://github.com/settings/tokens
-fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" --github-oauth-token="<GitHub PAT>" /etc/caddy
+# Generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
+# Enter the key when this command asks
+read -rp "Enter github api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
+# Reload the shell so it exports the tokens in this session
+exec $SHELL
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
 chmod -R a=r,u+w,a+X /etc/caddy
-# Setup startup, and run
+# Setup caddy startup service
 curl -L -o /etc/systemd/system/caddy.service "https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service"
 systemctl daemon-reload
-systemctl enable caddy
-systemctl start caddy
+# Get a DNS API token from https://dash.cloudflare.com/profile/api-tokens:
+#   Edit zone DNS > Use template:
+#     Zone.DNS:Edit permission
+#     Add a Permissions entry for: Zone.Zone:Read
+#     Restriction of the domain you're managing with Caddy
+#   Save/keep open the API token
+# Set up Google OAuth 2.0:
+#   Go to: [[https://console.cloud.google.com/projectcreate]]
+#   Follow the guide on [[https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0002-google]]
+#   Save/keep open the Client ID/Secret
+systemctl edit caddy
+# Paste in the following lines with their respective keys filled in:
+[Service]
+Environment="CF_API_TOKEN="
+Environment="GOOGLE_CLIENT_ID="
+Environment="GOOGLE_CLIENT_SECRET="
+# Then save and exit the file with: ESC, :wq
+# Enable and run the Caddy service
+systemctl enable --now caddy
 </code>
-  * Edit the VM note and append the following FIXME:
+  * Edit the VM note and append the following:
 <code>
+,443/tcp Http,Https Caddy
 </code>
   * Save a snapshot called ''Configured''
@@ Line 67: / Line 111: @@
 systemctl reload caddy
 </code>
+Edit the Caddyfile at [[https://github.com/Archer4499/Configs/blob/master/Server/Caddy/Caddyfile]] to add or modify services then follow the command in [[#Update]] to update the file in the VM.
+Services that require setting Trusted Proxies:
+  * [[esxi:xpenology]]
+  * [[home:Home Assistant]]
+  * [[esxi:AMP Game Server]]
 @No_Backup
@@ Line 73: / Line 124: @@
 {{page>esxi:photon_os#Update&noheader}}
+Check for updates and changelogs from: [[https://github.com/caddyserver/caddy/releases/latest]]
 <code bash>
-# Update Caddy
+# Check the current running version
 caddy version
-# Compare with the version from https://github.com/caddyserver/caddy/releases/latest and copy the link for the "caddy_2.x.x_linux_amd64.tar.gz" file if newer
-curl -L -o /tmp/caddydir/caddy.tar.gz "<DownloadLink>"
+# Update Caddy
-tar -xzf caddy.tar.gz -C /tmp/caddydir
+caddy update
-mv /tmp/caddydir/caddy /usr/bin/
+chmod 755 /usr/bin/caddy
-rm /tmp/caddydir/*
 systemctl reload caddy
-# Update just config
+# Once a year generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
-# Generate a GitHub Personal Access Token at https://github.com/settings/tokens
+# Enter the key when this command asks
-fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy/Caddyfile" --github-oauth-token="<GitHub PAT>" /etc/caddy/Caddyfile
+read -rp "Enter api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
+# Reload the shell so it exports the tokens in this session
+exec $SHELL
+# Update just the Caddy config
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy/Caddyfile" /etc/caddy/Caddyfile
 # Update Config and HTML
+# Remove old folder if any files have been deleted/moved/renamed
 rm -r /etc/caddy
-# Generate a GitHub Personal Access Token at https://github.com/settings/tokens
+fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
-fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" --github-oauth-token="<GitHub PAT>" /etc/caddy
 chmod -R a=r,u+w,a+X /etc/caddy
+# Test updated Caddyfile
+caddy validate --config /etc/caddy/Caddyfile
 # Use updated config file

Guides

User Tools

Site Tools

Differences

Page Tools