
Caddy

Caddy is a free, open-source proxy server designed to be easy to install, use, and deploy.

Preparation

Docker network

First, create a Docker network. With it, you no longer need to publish ports for each individual service. Publishing ports 80 and 443 for the proxy is then sufficient, plus others in certain cases if necessary.

caution

On some devices (especially pre-built NAS devices) ports 80 and 443 cannot be published because another service already uses them. In that case, first create a Macvlan network on which ports 80 and 443 can be published.

sudo docker network create proxy-network

Create directory

mkdir caddy
cd caddy
mkdir data
mkdir config
touch Caddyfile docker-compose.yml

Caddyfile

.../caddy/Caddyfile
{
    acme_ca https://acme.zerossl.com/v2/DV90
    email mail@hello.com
}

homepage.domain.de {
    reverse_proxy homepage:80
}

info

ZeroSSL is used in my example.

Example service

I will use a web server as an example service.

mkdir homepage
cd homepage
mkdir html
touch html/index.html
touch docker-compose.yml
.../homepage/html/index.html
<!DOCTYPE html>
<html>
<head>
<title>Homepage</title>
</head>
<body>
<h1>Homepage</h1>
<p>Dies ist die Homepage.</p>
</body>
</html>
.../homepage/docker-compose.yml
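version: "3.7"

networks:
  proxy-network:
    external:
      name: proxy-network

### SERVICE ###
services:
  homepage:
    container_name: homepage
    image: nginx:latest
    restart: unless-stopped
    # No ports are published; the service is reachable only through the proxy network
    networks:
      - proxy-network
    security_opt:
      - no-new-privileges:true
    volumes:
      # Mount the html directory created above (relative to this file), read-only
      - ./html:/usr/share/nginx/html:ro

sudo docker compose up -d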

Installation

The web server is already running, but without Caddy it is not accessible. First you have to change back to the caddy directory.

cd [...]/caddy
.../caddy/docker-compose.yml
version: "3.7"

networks:
  proxy-network:
    external:
      name: proxy-network

services:
  caddy:
    image: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data:/data
      - ./config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      - proxy-network

sudo docker compose up -d

info

For Docker Compose version 1, the command is sudo docker-compose up -d.

info

If you are on a network behind a router, you must forward ports 80 and 443 to the server.

The previously created homepage should now be accessible under homepage.domain.de.

Access restriction

Access can be restricted to certain IP addresses in the Caddyfile.

.../caddy/Caddyfile
{
    acme_ca https://acme.zerossl.com/v2/DV90
    email mail@hello.com
}

(LAN_only) {
    @not_local {
        not remote_ip 192.168.0.0/16
    }
    respond @not_local 403
}

homepage.domain.de {
    reverse_proxy homepage:80
    import LAN_only
}

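With this configuration, only devices in the IP range 192.168.0.0 - 192.168.255.255 are allowed to access the homepage; all other requests receive a 403 response. The matcher compares the address of the connection as Caddy sees it, so the restriction relies on the client's source address reaching the container unchanged.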
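To check which clients the `LAN_only` snippet above turns away, the following added example (not part of the original guide, and a model of the matcher rather than Caddy's own code) reads the range from the snippet and evaluates it against constructed peer addresses. The function names, the sample addresses and the use of 200 to stand for "proxied to the homepage" are assumptions made for the illustration.

```python
import ipaddress
import re

# The (LAN_only) snippet from the Caddyfile above, embedded so this runs offline.
CADDYFILE = """
(LAN_only) {
    @not_local {
        not remote_ip 192.168.0.0/16
    }
    respond @not_local 403
}
"""

# Constructed sample peers: the address Caddy would see for each connection.
SAMPLES = {
    "192.168.1.20": "LAN client",
    "192.169.0.1": "just outside the /16",
    "10.0.0.5": "private address, but not in the listed range",
    "172.18.0.1": "a bridge gateway, seen if the source address is rewritten",
    "203.0.113.7": "public client",
    "fd00::1234": "IPv6 client on the local network",
}

def allowed_ranges(caddyfile: str):
    """Collect every network listed on a `not remote_ip ...` line."""
    nets = []
    for match in re.finditer(r"^\s*not\s+remote_ip\s+(.+)$", caddyfile, re.M):
        nets += [ipaddress.ip_network(tok) for tok in match.group(1).split()]
    return nets

def status_for(peer: str, nets) -> int:
    """403 unless the peer address is inside a listed range (200 = proxied)."""
    addr = ipaddress.ip_address(peer)
    inside = any(addr.version == n.version and addr in n for n in nets)
    return 200 if inside else 403

def report(caddyfile: str = CADDYFILE):
    """Map each sample peer to the status the snippet would produce."""
    nets = allowed_ranges(caddyfile)
    return {peer: status_for(peer, nets) for peer in SAMPLES}

if __name__ == "__main__":
    for peer, status in report().items():
        print(f"{status}  {peer:<14} {SAMPLES[peer]}")
```

Only the first sample is let through: other private ranges, IPv6 clients and any connection whose source address was rewritten before reaching Caddy all receive the 403.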

Update

Thanks to Docker and Docker Compose, updating Caddy is easy.

sudo docker compose pull
sudo docker compose down
sudo docker compose up -d