Caddy Server

Caddy is a reverse proxy and lightweight web server that automatically acquires and uses HTTPS certificates. Here it is used to host a list of links and the Love Letter counter, and to reverse-proxy many internal sites.

Setup

  • Set up DNS with Cloudflare using This Guide
  • For each domain used:
    • Navigate to each domain > DNS:
      • Add wildcard CNAME record:
        • Add record
        • Type > CNAME
        • Name > '*'
        • Target > <domain name>
        • Proxy status > DNS only
        • Save
      • Add an 'SRV' record for any Minecraft servers so they can be reached by subdomain instead of by port number
        • Add record
        • Type > SRV
        • Name > '_minecraft._tcp'
        • Priority & Weight > 0
        • Port > <port configured in minecraft server>
        • Target > <full sub.domain name desired>
        • Save

Install a base Photon OS VM as described in the following section, with these changes:

  • Hostname: Caddy
  • CPU: 1
  • Memory: 2GB

Set up a minimal installed profile of Photon OS

  • Download the latest Photon OS OVA with virtual hardware v15 from https://github.com/vmware/photon/wiki/Downloading-Photon-OS
  • In ESXi:
    • Create/Register VM:
      • Deploy a virtual machine from an OVF or OVA file
      • Name the VM
      • Upload the Photon OS OVA file
      • Specify the desired Target Datastore
      • Accept the License Agreement
      • Deselect Power on automatically
      • Confirm settings and Finish
    • Wait for the files to upload
    • If autostart is desired for this machine go to Host > Manage > System > Autostart:
      • Click on the current VM
      • Enable
      • Use Start earlier and Start later to set the desired order
    • Go to Virtual Machines on the sidebar and click on the current VM
    • Actions > Edit Settings:
      • Set the required CPU and Memory requirements
      • If using NVMe storage for the datastore:
        • Add other device > NVMe controller
        • Hard Disk 1 > Controller location > NVMe controller 0
        • Save and reopen Edit Settings
        • Remove SCSI controller 0
      • Select other appropriate VM settings depending on desired applications
    • Power on the VM, then shut it down again to generate a MAC address
    • Give the VM a static IP address from your router using the generated MAC address (found under Hardware Configuration > Network adapter 1) and desired hostname
    • Power on the VM
    • Using an SSH client, connect to the hostname set above, then run:
# Login with root details from the VM note
# Follow instructions to set new password
 
# Remove the Docker-related packages if they are not needed, to save space and make updates faster
tdnf erase containerd docker docker-cli docker-engine
 
# Update packages:
tdnf upgrade
tdnf clean all
 
# Disable password expiry:
chage -M -1 root
 
# Set new hostname:
hostnamectl set-hostname <hostname-as-set-in-router>
 
# Set the timezone to Perth
ln -sf /usr/share/zoneinfo/Australia/Perth /etc/localtime
 
# Change the SSH port to 50001:
sed -i "s/#Port 22/Port 50001/" /etc/ssh/sshd_config
sed -i "s/-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT/-A INPUT -p tcp -m tcp --dport 50001 -m state --state NEW -j ACCEPT/" /etc/systemd/scripts/ip4save
 
exit
  • Shut down the VM
  • Edit VM note to be the following:
Minimal installed profile of PhotonOS
User: root

Ports:
50001/tcp SSH
  • Save a snapshot called Base Install
2020/05/18 18:24 · derek
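The sed edits above rewrite the SSH firewall rule in /etc/systemd/scripts/ip4save, and the Caddy install section later adds the 80/443 rules the same way. A sed that matches nothing fails silently, so after the reboot sshd can be listening on 50001 while the firewall still only accepts 22. The functions below are an added example, not commands from this wiki page: they insert a rule only once, remove a rule, and verify the result before you reboot. The ip4save layout used here is a constructed sample, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the wiki page): idempotent edits of an iptables-save
# style file such as Photon OS's /etc/systemd/scripts/ip4save, with a check that
# the rule is really present so a silent sed miss cannot lock you out on reboot.

# Constructed sample resembling a fresh ip4save (not copied from a real host).
make_sample_ip4save() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Succeed if file $1 already accepts new TCP connections on port $2.
has_tcp_accept() {
  grep -Eq -- "^-A INPUT -p tcp -m tcp --dport $2( -m state --state NEW)? -j ACCEPT\$" "$1"
}

# Add an ACCEPT rule for TCP port $2 immediately before COMMIT in $1, only once.
# Rewrites through awk and a temp file; the page's sed "\n" replacement is GNU-only.
allow_tcp_port() {
  file=$1; port=$2
  has_tcp_accept "$file" "$port" && return 0
  rule="-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
  awk -v rule="$rule" '$0 == "COMMIT" { print rule } { print }' "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
  has_tcp_accept "$file" "$port"   # non-zero exit if the edit did not take
}

# Remove the ACCEPT rule for TCP port $2 (e.g. close 22 once SSH listens on 50001).
deny_tcp_port() {
  file=$1; port=$2
  awk -v port="$port" '
    $0 ~ ("^-A INPUT -p tcp -m tcp --dport " port "( -m state --state NEW)? -j ACCEPT$") { next }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  ! has_tcp_accept "$file" "$port"
}

# Pre-reboot sanity check: the file still ends with COMMIT and SSH port $2 is open.
ip4save_ok() {
  [ "$(tail -n 1 "$1")" = "COMMIT" ] && has_tcp_accept "$1" "$2"
}

# Usage on the real host (as root), then reboot only if the check passes:
#   allow_tcp_port /etc/systemd/scripts/ip4save 50001 && deny_tcp_port /etc/systemd/scripts/ip4save 22
#   ip4save_ok /etc/systemd/scripts/ip4save 50001 || echo "do not reboot yet"
```

Because allow_tcp_port is idempotent, it is safe to re-run the step after a failed or interrupted session, which the page's COMMIT-replacing sed is not (each run appends another copy of the rules).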

Install Caddy Server

  • Add a port-forwarding rule in your router for TCP ports http and https (80 and 443) to the IP of this VM
  • Using an SSH client, connect to <hostname>:50001 then run:
# Allow http/https through iptables
sed -i "s/COMMIT/-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\nCOMMIT/" /etc/systemd/scripts/ip4save
reboot  # And then reconnect the SSH client
 
# Add the caddy group and user
groupadd --system caddy
useradd --system \
    --gid caddy \
    --create-home \
    --home-dir /var/lib/caddy \
    --shell /usr/sbin/nologin \
    --comment "Caddy web server" \
    caddy
 
cd /usr/bin
 
# Download Caddy
curl -L -o "caddy" "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2Fgreenpau%2Fcaddy-security&p=github.com%2Fcaddyserver%2Fntlm-transport&idempotency=99104049722873"
chmod 755 caddy
 
# Config file and html pages
curl -L -o "fetch" "https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64"
chmod u+x fetch
 
# Generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
# Enter the key when this command asks
read -rp "Enter github api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
# Reload the shell so it exports the tokens in this session
exec $SHELL
 
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
chmod -R a=r,u+w,a+X /etc/caddy
 
# Setup caddy startup service
curl -L -o /etc/systemd/system/caddy.service "https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service"
systemctl daemon-reload
 
# Get a DNS API token from https://dash.cloudflare.com/profile/api-tokens:
#   Edit zone DNS > Use template:
#     Zone.Zone:Read permission
#     Access to all zones
#   Save/keep open the API token
#   Edit zone DNS > Use template:
#     Zone.DNS:Edit permission
#     Restriction of the domain you're managing with Caddy
#   Save/keep open the API token
 
# Set up Google OAuth 2.0:
#   Go to: https://console.cloud.google.com/projectcreate
#   Follow the guide at https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0002-google
#   Save/keep open the Client ID/Secret
 
systemctl edit caddy
# Paste in the following lines with their respective keys filled in:
[Service]
Environment="CF_ZONE_TOKEN="
Environment="CF_API_TOKEN="
Environment="GOOGLE_CLIENT_ID="
Environment="GOOGLE_CLIENT_SECRET="
# Then save and exit the file with: ESC, :wq
 
# Enable and run the Caddy service
systemctl enable --now caddy
  • Edit the VM note and append the following:
80,443/tcp Http,Https Caddy
  • Save a snapshot called Configured
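The `systemctl edit caddy` step above puts the Cloudflare and Google secrets into a unit drop-in that is normally world-readable (mode 0644 under the usual umask), and the GitHub token written to /etc/profile.d/github_token.sh has the same exposure. The following is an added example, not part of this wiki page or of Caddy's own packaging: it keeps the secrets in a root-only file and points the drop-in at it with systemd's `EnvironmentFile=` directive. /etc/caddy/caddy.env is an assumed location; the directories are parameters so the functions can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the wiki page): store Caddy's secrets in a 0600 file
# referenced by EnvironmentFile= instead of inline Environment= lines in the
# drop-in. Paths are parameters; /etc/caddy/caddy.env is an assumed location.

# Write KEY=VALUE lines from stdin into $1 with mode 0600. The umask is set in a
# subshell so the file is never created with a looser mode, even briefly.
write_secret_env() {
  ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# Write $1/caddy.service.d/override.conf referencing the env file $2
# (on the real host $1 is /etc/systemd/system).
write_dropin() {
  mkdir -p "$1/caddy.service.d" &&
    printf '[Service]\nEnvironmentFile=%s\n' "$2" > "$1/caddy.service.d/override.conf"
}

# Succeed only if the env file $1 is mode 0600, the drop-in under $2 references
# it, and none of the secret values leaked into the drop-in itself.
check_secret_layout() {
  env_file=$1; dropin=$2/caddy.service.d/override.conf
  [ -n "$(find "$env_file" -perm 600 2>/dev/null)" ] || return 1
  grep -qF -- "EnvironmentFile=$env_file" "$dropin" || return 1
  while IFS='=' read -r key val; do
    [ -n "$key" ] && [ -n "$val" ] || continue
    grep -qF -- "$val" "$dropin" && return 1
  done < "$env_file"
  return 0
}

# Usage on the real host (as root), followed by: systemctl daemon-reload && systemctl restart caddy
#   printf 'CF_ZONE_TOKEN=%s\nCF_API_TOKEN=%s\nGOOGLE_CLIENT_ID=%s\nGOOGLE_CLIENT_SECRET=%s\n' \
#     "$zone" "$api" "$id" "$secret" | write_secret_env /etc/caddy/caddy.env
#   write_dropin /etc/systemd/system /etc/caddy/caddy.env
#   check_secret_layout /etc/caddy/caddy.env /etc/systemd/system || echo "secrets layout wrong"
```

The same write_secret_env function can replace the `echo "export GITHUB_OAUTH_TOKEN=..." > /etc/profile.d/github_token.sh` line, but note that anything in /etc/profile.d is sourced by every login shell, so a 0600 file there only helps on a host where root is the only interactive user, as it is on this VM.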

Notes

# View the Caddy log (add -n <num> to see the latest <num> entries, or -f to actively follow the log)
journalctl -u caddy
 
# Use updated config file
systemctl reload caddy

@No_Backup

Update

  • If desired, log in to ESXi, navigate to the Photon-based VM and create a new temporary snapshot
  • Using an SSH client, connect to <hostname>:50001 then run:
tdnf upgrade
tdnf clean all
reboot  # If desired/needed

Check for updates and changelogs from: https://github.com/caddyserver/caddy/releases/latest

# Check the current running version
caddy version
 
# Update Caddy
caddy update
systemctl reload caddy
 
# Once a year generate a GitHub Personal Access Token at https://github.com/settings/tokens with Read-Only Contents access to the Configs repo
# Enter the key when this command asks
read -rp "Enter api token: " token && echo "export GITHUB_OAUTH_TOKEN=$token" > /etc/profile.d/github_token.sh
# Reload the shell so it exports the tokens in this session
exec $SHELL
 
# Update just the Caddy config
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy/Caddyfile" /etc/caddy/Caddyfile
 
# Update Config and HTML
# Remove old folder if any files have been deleted/moved/renamed
rm -r /etc/caddy
fetch --repo="https://github.com/Archer4499/Configs" --branch="master" --source-path="/Server/Caddy" /etc/caddy
chmod -R a=r,u+w,a+X /etc/caddy
 
# Test updated Caddyfile
caddy validate --config /etc/caddy/Caddyfile
 
# Use updated config file
systemctl reload caddy
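The update sequence above removes /etc/caddy before fetching the new tree, and reloads Caddy whether or not `caddy validate` passed, so a failed fetch or a bad Caddyfile leaves the proxy without a usable config. The following is an added example, not the wiki's own commands: fetch into a staging directory, validate there, and swap the live tree only on success, keeping the previous tree for rollback. The directory names and the validator command are parameters (assumed names) so the logic can be exercised on a scratch tree; on the real host they would be /etc/caddy and `caddy validate --config`.

```shell
#!/bin/sh
# Added example (not from the wiki page): validate-then-swap deployment of the
# Caddy config directory, with the previous tree kept for rollback.

# stage_and_swap NEW LIVE VALIDATOR...
# Runs "VALIDATOR... NEW/Caddyfile"; on success moves LIVE to LIVE.prev and NEW
# to LIVE and re-applies the page's permissions. Returns 1 and leaves LIVE
# untouched if NEW has no Caddyfile or validation fails.
stage_and_swap() {
  new=$1; live=$2; shift 2
  [ -f "$new/Caddyfile" ] || { echo "no Caddyfile in $new" >&2; return 1; }
  "$@" "$new/Caddyfile" || { echo "validation failed; $live left unchanged" >&2; return 1; }
  rm -rf "$live.prev"
  [ -d "$live" ] && mv "$live" "$live.prev"
  mv "$new" "$live" &&
    chmod -R a=r,u+w,a+X "$live"
}

# rollback LIVE: restore LIVE.prev over LIVE. Returns 1 if there is nothing to restore.
rollback() {
  live=$1
  [ -d "$live.prev" ] || return 1
  rm -rf "$live"
  mv "$live.prev" "$live"
}

# Usage on the real host (as root); reload only after the swap succeeded:
#   fetch --repo="https://github.com/Archer4499/Configs" --branch="master" \
#     --source-path="/Server/Caddy" /etc/caddy.new
#   stage_and_swap /etc/caddy.new /etc/caddy caddy validate --config && systemctl reload caddy
#   # if the new config misbehaves at runtime:
#   rollback /etc/caddy && systemctl reload caddy
```

Validating in the staging directory means the live tree is never in a half-replaced state, and the previous tree survives until the next successful update, so a rollback does not require another fetch or GitHub token.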

Sources

esxi/caddy_server.1722286314.txt.gz · Last modified: 2024/09/22 19:51 (external edit)