caddy 配置学习
2024年8月17日...大约 2 分钟
caddy 下载
caddyfile 配置文件
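{
	# Global options. caddy-security's handlers have to sit at a fixed point in
	# Caddy's handler chain: the login portal before `respond`, the authorizer
	# before `basicauth` (the plugin's documented ordering).
	order authenticate before respond
	order authorize before basicauth

	security {
		# File-backed identity store. Caddy writes this JSON file itself, so it
		# must be on a path the Caddy process user can read and write. {$HOME}
		# is only what the launching environment provides (empty if unset), so
		# an absolute path is safer when running under systemd.
		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
			# Bootstrap user. The password is taken from the environment when the
			# Caddyfile is adapted instead of being committed here in clear text.
			# An unset {$LOCAL_USER_PASSWORD} becomes an empty string — set it
			# before starting Caddy.
			user change {
				name change
				email change@localhost.localdomain
				password "{$LOCAL_USER_PASSWORD}"
				roles authp/user
			}
		}

		authentication portal myportal {
			# Token lifetime (seconds) and the HMAC key that signs and verifies it.
			# The same key is used by every `authorization policy` below, so it
			# must be long and random and only ever come from the environment.
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			# Cookie scoped to the parent domain so a session created on
			# auth.shuobude.top is also sent to vs.shuobude.top. `insecure off`
			# leaves the Secure attribute on, so it is never sent over plain HTTP.
			cookie domain shuobude.top
			cookie lifetime 86400
			cookie insecure off
			enable identity store localdb
			ui {
				links {
					"访问IDE" https://vs.shuobude.top/ icon "las la-code"
					"My Identity" "/whoami" icon "las la-key"
					"User Dashboard" /auth/profile/ icon "las la-cog"
				}
			}
		}

		# Policy for ordinary users.
		# NOTE(review): `allow roles` lists authp/admin, but the explicit ACL
		# rule only matches authp/user, so an account holding only authp/admin
		# may fall through to the default-deny rule — confirm which takes
		# precedence, or give admin accounts the authp/user role as well.
		authorization policy users_policy {
			# Unauthenticated requests are redirected here to log in.
			set auth url https://auth.shuobude.top/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			# Explicit default deny: anything not matched above is rejected.
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		# Policy for administrators only.
		authorization policy admins_policy {
			set auth url https://auth.shuobude.top/
			allow roles authp/admin
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow admins
				match role authp/admin
				allow stop log info
			}
			# Explicit default deny: anything not matched above is rejected.
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}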
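# Reusable TLS snippet: certificates are issued through the ACME DNS-01
# challenge using Alibaba Cloud DNS (plugin caddy-dns/alidns).
# The AccessKey pair is read from the environment so it never lives in the
# Caddyfile; use a RAM sub-account limited to DNS record management for
# this zone rather than the account's primary key.
(tls_config) {
	tls {
		dns alidns {
			access_key_id {env.ALICLOUD_ACCESS_KEY}
			access_key_secret {env.ALICLOUD_SECRET_KEY}
		}
	}
}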
# Login portal host. Two demo paths are guarded by the policies defined in the
# global `security` block; everything else is served by the portal itself.
auth.shuobude.top {
	import tls_config
	# Requires a valid token with the roles accepted by users_policy.
	route /users* {
		authorize with users_policy
		respond * "assetq - users" 200
	}
	# Requires a valid token with authp/admin (admins_policy).
	route /admins* {
		authorize with admins_policy
		respond * "assetq - admins" 200
	}
	# Catch-all: the portal UI, login, /whoami and the profile pages.
	route {
		authenticate with myportal
	}
}
# Protected application host (the "访问IDE" link in the portal points here).
# Every request must carry a token accepted by users_policy; otherwise the
# policy's `set auth url` redirects the browser to the portal. Valid requests
# are proxied to the app listening on localhost:3000.
vs.shuobude.top {
	import tls_config
	route {
		authorize with users_policy
		reverse_proxy localhost:3000
	}
}
安全认证相关配置
# 安全认证相关配置,使用插件 `greenpau/caddy-security`。注意区别 `authenticate` 与 `authorize`:`authenticate with <portal>` 提供登录门户并签发 JWT,`authorize with <policy>` 校验请求携带的 JWT 及其角色,未通过时跳转到策略里 `set auth url` 指定的门户地址。[官方链接](https://docs.authcrunch.com/docs/intro)
# 这里把登录门户(`authenticate`)和受保护的应用(`authorize`)放在不同的子域名上;跨子域共享登录态依赖下面的 `cookie domain shuobude.top`。把门户和应用放在同一个域名的不同路径下是否可行,本文未验证。
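{
	# Global options. caddy-security's handlers have to sit at a fixed point in
	# Caddy's handler chain: the login portal before `respond`, the authorizer
	# before `basicauth` (the plugin's documented ordering).
	order authenticate before respond
	order authorize before basicauth

	security {
		# File-backed identity store. Caddy writes this JSON file itself, so it
		# must be on a path the Caddy process user can read and write. {$HOME}
		# is only what the launching environment provides (empty if unset), so
		# an absolute path is safer when running under systemd.
		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
			# Bootstrap user. The password is taken from the environment when the
			# Caddyfile is adapted instead of being committed here in clear text.
			# An unset {$LOCAL_USER_PASSWORD} becomes an empty string — set it
			# before starting Caddy.
			# NOTE(review): this account is labelled "admin" but only holds
			# authp/user, so it will not pass admins_policy below — add
			# authp/admin if that is intended.
			user change {
				name admin
				email admin@localhost.localdomain
				password "{$LOCAL_USER_PASSWORD}"
				roles authp/user
			}
		}

		authentication portal myportal {
			# Token lifetime (seconds) and the HMAC key that signs and verifies it.
			# The same key is used by every `authorization policy` below, so it
			# must be long and random and only ever come from the environment.
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			# Cookie scoped to the parent domain so a session created on
			# auth.shuobude.top is also sent to vs.shuobude.top. `insecure off`
			# leaves the Secure attribute on, so it is never sent over plain HTTP.
			cookie domain shuobude.top
			cookie lifetime 86400
			cookie insecure off
			enable identity store localdb
			ui {
				links {
					"访问IDE" https://vs.shuobude.top/ icon "las la-code"
					"My Identity" "/whoami" icon "las la-key"
					"User Dashboard" /auth/profile/ icon "las la-cog"
				}
			}
		}

		# Policy for ordinary users.
		# NOTE(review): `allow roles` lists authp/admin, but the explicit ACL
		# rule only matches authp/user, so an account holding only authp/admin
		# may fall through to the default-deny rule — confirm which takes
		# precedence, or give admin accounts the authp/user role as well.
		authorization policy users_policy {
			# Unauthenticated requests are redirected here to log in.
			set auth url https://auth.shuobude.top/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			# Explicit default deny: anything not matched above is rejected.
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		# Policy for administrators only.
		authorization policy admins_policy {
			set auth url https://auth.shuobude.top/
			allow roles authp/admin
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow admins
				match role authp/admin
				allow stop log info
			}
			# Explicit default deny: anything not matched above is rejected.
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}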
域名证书申请
# 使用阿里云dns 插件实现域名证书申请,插件 `caddy-dns/alidns`
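# Reusable TLS snippet: certificates are issued through the ACME DNS-01
# challenge using Alibaba Cloud DNS (plugin caddy-dns/alidns).
# The AccessKey pair is read from the environment so it never lives in the
# Caddyfile; use a RAM sub-account limited to DNS record management for
# this zone rather than the account's primary key.
(tls_config) {
	tls {
		dns alidns {
			access_key_id {env.ALICLOUD_ACCESS_KEY}
			access_key_secret {env.ALICLOUD_SECRET_KEY}
		}
	}
}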
站点配置
# 配置一下站点
# Protected application host (the "访问IDE" link in the portal points here).
# Every request must carry a token accepted by users_policy; otherwise the
# policy's `set auth url` redirects the browser to the portal. Valid requests
# are proxied to the app listening on localhost:3000.
vs.shuobude.top {
	import tls_config
	route {
		authorize with users_policy
		reverse_proxy localhost:3000
	}
}
systemd 配置
# 配置 caddy.service。本地自建的 unit 应放在 `/etc/systemd/system/caddy.service`(`/lib/systemd/system/` 是发行版软件包的目录,升级时可能被覆盖),修改后执行 `systemctl daemon-reload`
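[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
# Certificate issuance (ACME via the alidns DNS plugin) needs the network
# to actually be up, not merely configured.
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
# Run unprivileged. Create the account first, e.g.
#   useradd --system --home /var/lib/caddy --shell /usr/sbin/nologin caddy
# The identity store path in the Caddyfile ({$HOME}/.local/caddy/users.json)
# and Caddy's data/config directories must be writable by this user; an
# absolute path such as /var/lib/caddy/users.json is safer than relying on
# $HOME being set for a service account.
User=caddy
Group=caddy
# Secrets the Caddyfile reads through {env.*} / {$VAR} placeholders
# (JWT_SHARED_KEY and any DNS-provider or password variables) go in this
# file, owned by root, mode 0600. The leading "-" makes a missing file
# non-fatal.
EnvironmentFile=-/etc/caddy/caddy.env
# `--environ` is deliberately omitted: it prints the whole process
# environment — including the secrets loaded above — into the journal
# on every start.
ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Filesystem hardening: private /tmp, and /usr, /boot and /etc read-only.
# /etc/caddy only needs to be readable; the writable state lives under
# the caddy user's home.
PrivateTmp=true
ProtectSystem=full
# Lets the unprivileged user bind ports 80/443.
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target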