Caddy User Guide

This guide focuses on what I use day to day; features I don't use are skipped or only mentioned briefly.

Quick deployment

Containerized deployment with Docker: easy to get started and quick to roll out. The version in use here is 0.11.2.


version: '2.1'
services:
  caddy:
    image: spanda/caddy
    container_name: caddy
    volumes:
    - ./ssl:/root/.caddy
    - /var/log/caddy:/var/log/caddy
    - ./Caddyfile:/etc/Caddyfile
    - /root/.ssh:/root/.ssh
    network_mode: host
    restart: always

A brief note on the persisted volumes:

  • ssl directory: stores the certificate data persistently
  • /var/log/caddy directory: holds the related logs
  • Caddyfile: the Caddy configuration file
  • /root/.ssh directory: needed for deploying the blog with hugo; optional

Image notes

The spanda/caddy image is built on a Debian base image (spanda/ptcore).

Most of the DIRECTIVES/MIDDLEWARE plugins are installed by default; of the DNS PROVIDERS only cloudflare and route53 are installed, plus net and hook.service. I normally keep Caddy updated in step with upstream; see the Caddy dockerfile for details.

Caddyfile

A brief introduction to the Caddyfile configuration file; its format is the same as the CoreDNS configuration.

  1. UTF-8 encoded, case-sensitive
  2. Comments start with #
  3. The first line must be the site address (comments excepted), for example
localhost:7070
  4. Directives follow the site address. If a directive needs more configuration, use a directive block to set the extra options. Blocks are delimited by curly braces: the opening brace goes at the end of a line and the closing brace must be on a line of its own
# example 1
localhost:7070
log /var/log/caddy/access.log
markdown /blog {
    css /blog.css
    js  /scripts.js
}
# example 2
ysicing.me {
    root /www/ysicing/home
}

dev.ysicing.me {
    root /www/ysicing/dev
    gzip
    log /var/log/caddy/access.dev.log
}

http/https

  • Site addresses must be unique

Common forms

ysicing.me
ysicing.me:7070
http://ysicing.me
https://ysicing.me
*.ysicing.me
  • Common placeholders

See the placeholders documentation for the full list.

The ones I use most are:

# request
{>Header}
{host}
{method}
{path}
{query}
{?key}
{remote}
{scheme}
{uri}
{when}
# response
{<Header}
{status}

Common directives

basicauth

# example 1
basicauth /love 用户名 密码
# example 2
basicauth 用户名 密码 {
    realm "访问限制名(可选)"
    路径
}

log

By default logs are written to a file; they can also be pushed to a remote syslog server.

log / /var/log/caddy/access.log "{remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}" {
    rotate_size 50  # Rotate after 50 MB
    rotate_age  90  # Keep rotated files for 90 days
    rotate_keep 20  # Keep at most 20 log files
    rotate_compress # Compress rotated log files in gzip format
}

gzip

Enables gzip compression.

header: enabling HSTS and other security headers

header / {
	Strict-Transport-Security "max-age=31536000;"
	# Enable cross-site filter (XSS) and tell browser to block detected attacks
	X-XSS-Protection "1; mode=block"
	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
	X-Content-Type-Options "nosniff"
	# Disallow the site to be rendered within a frame (clickjacking protection)
	X-Frame-Options "DENY"
}

proxy

proxy provides a basic reverse proxy and a robust load balancer. It supports multiple backends and adding custom headers. The load-balancing features include several policies, health checks and failover, and WebSocket connections can be proxied as well.

# example 1
proxy /stream localhost:8080 {
    transparent
    websocket
}
# example 2
proxy / web1:80 web2:80 web3:80 {
    policy round_robin
    health_check /health
    transparent
    websocket
}

Here websocket is equivalent to:

header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}

And transparent is equivalent to:

header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}

redir

Redirects. I rarely use this; the example below redirects to https when the incoming protocol is http.

redir 301 {
    if {>X-Forwarded-Proto} is http
    /  https://{host}{uri}
}

rewrite

URL rewriting. See the official documentation.

rewrite {
	if {>User-agent} has mobile
	to {path} {path}/ /mobile/index.php
}

In practice

This follows the post "Deploying a Hugo blog with Caddy"; here I walk through the Caddyfile in detail.

ysicing.me www.ysicing.me {
    # enable compression
    gzip
    # enable metrics
    prometheus
    # logging
    log / /var/log/caddy/ysicing.me.log "{remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}" {
        rotate_size 50
        rotate_age  90
        rotate_keep 20
        rotate_compress
    }
    # certificate (email used for automatic HTTPS)
    tls root@ysicing.net
    header / {
        Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
        Access-Control-Allow-Origin  *
        Access-Control-Allow-Methods "GET, POST, OPTIONS"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        # custom header
        X-Custom-Header "us.n1.ysicing.me"
        # remove the Server header from responses
        -Server
    }
    # static asset cache
    cache {
        match_path /assets
        status_header X-Cache-Status
        default_max_age 60m
        path /tmp/caddy-cache
    }
    # access control
    basicauth love 12345678 {
        realm "傻狗自言自语"
        /posts/love/
    }
    # error page
    errors {
        * /tmp/404.html
    }
    # hugo section start
    root /tmp/blog/public
    git {
        repo git@repo.spanda.io:ysicing.me/website.git
        path /tmp/blog
        branch master
        key      /root/.ssh/id_rsa
        then hugo --destination=/tmp/blog/public
        hook /webhook GithubSK
        hook_type gogs
        clone_args --recursive
        pull_args --recurse-submodules
        interval 86400
    }
    hugo
    # hugo section end
    # redirect
    redir 301 {
        if {host} starts_with www
        /   https://ysicing.me{uri}
    }
}
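The log directive above and this Caddyfile both write the same custom access-log format, and the Caddyfile also protects /posts/love/ with basicauth. As an added example (not code from the original post), here is a small Python parser for exactly that format, which then counts 401 responses per client under the protected path as a simple check for password guessing. It assumes Caddy 0.11's {when} rendering "02/Jan/2006:15:04:05 -0700" and "-" for an empty header; note that {when} contains a space and {>User-Agent} may too, so the line cannot simply be split on whitespace. The sample lines are constructed.

```python
import re
from collections import Counter

# Regex for the page's log format:
#   {remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}
# Assumption: {when} is rendered as "02/Jan/2006:15:04:05 -0700" (two tokens).
# {>User-Agent} can contain spaces, so it is matched greedily between the fixed
# left-hand fields and the trailing {latency} field.
LOG_RE = re.compile(
    r"^(?P<remote>\S+) (?P<when>\S+ [+-]\d{4}) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<proto>\S+) (?P<status>\d{3}) (?P<size>\d+) (?P<ua>.*) (?P<latency>\S+)$"
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec

def failed_auth_by_remote(lines, protected_prefix="/posts/love/", threshold=3):
    """Count 401 responses per client under the basicauth-protected path and
    return the remotes at or above the threshold, most failures first."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if rec["status"] == 401 and rec["uri"].startswith(protected_prefix):
            hits[rec["remote"]] += 1
    return [(remote, n) for remote, n in hits.most_common() if n >= threshold]

# Constructed sample lines in the page's log format (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 09/Dec/2018:10:15:32 +0800 GET /posts/love/ HTTP/2.0 401 0 curl/7.64.0 850.3µs
203.0.113.7 09/Dec/2018:10:15:33 +0800 GET /posts/love/ HTTP/2.0 401 0 curl/7.64.0 910.2µs
203.0.113.7 09/Dec/2018:10:15:34 +0800 GET /posts/love/ HTTP/2.0 401 0 curl/7.64.0 1.102ms
203.0.113.7 09/Dec/2018:10:15:35 +0800 GET /posts/love/index.html HTTP/2.0 401 0 curl/7.64.0 1.05ms
198.51.100.20 09/Dec/2018:10:16:01 +0800 GET /posts/love/ HTTP/2.0 401 0 Mozilla/5.0 (X11; Linux x86_64) Firefox/63.0 2.3ms
198.51.100.20 09/Dec/2018:10:16:09 +0800 GET /posts/love/ HTTP/2.0 200 5120 Mozilla/5.0 (X11; Linux x86_64) Firefox/63.0 3.8ms
192.0.2.5 09/Dec/2018:10:17:00 +0800 GET /assets/site.css HTTP/2.0 200 2048 - 400.0µs
this line is not in the expected format
"""

if __name__ == "__main__":
    for remote, n in failed_auth_by_remote(SAMPLE_LOG.splitlines()):
        print(f"{remote}: {n} failed basicauth attempts on the protected path")
```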

Recommended reading