Caddy2 Static Website Setup


============================
Caddy2 documentation
============================

https://caddy2.dengxiaolong.com/docs/
https://github.com/phpple/caddy2-cn-doc

 

============================
Site path layout
============================

/root/web/caddy              directory holding the Caddyfile
/root/web/site               directory holding the web pages
${HOME}/.local/share/caddy   data storage directory that Caddy2 creates automatically; it holds the ACME account keys and the issued certificates with their private keys, so it must stay private to the caddy user and must not be deleted casually
${HOME}/.config/caddy/       config directory that Caddy2 creates automatically, e.g. for the autosave.json file

Note: for the systemd service below, which runs as user caddy with home /var/lib/caddy, these resolve to /var/lib/caddy/.local/share/caddy and /var/lib/caddy/.config/caddy (or to $XDG_DATA_HOME/caddy and $XDG_CONFIG_HOME/caddy when those variables are set).

 

============================
Download and install on CentOS 7
============================

Disabling SELinux avoids a number of problems when starting the service through systemctl, but it also removes a security control from the whole host. The usual cause of the failure is that a binary moved into /usr/local/bin keeps the SELinux file context of the directory it was downloaded into (mv preserves the label), and systemd refuses to execute it. Relabeling it with `restorecon -v /usr/local/bin/caddy` fixes that and lets SELinux stay enforcing.

#download
wget https://github.com/caddyserver/caddy/releases/download/v2.4.6/caddy_2.4.6_linux_amd64.tar.gz

#unpack (extract only the caddy binary from the archive)
tar -zxf caddy_2.4.6_linux_amd64.tar.gz caddy

#copy the binary to the program path
mv ./caddy  /usr/local/bin/

#only root may write the caddy binary; everyone else may read and execute it
chmod 755 /usr/local/bin/caddy

#check the caddy program
which caddy
caddy version
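The steps above install whatever the download produced. As an added example (not code from the original post or the Caddy project), the script below verifies the archive against the SHA-256 list that is published with every Caddy release (caddy_<version>_checksums.txt) before installing the binary, and uses install(1) so owner and mode are set in one step. It assumes the archive and the checksum list have already been downloaded into the current directory; the target bin directory is a parameter so the function can be exercised on a scratch directory. The hash is compared by hand because `sha256sum -c --ignore-missing` needs coreutils 8.25, newer than CentOS 7 ships.

```shell
#!/bin/sh
# Added example: verify a Caddy release archive against its published checksum
# list, then install the binary root-owned, mode 0755.
set -eu

# verify_checksum ARCHIVE CHECKSUMS : 0 if the archive's SHA-256 matches its entry
verify_checksum() {
    archive=$1
    sums=$2
    # entries look like "<sha256>  caddy_2.4.6_linux_amd64.tar.gz"
    expected=$(grep " $(basename "$archive")\$" "$sums" | awk '{print $1}')
    if [ -z "$expected" ]; then
        echo "no checksum entry for $archive in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# install_caddy ARCHIVE CHECKSUMS BINDIR : verify, extract only the caddy member,
# and install it so that only root may write it and everyone may execute it.
install_caddy() {
    archive=$1
    sums=$2
    bindir=$3
    if ! verify_checksum "$archive" "$sums"; then
        echo "checksum mismatch for $archive, refusing to install" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    tar -xzf "$archive" -C "$tmp" caddy
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0755 "$tmp/caddy" "$bindir/caddy"
    else
        # -o/-g need root; when run unprivileged (e.g. in a test) set the mode only
        install -m 0755 "$tmp/caddy" "$bindir/caddy"
    fi
    rm -rf "$tmp"
}
```

On the server this is `install_caddy caddy_2.4.6_linux_amd64.tar.gz caddy_2.4.6_checksums.txt /usr/local/bin`, after downloading the checksum file from the same release page as the archive.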

 

============================
Create a dedicated user
============================

A dedicated, unprivileged system user must exist before the systemd service can run under it:

groupadd --system caddy

useradd --system \
--gid caddy \
--create-home \
--home-dir /var/lib/caddy \
--shell /usr/sbin/nologin \
--comment "Caddy web server" \
caddy

 

============================
Create the directories and files
============================

#Create an empty Caddyfile. It is not JSON; Caddy also accepts an equivalent JSON config (see caddy adapt below), which is used less often.
#The recommended location is /etc/caddy. This post keeps it under the root account's home for easier backup, but /root is mode 0550 or 0700 on CentOS 7, so the unprivileged caddy user cannot traverse it and the service will fail with "permission denied" unless you relax that mode or move the files to /etc/caddy and a web root outside /root.
mkdir -p /root/web/caddy/


#Set the directory owner to root and the group to caddy
chown -R root:caddy  /root/web/caddy

touch /root/web/caddy/Caddyfile

#Create the directory for the web pages
mkdir -p /root/web/site
#Set the owner of the site directory. The original used chown caddy:caddy, which lets a compromised Caddy process rewrite the files it serves; root:caddy (group read-only, e.g. mode 0750) is the safer choice.
chown root:caddy /root/web/site
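Before starting the service it is worth checking the layout mechanically. The script below is an added example (not code from the original post) that audits two properties for a Caddy instance running as an unprivileged service user: every directory above the Caddyfile and the web root must be traversable by that user (the post keeps both under /root, which blocks the caddy user completely), and neither the Caddyfile nor the web root should be owned by or writable for that user, so a compromised Caddy process cannot rewrite its own configuration or deface the site. The service user name and the paths are arguments; the traversal check looks only at the "others" execute bit, which is stricter than necessary for directories whose group is caddy.

```shell
#!/bin/sh
# Added example: audit ownership, mode and traversability of the Caddy layout.
set -u

# untraversable_ancestors DIR : print DIR and each ancestor lacking the "others"
# execute bit (an odd last octal digit means o+x is set)
untraversable_ancestors() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        if [ -d "$p" ]; then
            case $(stat -c %a "$p") in
                *[1357]) ;;
                *) echo "$p" ;;
            esac
        fi
        p=$(dirname "$p")
    done
}

# writable_by_non_owner PATH : 0 if the group or others have write permission
writable_by_non_owner() {
    case $(stat -c %A "$1") in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_layout SERVICE_USER PATH... : print findings, return 1 if any were found
audit_layout() {
    svc=$1
    shift
    rc=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        blocked=$(untraversable_ancestors "$(dirname "$path")")
        if [ -n "$blocked" ]; then
            echo "BLOCKED: $svc cannot reach $path; no o+x on:"
            echo "$blocked" | sed 's/^/    /'
            rc=1
        fi
        if [ "$(stat -c %U "$path")" = "$svc" ]; then
            echo "OWNED: $path is owned by $svc; prefer root:$svc so the service cannot modify it"
            rc=1
        fi
        if writable_by_non_owner "$path"; then
            echo "WRITABLE: $path is group- or world-writable; use mode 0640 (file) or 0750 (dir)"
            rc=1
        fi
    done
    return $rc
}
```

For the layout in this post the call is `audit_layout caddy /root/web/caddy/Caddyfile /root/web/site`; on a stock CentOS 7 host it reports /root as blocking and the site directory as owned by caddy.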

 

============================
Create the service unit file for auto-start
============================

#this unit file contains the Caddyfile path
touch /etc/systemd/system/caddy.service

#only root may modify this file
chmod 644 /etc/systemd/system/caddy.service

 

Below is the content of /etc/systemd/system/caddy.service, taken from the caddy.service file in Caddy's GitHub repository.

The only changes are the path of the caddy executable and the path of the Caddyfile:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /root/web/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /root/web/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

 

 

============================
Open ports 80/443 in the firewall
============================

#(optional, CentOS only) disable the firewall if it is not already disabled. Prefer the rules further below: disabling firewalld exposes every listening service on the host, not just Caddy.
systemctl status firewalld
systemctl stop firewalld
systemctl mask firewalld

# To keep the firewall, add these rules instead (Caddy needs 80 for the HTTP challenge and the redirect, 443 for HTTPS)
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

 

 

============================
Start the Caddy service
============================

# reload the systemd daemon so it picks up the new caddy unit file
sudo systemctl daemon-reload

# start caddy
sudo systemctl start caddy

# enable caddy to start at boot, then restart it
sudo systemctl enable caddy
sudo systemctl restart caddy

#check status
systemctl status caddy.service

 

============================
Ways to configure the domain's TLS certificate
============================

1. Locally issued (self-signed) certificate. Caddyfile syntax:
   tls internal
   (Caddy v1 used `tls self_signed`; in Caddy 2 the `internal` issuer is the equivalent.) Caddy issues the certificate from its own local CA. Browsers do not trust it unless that CA's root is installed (see `caddy trust` below), but the traffic is still encrypted. The certificates are short-lived and renewed automatically, so this is intended for local development only.
2. Manual request from a certificate authority.
   Obtain the certificate from the CA yourself, then point Caddy at the certificate and key files:
   tls /path/example.com.crt /path/example.com.key
   The key file must be readable by the caddy user and nobody else (for example root:caddy, mode 0640).
3. Automatic issuance by the host (HTTP-01 / TLS-ALPN-01 challenge).
   If the target domain (e.g. example.com) already resolves to this host, Caddy 2 requests a certificate over ACME automatically when it starts (the default issuer is Let's Encrypt, with ZeroSSL as fallback), using the HTTP challenge on port 80 or the TLS-ALPN challenge on port 443; both ports must be reachable from the Internet.
   Advantage: simple configuration.
   Syntax; the email argument gives the CA the applicant's contact address:
   tls <email>
4. Automatic issuance via the DNS challenge.
   The CA verifies ownership of the domain through DNS records that Caddy creates via the DNS provider's API (DNS-01 challenge).
   Advantages: no inbound connection from the CA is needed, so it works behind NAT or on hosts without a public IP; it is also the only option when the site sits behind a CDN, or when a wildcard certificate is needed.
   Disadvantages: more to configure. API credentials have to be supplied, usually as environment variables (keep them in a root-only file referenced from the unit with EnvironmentFile= rather than in the unit itself), and the Caddy binary must include the plugin for your DNS provider, which the standard release does not (build it with xcaddy or select it on the download page). Caddyfile syntax:
   tls {
       dns <provider> ...
   }

 

==================================
Edit the Caddyfile and redirect HTTP to HTTPS
==================================

The content of /root/web/caddy/Caddyfile:

The configuration below also serves a custom page for 404 errors.

http://example.com {
        redir https://example.com{uri}
}

https://example.com {
        tls hostmaster@example.com
        root * /root/web/site
        encode gzip
        file_server
        # no matcher: apply to every response (a "/" matcher would match only the exact path "/")
        header {
                Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self'; object-src 'self'; worker-src 'self'; manifest-src 'self';"
                Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
                X-Xss-Protection "1; mode=block"
                X-Frame-Options "DENY"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "strict-origin-when-cross-origin"
                Permissions-Policy "fullscreen=(self)"
                Cache-Control "max-age=0,no-cache,no-store,must-revalidate"
        }
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /404.html
                file_server
        }
}

Notes:
1. The site address on the first line tells Caddy which host name (example.com) the block belongs to; it is also the name used when obtaining the certificate. Because an http://example.com block is declared explicitly, Caddy does not add its automatic HTTP-to-HTTPS redirect for that host, so the redir line supplies it ({uri} carries the original path and query over).
2. tls <email> enables automatic ACME issuance for the domain; the address is the contact the CA uses for notices about issuance and problems.
3. root sets the directory that holds the site content.
4. encode gzip compresses responses.
5. file_server serves the static files.
6. header adds the listed response headers to every response. Two syntax points matter here: with a `/` path matcher (common in copied configs) the block would apply only to requests for exactly "/", leaving every other page without the headers, and `Name = value` is not Caddy 2 syntax (with three tokens the directive performs a regex replacement instead of setting a value). Two policy points: the preload token in Strict-Transport-Security commits the domain to the browser preload list and is very hard to revert, so add it only if you intend to submit the domain to hstspreload.org; X-Xss-Protection is obsolete in current browsers and redundant once a CSP is in place. For a purely static site, object-src 'none' is stricter than 'self'.
7. handle_errors rewrites 404 responses to /404.html and serves that file from the same root. Run `caddy validate --config /root/web/caddy/Caddyfile` before reloading so a syntax error cannot take the site down.
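Whether the headers are really applied everywhere is easy to verify from outside. The script below is an added example (not code from the original post): check_headers() reads raw response headers from a file in the shape `curl -sI` prints and lists any required header that is missing, hsts_max_age() extracts the HSTS max-age, and probe() runs both against the site root and against a deep path, because a `header /` block would pass a root-only check while leaving every other page unprotected. The header list and the sample deep path are assumptions for this example; probe() needs curl and network access, the two parsing functions do not.

```shell
#!/bin/sh
# Added example: verify the security headers returned by the site, on "/" and on a deep path.
set -u

REQUIRED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options Referrer-Policy"

# check_headers FILE : print each required header that is absent; return 1 if any
check_headers() {
    missing=0
    for h in $REQUIRED_HEADERS; do
        # header names are case-insensitive (HTTP/2 lower-cases them)
        if ! grep -qi "^$h:" "$1"; then
            echo "missing: $h"
            missing=1
        fi
    done
    return $missing
}

# hsts_max_age FILE : print the max-age value of the HSTS header, or nothing
hsts_max_age() {
    grep -i '^Strict-Transport-Security:' "$1" |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# probe BASE_URL : fetch and check headers for "/" and a deep path (live, needs curl)
probe() {
    rc=0
    for path in / /css/site.css; do
        tmp=$(mktemp)
        curl -sI "$1$path" > "$tmp"
        echo "== $1$path"
        check_headers "$tmp" || rc=1
        age=$(hsts_max_age "$tmp")
        # one year is the minimum accepted by the HSTS preload list
        if [ -n "$age" ] && [ "$age" -lt 31536000 ]; then
            echo "weak: HSTS max-age $age is below one year"
            rc=1
        fi
        rm -f "$tmp"
    done
    return $rc
}
```

Usage on the live site is `probe https://example.com`; a non-zero exit means at least one path lacks a required header or has a weak HSTS lifetime.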

 

============================
Common commands
============================

# start caddy in the background (detached)
caddy start --config  /root/web/caddy/Caddyfile

# start caddy in the foreground
caddy run --config  /root/web/caddy/Caddyfile

# stop
caddy stop

# reload the config file
caddy reload  --config  /root/web/caddy/Caddyfile


# install the root certificate of Caddy's local CA into the system trust store
# (only relevant for `tls internal`; it makes this machine trust the locally issued certificates)
caddy trust

# format (pretty-print) the Caddyfile
caddy fmt --overwrite /root/web/caddy/Caddyfile

# convert the Caddyfile into the equivalent JSON config; the JSON form is rarely used directly
caddy adapt --config  /root/web/caddy/Caddyfile --pretty

 

[Screenshot of the startup output of `caddy start --config /root/web/caddy/Caddyfile` omitted from this copy.]

 

============================
Adjust the ulimit and file-max settings
============================
Linux applies default ulimit values to every login session. These defaults are generally too low for a web server and need to be raised. Each limit has a soft and a hard value, and the hard value must be greater than or equal to the soft value. Note that /etc/security/limits.conf is applied by pam_limits at login and does not affect services started by systemd: for the caddy unit above the effective values come from LimitNOFILE= and LimitNPROC= in the unit file, and limits.conf only matters when caddy is run from an interactive shell.

vi /etc/security/limits.conf
# add these lines (the item is spelled nproc, not noproc)
*        soft    nproc  10240
*        hard    nproc  10240
*        soft    nofile 10240
*        hard    nofile 10240


ulimit limits the handles a single user session may open; fs.file-max is the limit for the whole operating system.

vi /etc/sysctl.conf
# add this line
fs.file-max = 6553560

Apply the sysctl change with `sysctl -p`; it takes effect immediately, no reboot is needed. The limits.conf change applies to new login sessions only, so log out and back in (or reboot).
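The limits that actually bind the running service are visible in /proc/<pid>/limits, which reflects the unit's LimitNOFILE= and LimitNPROC= rather than limits.conf. The script below is an added example (not code from the original post): parse_limit() extracts the soft and hard values of one named limit from that file's text, so it can be tested on a captured copy, and caddy_limits() is the live wrapper for a host running systemd (the PID is read without `--value`, which the systemd 219 in CentOS 7 lacks). The sample limits text used in testing is constructed.

```shell
#!/bin/sh
# Added example: read the effective file/process limits of the running caddy service.
set -u

# parse_limit FILE NAME : print "<soft> <hard>" for the limit line that starts
# with NAME (e.g. "Max open files"); print nothing if the line is absent
parse_limit() {
    awk -v name="$2" '
        index($0, name) == 1 {
            # the remainder is "<spaces>soft<spaces>hard<spaces>[units]"; the
            # leading spaces give an empty first field, so soft/hard are f[2]/f[3]
            split(substr($0, length(name) + 1), f, /[ \t]+/)
            print f[2], f[3]
        }' "$1"
}

# caddy_limits : show effective file and process limits of the live service
caddy_limits() {
    pid=$(systemctl show -p MainPID caddy | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = "0" ]; then
        echo "caddy is not running" >&2
        return 1
    fi
    echo "Max open files (soft hard): $(parse_limit "/proc/$pid/limits" 'Max open files')"
    echo "Max processes  (soft hard): $(parse_limit "/proc/$pid/limits" 'Max processes')"
}
```

With the unit above, caddy_limits prints 1048576 1048576 for open files and 512 512 for processes, whatever limits.conf says.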

 

============================
References
============================

https://caddy2.dengxiaolong.com/docs/
https://github.com/phpple/caddy2-cn-doc

https://www.jianshu.com/p/808a479ad138
https://www.geeksforgeeks.org/how-to-deploy-static-website-using-caddy-webserver/
https://zhuanlan.zhihu.com/p/389189311
https://tophat.top/posts/47d46cc9.html
https://vip.kingdee.com/article/2478?productLineId=1

 

