Caddy

From Gea-Suan Lin's Wiki

Caddy is an HTTP server whose main selling points are automatic HTTPS and simple configuration.

Installation

On both Debian and Ubuntu it can be installed from the official APT repository:

# Import the repository signing key and register the stable repository (deb and deb-src)
curl -Lfs https://dl.cloudsmith.io/public/caddy/stable/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
echo -e "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main\ndeb-src [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# Install the signed package and drop the downloaded .deb cache
sudo apt update
sudo apt install -y caddy
sudo apt clean

The examples further down also use transform (the transform-encoder module); it can be installed with this command:

sudo caddy add-package github.com/caddyserver/transform-encoder

build.sh

The /etc/caddy/build.sh I am currently using:

#!/bin/bash
# Abort on the first failing command, so a failed build never overwrites the binary below.
set -euo pipefail

# Build a custom Caddy binary with the listed plugins
xcaddy build \
        --with github.com/caddyserver/transform-encoder \
        --with github.com/jasonlovesdoggo/caddy-defender \
        --with github.com/mholt/caddy-ratelimit \
        --with github.com/shift72/caddy-geo-ip \
        --with github.com/xcaddyplugins/caddy-trusted-cloudfront
# xcaddy writes ./caddy into the current directory; install it beside the packaged binary
cp -f caddy /usr/bin/caddy.custom

xcaddy

xcaddy is the officially maintained module build tool; quite a few modules have to be installed through xcaddy, and it is usually installed together with Golang:

# Import the xcaddy repository signing key and register the repository
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list
# Install xcaddy together with the Go toolchain it needs to build modules
sudo apt update
sudo apt install -y golang xcaddy
sudo apt clean

It is advisable to install a recent Golang here; the version shipped with an LTS or stable distribution may be too old.

Configuration

Template

A way to reuse configuration, using a snippet that takes the hostname as its argument:

(subdomain-log) {
        log {
                # Common-log-style line built with the transform encoder
                format transform `{request>client_ip} - {request>user_id} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size} "{request>headers>Referer>[0]}" "{request>headers>User-Agent>[0]}"` {
                        time_format "02/Jan/2006:15:04:05 +0000"
                }
                # {args[0]} is the argument passed to import, so each site gets its own log file;
                # mode 0640 keeps client IPs and user agents out of reach of other local users
                output file /var/log/caddy/{args[0]}_access.log {
                        mode 0640
                }
        }
}

bar.example.com {
        # ...
        import subdomain-log bar.example.com
        # ...
}

foo.example.com {
        # ...
        import subdomain-log foo.example.com
        # ...
}

Rate Limit

This combines the external geo_ip and rate_limit modules; note that the /usr/share/GeoLite2-Country.mmdb file used here has to be refreshed automatically by a script of your own:

        geo_ip {
                db_path /usr/share/GeoLite2-Country.mmdb
        }

        rate_limit {
                # Clients whose country is not TW get 60 requests per 5 minutes, counted per client IP
                zone nottw {
                        match expression `{geoip.country_code} != "TW"`
                        key {client_ip}
                        events 60
                        window 5m
                }
        }
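To check from the access logs whether the rate_limit zone above is sized sensibly, the following added example (not from the wiki page or the Caddy project) parses the transform log format defined in the Template section and replays the same budget, 60 events per client IP in a sliding 5-minute window, over sample lines. The sample log lines are constructed, and the regex assumes the log format exactly as written in the snippet.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One line of the transform format from the subdomain-log snippet above;
# {request>user_id} may render empty when nobody is authenticated, hence \S*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S*) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # the Go layout 02/Jan/2006:15:04:05 +0000

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    return rec

def find_bursty_clients(lines, events=60, window=timedelta(minutes=5)):
    """Per-client_ip sliding-window count with the rate_limit zone's budget
    (60 events per 5 minutes); returns {ip: time of the first excess hit}.
    Assumes each client's lines are in chronological order, as in a log file."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the pass
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop hits that left the window
            q.popleft()
        if len(q) > events and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged

def sample_lines():
    """Constructed sample: 61 hits from 203.0.113.7 in two minutes, 3 from 198.51.100.9."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    tmpl = '{ip} - - [{ts}] "GET /login HTTP/2.0" 200 512 "-" "curl/8.0"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FORMAT)
    return ([tmpl.format(ip="203.0.113.7", ts=stamp(2 * i)) for i in range(61)]
            + [tmpl.format(ip="198.51.100.9", ts=stamp(30 * i)) for i in range(3)])
```

Feeding a real /var/log/caddy/<host>_access.log through find_bursty_clients shows which clients would have hit the zone's limit, which is a quick way to tune events and window before the limit affects legitimate users.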

Related links

External links