Caddy Webserver Config - cloudron-io/wekan GitHub Wiki
Caddy OAuth2 with Let's Encrypt SSL example
CloudFlare free wildcard SSL start
Also works with other SSL certs.
1) Requirements: You have changed nameservers to CloudFlare.
2) Get CloudFlare SSL wildcard Origin Certificate
Go to CloudFlare login/example.com/Crypto/Origin Certificates.
Create and download certs for *.example.com, example.com
3) Create directory /var/snap/wekan/common/certs
sudo su
cd /var/snap/wekan/common
mkdir certs
cd certs
4) Create cert file
Create file: example.com.pem with content of CloudFlare Origin Certificates.
nano example.com.pem
There add certs:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Then Save: Ctrl-o Enter
Then Exit: Ctrl-x.
5) Set permissions rw-r--r-- to example.com.pem:
chmod 644 example.com.pem
6) Edit Caddy webserver config
sudo nano /var/snap/wekan/common/Caddyfile
There change config:
http://example.com https://example.com {
tls {
load /var/snap/wekan/common/certs
alpn http/1.1
}
proxy / localhost:3001 {
websocket
transparent
}
}
Save: Ctrl-o Enter
Exit: Ctrl-x
Enable Caddy:
sudo snap set wekan caddy-enabled='true'
sudo snap set wekan port='3001'
sudo snap set wekan root-url='https://example.com'
7) Enable CloudFlare SSL
Click CloudFlare login/example.com/DNS.
Check that status of your domains have orange cloud color, so traffic goes through CloudFlare SSL.
Click CloudFlare login/example.com/Page Rules. Set for example:
1) http://example.com/*
Always Use HTTPS
2) http://*.example.com/*
Always use HTTPS
Optionally, if you want caching:
3) *example.com/*
Cache Level: Cache Everything
CloudFlare free wildcard SSL end
Other config stuff
List of Let's Encrypt implementations
Caddy webserver config with logs
Create directory for caddy, website and logs:
mkdir -p ~/caddy/example.com ~/caddy/logs
Add this config to ~/caddy/Caddyfile
There's also some extra examples.
example.com {
root /home/username/caddy/example.com
# Static website, markdown or html
ext .md .html
proxy /wekan 127.0.0.1:3000 {
websocket
}
log /home/username/caddy/logs/wekan-access.log {
rotate {
size 100 # Rotate after 100 MB
age 7 # Keep log files for 7 days
keep 52 # Keep at most 52 log files
}
}
errors {
log /home/username/caddy/logs/wekan-error.log {
size 100 # Rotate after 100 MB
age 7 # Keep log files for 7 days
keep 52 # Keep at most 52 log files
}
}
}
example.com/files {
root /home/username/files
# View files in directory, has sorting in browser
browse
}
Install Caddy. Change username to what user you run caddy, like in /home/username , and Let's Encrypt email to your email adderess:
# Install caddy with some plugins
curl https://getcaddy.com | bash -s personal http.ipfilter,http.mailout,http.ratelimit,http.realip
Give permissions to caddy to bind 80 and 443
sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy
And this service file for Caddy to /etc/systemd/system/[email protected]
; see `man systemd.unit` for configuration details
; the man section also explains *specifiers* `%x`
[Unit]
Description=Caddy HTTP/2 web server %I
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target
Wants=systemd-networkd-wait-online.service
[Service]
; run user and group for caddy
User=username
Group=username
ExecStart=/home/username/caddy/caddy -conf=/home/username/caddy/Caddyfile -agree -email="[email protected]"
Restart=on-failure
StartLimitInterval=86400
StartLimitBurst=5
RestartSec=10
ExecReload=/bin/kill -USR1 $MAINPID
; limit the number of file descriptors, see `man systemd.exec` for more limit settings
LimitNOFILE=1048576
LimitNPROC=64
; create a private temp folder that is not shared with other processes
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Start caddy and enable service:
sudo systemctl daemon-reload
sudo systemctl start caddy@username
sudo systemctl enable caddy@username