Caddy

Caddy is a free, open-source web server that automatically handles HTTPS certificates and configuration. It’s designed for simplicity and security, making it an excellent choice for both development and production environments.

Preparation

Docker network

First, a Docker network should be created. This means that it is then no longer necessary to publish ports for each individual service. Ports 80 and 443 for the proxy manager are then sufficient, as well as others in certain cases if necessary.

Caution

Some devices (especially NAS systems) may already use ports 80 and 443. In such cases, consider creating a Macvlan network to handle port allocation.

sudo docker network create proxy-network

Directory Structure

mkdir caddy
cd caddy
mkdir data config
touch Caddyfile docker-compose.yml

Caddyfile

ZeroSSL

.../caddy/Caddyfile

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email   mail@hello.com
}

homepage.domain.com {
    reverse_proxy homepage:80
}

Let's Encrypt

.../caddy/Caddyfile

{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email   mail@hello.com
}

homepage.domain.com {
    reverse_proxy homepage:80
}

Example service

Let’s create a simple web server as an example.

mkdir homepage
cd homepage
mkdir html
touch html/index.html
touch docker-compose.yml

.../homepage/html/index.html

<!DOCTYPE html>
<html>
  <head>
    <title>Homepage</title>
  </head>
  <body>
    <h1>Homepage</h1>
    <p>This is a homepage.</p>
  </body>
</html>

.../homepage/docker-compose.yml

networks:
  proxy-network:
    external: true

### SERVICE ###
services:
  homepage:
    container_name: homepage
    image: nginx:latest
    restart: unless-stopped
    networks:
      - proxy-network
    security_opt:
      - no-new-privileges:true
    volumes:
      - /html:/usr/share/nginx/html:ro

sudo docker compose up -d

Installation

The web server is already running, but without Caddy it is not accessible. First you have to change back to the caddy directory.

cd [...]/caddy

.../caddy/docker-compose.yml

networks:
  proxy-network:
    external: true

services:
  caddy:
    image: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data:/data
      - ./config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      - proxy-network

sudo docker compose up -d

Note

If behind a router, remember to forward ports 80 and 443 to your server.

The previously created homepage should now be accessible under homepage.domain.com erreichbar sein.

Access restriction

An access restriction to certain IP addresses can be done in the Caddyfile.

Custom

.../caddy/Caddyfile

{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email   mail@domain.com
}

(LAN_only) {
    @not_local {
        not remote_ip 192.168.0.0/16
    }
    respond @not_local 403
}

homepage.domain.com {
    reverse_proxy homepage:80
    import LAN_only
}

So only devices from the IP range 192.168.0.0 - 192.168.255.255 are allowed to access the homepage.

Privater Bereich

.../caddy/Caddyfile

{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email   mail@domain.com
}

homepage.domain.com {
    @blocked not remote_ip private_ranges
    respond @blocked 403
    reverse_proxy homepage:80
}

Only the ranges 10.0.0.0/8, 127.0.0.1/8, 172.16.0.0/12 and 192.168.0.0/16 are allowed.

Update

Update Caddy using Docker Compose:

sudo docker compose pull
sudo docker compose down
sudo docker compose up -d