kemonine
/
lollipopcloud
Archived
1
0
Fork 0
Code Releases Activity
This repository has been archived on 2022-08-05. You can view files and clone it, but cannot push or open issues or pull requests.
lollipopcloud/armbian/caddy.md

2.7 KiB
Raw Blame History

Web Service Proxy (caddy)

Simple and efficient go based proxy server and static web host. TLS and more supported out of the box. Supports all kinds of arch's and you probably want to just use this as it's the simplest approach and leanest.

SSL Certs

This assumes you've run the Let's Encrypt process to get your certificates setup properly.

Inspiration / Sources

Docker Integration

Please note the Docker plugin is for a swarm which is not setup in these docs. It does NOT apply to this build.

Install


mkdir /var/log/caddy
mkdir -p /etc/caddy/services
chown www-data /var/log/caddy /etc/caddy
cat > /root/update_caddy.sh <<EOF
curl https://getcaddy.com | bash -s personal http.cache,http.cgi,http.cors,http.expires,http.filemanager,http.ipfilter,http.locale,http.realip,http.upload,net
EOF
chmod a+x /root/update_caddy.sh
/root/update_caddy.sh

Configure

Setup a basic config for all services provided by the SBC. Pi Hole, NextCloud, Syncthing UIs all behind a SSL/TLS capable proxy.


cat > /etc/caddy/Caddyfile <<EOF
# Individual configs are in their own files
import /etc/caddy/services/*.conf
EOF

Adjust firewall to allow caddy on internal network(s)


firewall-cmd --permanent --zone=internal --add-service http --add-service https
firewall-cmd --permanent --zone=trusted --add-service http --add-service https
firewall-cmd --reload

Grant access to SSL certificates


apt install acl
setfacl -m www-data:rx /var/acme.sh/
setfacl -m www-data:rx /var/acme.sh/domain.tld
setfacl -m www-data:r /var/acme.sh/domain.tld/fullchain.cer
setfacl -m www-data:r /var/acme.sh/domain.tld/domain.tld.cer
setfacl -m www-data:r /var/acme.sh/domain.tld/domain.tld.key
mkdir /etc/ssl/caddy
chown www-data /etc/ssl/caddy

Run via systemd


wget -O /etc/systemd/system/caddy.service https://raw.githubusercontent.com/mholt/caddy/master/dist/init/linux-systemd/caddy.service
chown root:root /etc/systemd/system/caddy.service
chmod 644 /etc/systemd/system/caddy.service
systemctl daemon-reload
systemctl enable caddy.service

Update Caddy

To update Caddy, run the script that was setup during install : /root/update_caddy.sh. That's it, you'll download the latest version and update in-place. Simple.

Update unbound

Serve the IP address of the proxy for the services with web interfaces


cat > /etc/unbound/local_zone/caddy.conf <<EOF
local-data: "domain.tld A 172.30.0.1"
local-data-ptr: "172.30.0.1 domain.tld"
EOF