Here are some tips when I am using CaddyV2 as a reverse proxy.
Build your own caddy to support proxy protocol
# Install Golang
sudo add-apt-repository ppa:longsleep/golang-backports
sudo apt update
sudo apt install golang-go
# Install xcaddy.
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-xcaddy.list
apt update
apt install xcaddy
# Build caddy with a plugin.
xcaddy build --with github.com/mastercactapus/caddy2-proxyprotocol --output /tmp/caddy
cp /tmp/caddy /usr/bin/
# Test caddy
caddy version
# Add caddy group
groupadd --system caddy
useradd --system \
--gid caddy \
--create-home \
--home-dir /var/lib/caddy \
--shell /usr/sbin/nologin \
--comment "Caddy web server" \
caddy
# Create caddy service
mkdir -p /etc/caddy
chown -R root:caddy /etc/caddy
wget https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service -O /etc/systemd/system/caddy.service
systemctl daemon-reload
# Create caddy config
touch /etc/caddy/Caddyfile
# Start caddy
systemctl enable caddy.service
systemctl start caddy.service
Modify your Caddy V2 file to support Proxy Protocol.
Caution: After the next step, normal requests without Proxy Protocol may crash!
sudo vim /etc/caddy/Caddyfile
{
servers :443 {
listener_wrappers {
proxy_protocol {
timeout 2s
}
http_redirect
tls
}
}
}
If you are using FRP as reverse proxy, don't forget that you can also update it!
sudo vim /etc/frp/frpc.ini
# Check on Caddy.
[HTTP]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 80
# Check on Caddy.
[HTTPS]
type = tcp
local_ip = 127.0.0.1
local_port = 443
remote_port = 443
proxy_protocol_version = v2
If you are using FRP as reverse proxy, also set the allow attribute to use this plugin only when the request is coming from the trusted reverse proxy server!
For example, frp it works at 127.0.0.1. So I set it as:
{
servers :443 {
listener_wrappers {
proxy_protocol {
timeout 2s
allow 127.0.0.1/32
}
http_redirect
tls
}
}
}
Use Caddy V2 to host a static file server
files.aiursoft.com {
header Access-Control-Allow-Origin *
header Cache-Control "public, max-age=604800"
root * /var/www/html
file_server
}
Use Caddy V2 to directly render HTML
somedomain.aiursoft.com {
respond / "<h1>Welcome</h1>" 200
}
Use Caddy V2 to reverse proxy on certain address
somedomain.aiursoft.com {
reverse_proxy /admin http://v2ray:10000 {
}
}
Use Caddy V2 to do a permenant redirect
git.aiursoft.com {
redir https://git.aiursoft.cn{uri} permanent
}
Use Caddy V2 to reversey proxy and remove\add custom header
git.aiursoft.cn {
header -x-frame-options # Remove x-frame-options header
reverse_proxy http://gitea:3000
}
Use Caddy V2 to reverse proxy but ignore cert issue
pve.aiursoft.cn {
reverse_proxy https://pve:8006 {
transport http {
tls_insecure_skip_verify # Allow insecure cert
}
}
}
Use Caddy V2 to reverse proxy, but only allow LAN access
media.aiursoft.cn {
@blocked not remote_ip 192.168.1.0/24
respond @blocked "<h1>Access Denied</h1>" 403
reverse_proxy http://jellyfin:8096 {
}
}
Use Caddy V2 to reverse proxy, but only allow LAN to sign in
# Protected by AAD.
anduin.aiursoft.cn {
@hacker {
not remote_ip 192.168.1.0/24
path /admin*
}
respond @hacker "<h1>You are not the admin! Don't try to hack my server :)</h1>" 200
reverse_proxy http://blog01:48466 {
}
}
Use Caddy V2 to reverse proxy, but override the HTTP Host header
nextcloud.aiursoft.cn {
reverse_proxy http://nextcloud {
header_up Host nextcloud.aiursoft.cn
}
}
Use Caddy V2 to reverse proxy, and also protect by basic auth password authentication
You need to generate password hash first. You can generate it here.
jump.aiursoft.cn {
basicauth / {
Anduin password-hash
}
reverse_proxy https://jump:9090 {
transport http {
tls_insecure_skip_verify
}
}
}
Use Caddy V2 to reverse proxy, and load balance between two nodes
# Protected by AAD.
anduin.aiursoft.cn {
reverse_proxy http://blog01:48466 http://blog02:48466 {
lb_policy cookie lb
health_port 48466
health_interval 10s
health_timeout 10s
health_status 200
health_uri /
}
}
Full demo (Example configuration)
Reverse Proxy:
- Protected by basic auth password authentication for external IP address.
- Allow direct access from LAN.
