Caddy
Caddy is a free, open-source web server that automatically handles HTTPS certificates and configuration. It’s designed for simplicity and security, making it an excellent choice for both development and production environments.
Preparation
Docker network
First, a Docker network should be created. With all services attached to a shared network, ports no longer have to be published for each individual service; publishing ports 80 and 443 for the reverse proxy is sufficient, plus others in certain cases if necessary.
sudo docker network create proxy-network
Directory Structure
mkdir caddy
cd caddy
mkdir data config
touch Caddyfile docker-compose.yml
Caddyfile
Two variants are shown: the first requests certificates from ZeroSSL, the second from Let's Encrypt. Either one is sufficient.

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email mail@hello.com
}

homepage.domain.com {
    reverse_proxy homepage:80
}

Alternatively, with Let's Encrypt as the ACME CA:

{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email mail@hello.com
}

homepage.domain.com {
    reverse_proxy homepage:80
}
Example service
Let’s create a simple web server as an example.
mkdir homepage
cd homepage
mkdir html
touch html/index.html
touch docker-compose.yml
<!DOCTYPE html>
<html>
  <head>
    <title>Homepage</title>
  </head>
  <body>
    <h1>Homepage</h1>
    <p>This is a homepage.</p>
  </body>
</html>
networks:
  proxy-network:
    external: true

### SERVICE ###
services:
  homepage:
    container_name: homepage
    image: nginx:latest
    restart: unless-stopped
    networks:
      - proxy-network
    security_opt:
      - no-new-privileges:true
    volumes:
      # the html directory created above, relative to this compose file
      - ./html:/usr/share/nginx/html:ro
sudo docker compose up -d
Installation
The web server is already running, but without Caddy it is not accessible. First you have to change back to the caddy directory.
cd [...]/caddy
networks:
  proxy-network:
    external: true

services:
  caddy:
    image: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data:/data
      - ./config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      - proxy-network
sudo docker compose up -d
The previously created homepage should now be reachable at homepage.domain.com.
Access restriction
Access can be restricted to certain IP addresses in the Caddyfile.
{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email mail@domain.com
}

(LAN_only) {
    @not_local {
        not remote_ip 192.168.0.0/16
    }
    respond @not_local 403
}

homepage.domain.com {
    reverse_proxy homepage:80
    import LAN_only
}
So only devices from the IP range 192.168.0.0 - 192.168.255.255 are allowed to access the homepage.
{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email mail@domain.com
}

homepage.domain.com {
    @blocked not remote_ip private_ranges
    respond @blocked 403
    reverse_proxy homepage:80
}
Only the ranges 10.0.0.0/8, 127.0.0.1/8, 172.16.0.0/12 and 192.168.0.0/16 are allowed.
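To check which peer addresses the two Caddyfiles above accept or reject, here is an added Python model of the remote_ip decision (example code written for this page, not Caddy's own implementation); the sample client addresses are constructed.

```python
"""Model of the two remote_ip rules from the Caddyfiles above.

Added example, not part of the original page. Caddy's remote_ip matcher
compares the TCP peer address of the connection (not X-Forwarded-For)
against the listed CIDRs; the request is answered with 403 when the
negated matcher fires, otherwise it continues to reverse_proxy.
"""
import ipaddress

# Rule set 1: the (LAN_only) snippet allows only 192.168.0.0/16.
LAN_ONLY = ["192.168.0.0/16"]

# Rule set 2: the ranges the page lists for Caddy's private_ranges keyword.
PRIVATE_RANGES = ["10.0.0.0/8", "127.0.0.1/8", "172.16.0.0/12", "192.168.0.0/16"]


def remote_ip_matches(peer_ip: str, cidrs: list[str]) -> bool:
    """True when peer_ip lies inside any of the given networks."""
    ip = ipaddress.ip_address(peer_ip)
    # strict=False tolerates host bits being set, as in 127.0.0.1/8.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def http_status(peer_ip: str, cidrs: list[str]) -> int:
    """403 from 'respond ... 403' when the peer is outside the ranges,
    otherwise the upstream answer (200 assumed for the homepage)."""
    return 200 if remote_ip_matches(peer_ip, cidrs) else 403


def evaluate(peers: list[str], cidrs: list[str]) -> dict[str, int]:
    """Status each constructed peer address would receive under a rule set."""
    return {p: http_status(p, cidrs) for p in peers}


if __name__ == "__main__":
    # Constructed sample peers: a LAN host, another private host,
    # a Docker bridge gateway address and a public address.
    peers = ["192.168.1.20", "10.5.0.7", "172.18.0.1", "203.0.113.9"]
    for name, cidrs in (("LAN_only", LAN_ONLY), ("private_ranges", PRIVATE_RANGES)):
        print(name, evaluate(peers, cidrs))
```

Because the decision is made on the TCP peer address, a NAT hop or proxy in front of Caddy (for example Docker's userland proxy handing over the bridge gateway 172.18.0.1, which private_ranges accepts) makes every client look internal; confirm the addresses Caddy actually sees in its access log before relying on either rule.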
Update
Update Caddy using Docker Compose:
sudo docker compose pull
sudo docker compose down
sudo docker compose up -d