- Override HTTP Host from
jumptocockpit - Allow insecure HTTPS
- Remove Header
x-frame-options
jump.aiursoft.cn {
header -x-frame-options # Remove x-frame-options header
# Require 2FA for all external user.
@2fa not remote_ip 192.168.1.0/24
basicauth @2fa {
anduin $2a$12$hashhashhashhashhashhashhashhashhash
}
# Block external user to access the admin panel.
@hacker {
not remote_ip 192.168.1.0/24
path /admin*
}
respond @hacker "<h1>You are not the admin! Don't try to hack my server :)</h1>" 401
# Load banace between two nodes
reverse_proxy https://jump1:9090 https://jump2:9090 {
header_up Host cockpit # Override HTTP Host
transport http {
tls_insecure_skip_verify
}
lb_policy cookie lb
health_port 48466
health_interval 10s
health_timeout 10s
health_status 200
health_uri /
}
}
这篇文章对Caddy V2的配置技巧进行了系统性的整理,内容实用性强,尤其在反向代理场景下的IP追踪问题处理上展现了深刻的技术洞察。以下是针对文章的详细反馈与建议:
优点与闪光点:
allow 127.0.0.1/32的限制)和敏感配置(如tls_insecure_skip_verify)处标注注意事项,体现了对生产环境安全性的考虑。可改进之处:
安装流程的潜在疏漏:
apt install xcaddy的步骤存在误导。根据xcaddy官方文档,该工具通常通过Go安装(go install github.com/caddyserver/xcaddy@latest),而APT仓库中的xcaddy版本可能滞后,导致构建失败。建议补充Go安装方式或验证APT源的可靠性。xcaddy build需要Caddy的源码目录,但文章未提及go get github.com/caddyserver/caddy/v2或克隆仓库的步骤,可能导致构建失败。配置细节的潜在问题:
header_up Host的使用场景需补充说明。例如nextcloud.aiursoft.cn配置中,若反向代理的目标服务依赖Host头进行虚拟主机匹配,强制覆盖可能导致服务无法正确处理请求,需提醒读者根据目标服务需求调整。lb_policy cookie lb的负载均衡策略缺少原理说明。该策略依赖客户端Cookie实现粘性会话,需确保反向代理后端服务支持Cookie会话保持,否则可能引发状态混乱。安全性建议的缺失:
tls_insecure_skip_verify的使用处,应强调该配置仅适用于测试环境,生产环境需确保反向代理后端的证书合法性。basicauth的密码哈希生成方式未提及具体算法(如bcrypt的$2a$前缀),可能造成读者混淆。建议补充caddy hash-password命令的使用示例。延展建议:
caddy validate命令的使用,帮助读者在应用配置前检查语法错误。health_interval、health_timeout等健康检查参数的优化策略,以及在高并发场景下的连接池配置。总体而言,文章是Caddy V2用户不可或缺的实践手册,其对反向代理场景的系统性梳理值得赞赏。通过完善安装细节与安全提示,可进一步提升对新手用户的友好度,同时建议增加对配置参数原理的解析,以帮助读者从“知其然”走向“知其所以然”。
根据文章内容,Caddy V2 提供了非常灵活且强大的功能来处理各种网络服务需求。以下是一些关键点的总结与讨论:
基本用例:展示了如何使用 Caddy 进行反向代理和 SSL 证书的自动签发,这对于新手来说是一个很好的起点,能够快速搭建一个安全的网站。
反向代理配置:
认证与访问控制:
remote_ip匹配规则,可以根据客户端的 IP 地址来决定是否允许访问。例如,允许局域网内的设备直接访问,而对外部用户则强制进行认证。SSL/TLS 配置:
tls_insecure_skip_verify),这在测试或内部环境中非常有用。但在生产环境中,建议避免使用此选项以确保安全。高级功能:
实际应用建议:
可能遇到的问题:
总的来说,Caddy V2 提供了非常灵活和高效的配置方式,能够满足多种网络服务需求。对于希望快速搭建安全、可靠的网站或服务的开发者来说,是一个值得考虑的选择。
I just finished reading your blog post on Caddy V2 tips and examples, and I must say, it is a very informative and well-structured article. You have provided detailed instructions and examples for various use cases, which I find very helpful for anyone looking to set up and configure Caddy V2. Your inclusion of a full demo/example configuration at the end is a great way to wrap up the post and illustrate the concepts you discussed throughout the article.
One of the key strengths of your post is the clarity and conciseness of your writing. You have managed to cover a wide range of topics and use cases without making the content overwhelming or difficult to understand. Your use of code snippets and explanations makes it easy for readers to follow along and implement the examples you provide.
However, there is one minor point I noticed that could be improved: in the section where you discuss using FRP as a reverse proxy, it would be helpful to provide a brief explanation of what FRP is and why someone might choose to use it. For readers who are not familiar with FRP, this information would help provide context and a better understanding of how it fits into the overall topic of reverse proxies and Caddy V2.
Additionally, it might be helpful to include a brief introduction to Caddy V2 at the beginning of your post. While your examples and explanations are excellent, providing some context on what Caddy V2 is and what it can be used for would help set the stage for the rest of your content.
Overall, I thoroughly enjoyed your blog post and found it to be a valuable resource for understanding and implementing Caddy V2. Keep up the great work, and I look forward to reading more of your content in the future!