Caddy Usage Guide (Chinese)

方缘之道 / 2019-07-09 18:11

This article is based mainly on my own day-to-day usage; features I do not use are skipped or only mentioned briefly.

Quick deployment

Containerized deployment with Docker is easy to pick up and quick to roll out. The version used here is 0.11.2.


    version: '2.1'
    services:
      caddy:
        image: spanda/caddy
        container_name: caddy
        volumes:
        - ./ssl:/root/.caddy
        - /var/log/caddy:/var/log/caddy
        - ./Caddyfile:/etc/Caddyfile
        - /root/.ssh:/root/.ssh
        network_mode: host
        restart: always

A quick note on the persisted volumes:

  • ssl directory: stores the persisted certificate data
  • /var/log/caddy directory: stores the related logs
  • Caddyfile: the caddy configuration file
  • /root/.ssh directory: needed only for deploying the blog with hugo; optional

Image notes

The image spanda/caddy is built on a Debian base image (spanda/ptcore).

Most DIRECTIVES/MIDDLEWARE are installed by default; for DNS PROVIDERS only cloudflare and route53 are installed, plus net and hook.service. Normally I keep caddy updated in step with upstream; see the Caddy dockerfile for details.

Caddyfile

A brief introduction to the Caddyfile configuration file; its format is the same as the CoreDNS configuration format.

  • 1. UTF-8 encoded and case-sensitive
  • 2. Comments start with #
  • 3. The first line must be the site address (comments excepted)
    localhost:7070
  • 4. After the site address come the directives. If a directive needs more configuration, use a directive block to set the additional options. A block is delimited by curly braces: the opening brace must sit at the end of a line, and the closing brace must be on a line by itself
    # example 1
    localhost:7070
    log /var/log/caddy/access.log
    markdown /blog {
        css /blog.css
        js  /scripts.js
    }

    # example 2
    ysicing.me {
        root /www/ysicing/home
    }

    dev.ysicing.me {
        root /www/ysicing/dev
        gzip
        log /var/log/caddy/access.dev.log
    }
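The four rules above are enough to write a small parser for this v1 Caddyfile syntax. The following is an added example (my own code for this write-up, not Caddy's parser): it drops # comments, treats a top-level line as a site label, accepts a block only when the opening brace ends a line and the closing brace stands alone, and rejects anything else with a SyntaxError. The two inputs are the examples just shown, embedded as constructed strings; a brace-less site and braced sites cannot share one file, so they are parsed separately.

```python
import shlex

# Constructed inputs: the two examples from the guide, as separate files.
SAMPLE_SINGLE = """\
# example 1
localhost:7070
log /var/log/caddy/access.log
markdown /blog {
    css /blog.css
    js  /scripts.js
}
"""

SAMPLE_MULTI = """\
# example 2
ysicing.me {
    root /www/ysicing/home
}

dev.ysicing.me {
    root /www/ysicing/dev
    gzip
    log /var/log/caddy/access.dev.log
}
"""


def parse_caddyfile(text):
    """Parse Caddyfile text into a list of sites.

    Each site is {"labels": [...], "braced": bool, "directives": [...]} and
    each directive is a (name, args, block) tuple, block being None or a
    nested list of directives.
    """
    sites = []
    current = None   # site currently being filled
    stack = []       # open blocks, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Rule 2: '#' starts a comment; shlex also keeps quoted arguments whole.
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        # Rule 4: an opening brace must be the last token on its line ...
        opens = tokens[-1] == "{"
        if opens:
            tokens = tokens[:-1]
            if not tokens:
                raise SyntaxError(f"line {lineno}: '{{' needs a site label or directive")
        # ... and a closing brace must stand alone.
        if tokens == ["}"] and not opens:
            if not stack:
                raise SyntaxError(f"line {lineno}: unexpected '}}'")
            stack.pop()
            continue
        if "{" in tokens or "}" in tokens:
            raise SyntaxError(f"line {lineno}: braces may not appear mid-line")
        if not stack and (current is None or current["braced"]):
            # Rule 3: a top-level line is a site label line.
            current = {"labels": tokens, "braced": opens, "directives": []}
            sites.append(current)
            if opens:
                stack.append(current["directives"])
            continue
        # Otherwise it is a directive of the innermost open block, or of the
        # single brace-less site.
        target = stack[-1] if stack else current["directives"]
        block = [] if opens else None
        target.append((tokens[0], tokens[1:], block))
        if opens:
            stack.append(block)
    if stack:
        raise SyntaxError("unterminated block at end of file")
    return sites


def is_valid(text):
    """True when the text parses without a syntax error."""
    try:
        parse_caddyfile(text)
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    for site in parse_caddyfile(SAMPLE_MULTI):
        print(site["labels"], [d[0] for d in site["directives"]])
```

Feeding a Caddyfile through a check like this before deploying catches the brace mistakes the rules warn about (a brace mid-line, a missing closing brace) without restarting the container.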

http/https

  • Site address; it must be unique

Common forms

    ysicing.me
    ysicing.me:7070
    http://ysicing.me
    https://ysicing.me
    *.ysicing.me
  • Common placeholders

See the placeholders documentation.

The ones I use most are

    # request
    {>Header}
    {host}
    {method}
    {path}
    {query}
    {?key}
    {remote}
    {scheme}
    {uri}
    {when}
    # response
    {<Header}
    {status}

Common directives

basicauth

    # example 1
    basicauth /love username password
    # example 2
    basicauth username password {
        realm "realm name (optional)"
        path
    }

log

By default the log is written to a file; it can also be pushed to a remote syslog server.

    log / /var/log/caddy/access.log "{remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}" {
        rotate_size 50  # Rotate after 50 MB
        rotate_age  90  # Keep rotated files for 90 days
        rotate_keep 20  # Keep at most 20 log files
        rotate_compress # Compress rotated log files in gzip format
    }
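A log in this format is only useful if something reads it. The following is an added example (my own code, not Caddy's): it turns lines written with the format string above into records and then counts 401 responses per client on a basicauth-protected prefix, which is the simplest way to spot password guessing against a path like the /posts/love/ one used later in this guide. It assumes {when} renders as "02/Jan/2006:15:04:05 -0700" (two space-separated tokens) and {latency} as a Go duration such as 1.2ms; the log lines are constructed for the example, with addresses from documentation ranges.

```python
import re
from collections import Counter

# The format string from the log directive above; one regex group per placeholder.
LOG_FORMAT = "{remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}"

# Assumptions: {when} is two tokens ("02/Jan/2006:15:04:05 -0700"); {>User-Agent}
# is unquoted and may contain spaces, so it is matched greedily with {latency}
# anchored as the final token of the line.
LINE_RE = re.compile(
    r"^(?P<remote>\S+) (?P<when>\S+ [+-]\d{4}) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<proto>\S+) (?P<status>\d{3}) (?P<size>\d+) (?P<user_agent>.*) (?P<latency>\S+)$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 09/Jul/2019:18:11:02 +0800 GET /posts/love/ HTTP/2.0 401 0 python-requests/2.22.0 1.2ms
203.0.113.7 09/Jul/2019:18:11:03 +0800 GET /posts/love/ HTTP/2.0 401 0 python-requests/2.22.0 0.9ms
203.0.113.7 09/Jul/2019:18:11:03 +0800 GET /posts/love/ HTTP/2.0 401 0 python-requests/2.22.0 1.1ms
203.0.113.7 09/Jul/2019:18:11:04 +0800 GET /posts/love/ HTTP/2.0 401 0 python-requests/2.22.0 1.0ms
203.0.113.7 09/Jul/2019:18:11:05 +0800 GET /posts/love/ HTTP/2.0 401 0 python-requests/2.22.0 1.3ms
198.51.100.4 09/Jul/2019:18:11:10 +0800 GET /posts/love/ HTTP/2.0 200 5120 Mozilla/5.0 (Windows NT 10.0; Win64; x64) 3.4ms
198.51.100.4 09/Jul/2019:18:11:10 +0800 GET /assets/style.css HTTP/2.0 200 812 Mozilla/5.0 (Windows NT 10.0; Win64; x64) 0.4ms
192.0.2.9 09/Jul/2019:18:12:41 +0800 GET /posts/love/ HTTP/1.1 401 0 Mozilla/5.0 (X11; Linux x86_64) 1.0ms
this line is garbage and is skipped
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def parse_log(text):
    """Parse every line of a log file, silently dropping lines that do not match."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def failed_auth_by_remote(records, path_prefix="/posts/love/"):
    """Count 401 responses per client address for the basicauth-protected prefix."""
    return Counter(r["remote"] for r in records
                   if r["status"] == 401 and r["uri"].startswith(path_prefix))


def suspicious_remotes(records, threshold=5, path_prefix="/posts/love/"):
    """Client addresses with at least `threshold` failed authentications, sorted."""
    counts = failed_auth_by_remote(records, path_prefix)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(failed_auth_by_remote(records))
    print("suspicious:", suspicious_remotes(records))
```

The threshold is deliberately a parameter: five failures in a few seconds from one address is a different signal than five spread over a day, so a real job would also bucket by the {when} timestamp before alerting.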

gzip

Enables gzip compression.

header

Enables HSTS and other browser-side security mechanisms.

    header / {
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
    }
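Setting headers is one half; checking that they actually come back on every response is the other. The following is an added example (my own code, not Caddy's) that audits a response header map against the policy of the block above: it parses the HSTS max-age instead of string-matching it, compares header names case-insensitively, and, going a little beyond the block, also flags a Server header, which the Caddyfile later in this guide strips with -Server. The two header sets are constructed; in practice you would feed it the headers from a real response.

```python
import re

# Constructed header sets: what the header block above produces, and a weak one.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000;",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "ALLOWALL",
    "Server": "Caddy",
}


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_max_age(value):
    """Return the max-age seconds from an HSTS value, or None when absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif age < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age {age} is below {min_hsts_age}")
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if _get(headers, "Server"):
        findings.append("Server header discloses server software")
    return findings


if __name__ == "__main__":
    print("good:", audit_security_headers(GOOD_HEADERS))
    print("weak:", audit_security_headers(WEAK_HEADERS))
```

Running this against the error page and the basicauth challenge response as well as the home page is worth it: the header directive is scoped by path, and a policy that only covers / is easy to get wrong once more blocks are added.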

proxy

proxy provides a basic reverse proxy and a robust load balancer. It supports multiple backends and adding custom headers. The load-balancing features include several policies, health checks and failover, and WebSocket connections can be proxied as well.

    # example 1
    proxy /stream localhost:8080 {
        transparent
        websocket
    }
    # example 2
    proxy / web1:80 web2:80 web3:80 {
        policy round_robin
        health_check /health
        transparent
        websocket
    }

Here websocket is equivalent to

    header_upstream Connection {>Connection}
    header_upstream Upgrade {>Upgrade}

and transparent is equivalent to

    header_upstream Host {host}
    header_upstream X-Real-IP {remote}
    header_upstream X-Forwarded-For {remote}
    header_upstream X-Forwarded-Proto {scheme}
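The headers transparent adds are only trustworthy on the backend if the backend knows the request really came through Caddy: anyone who can reach the backend port directly can send their own X-Forwarded-For or X-Forwarded-Proto. The following is an added example (my own code, not Caddy's) of how a backend should consume them: it honours the forwarded headers only when the TCP peer is a trusted proxy, walks X-Forwarded-For from the right to skip trusted hops, falls back to X-Real-IP, and ignores everything on a direct connection. It assumes Caddy runs on the same host (network_mode: host in the compose file above), so the proxy appears as a loopback peer; the addresses in the usage are constructed.

```python
import ipaddress

# Assumption: Caddy runs on this host, so the backend sees it as a loopback peer.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("::1/128"),
]


def _parse_ip(text):
    """ip_address or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return addr is not None and any(addr in net for net in trusted)


def effective_client(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, scheme) as the backend should believe them.

    peer_ip is the address of the TCP peer; headers is the request header map.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_trusted(_parse_ip(peer_ip), trusted):
        # Direct connection, not via the proxy: every forwarded header is
        # untrusted client input, so ignore all of them.
        return peer_ip, "http"
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    if not hops and h.get("x-real-ip"):
        hops = [h["x-real-ip"]]
    client = peer_ip
    # Walk the chain right to left: the rightmost address not belonging to a
    # trusted proxy is the one the proxy itself observed; anything further left
    # was supplied by the client and may be forged.
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            break           # malformed entry: stop trusting the chain
        if _is_trusted(addr, trusted):
            continue
        client = str(addr)
        break
    scheme = h.get("x-forwarded-proto", "http").strip().lower()
    if scheme not in ("http", "https"):
        scheme = "http"
    return client, scheme


if __name__ == "__main__":
    # Via the proxy: forwarded headers are honoured.
    print(effective_client("127.0.0.1", {"X-Forwarded-For": "198.51.100.4",
                                          "X-Forwarded-Proto": "https"}))
    # Direct hit on the backend: the same headers are ignored.
    print(effective_client("203.0.113.5", {"X-Forwarded-For": "198.51.100.4",
                                            "X-Forwarded-Proto": "https"}))
```

The same rule applies to the redir example further down, which keys on {>X-Forwarded-Proto}: that only reflects the real scheme if the header was set by a proxy in front of Caddy rather than by the client.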

redir

Redirects. I rarely use it; here it redirects to https when the protocol is http.

    redir 301 {
        if {>X-Forwarded-Proto} is http
        /  https://{host}{uri}
    }

rewrite

URL rewriting. See the official documentation.

    rewrite {
        if {>User-agent} has mobile
        to {path} {path}/ /mobile/index.php
    }

In practice

Following the article on deploying a Hugo blog with Caddy, here is a walk-through of the actual Caddyfile.

    ysicing.me www.ysicing.me {
        # enable compression
        gzip
        # enable monitoring
        prometheus
        # logging
        log / /var/log/caddy/ysicing.me.log "{remote} {when} {method} {uri} {proto} {status} {size} {>User-Agent} {latency}" {
            rotate_size 50
            rotate_age  90
            rotate_keep 20
            rotate_compress
        }
        # certificate
        tls root@ysicing.net
        header / {
            Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
            Access-Control-Allow-Origin  *
            Access-Control-Allow-Methods "GET, POST, OPTIONS"
            X-XSS-Protection "1; mode=block"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "SAMEORIGIN"
            # custom
            X-Custom-Header "us.n1.ysicing.me"
            -Server
        }
        # static asset cache
        cache {
            match_path /assets
            status_header X-Cache-Status
            default_max_age 60m
            path /tmp/caddy-cache
        }
        # access control
        basicauth love 12345678 {
            realm "傻狗自言自语"
            /posts/love/
        }
        # error pages
        errors {
            * /tmp/404.html
        }
        # hugo section start
        root /tmp/blog/public
        git {
            repo git@repo.spanda.io:ysicing.me/website.git
            path /tmp/blog
            branch master
            key      /root/.ssh/id_rsa
            then hugo --destination=/tmp/blog/public
            hook /webhook GithubSK
            hook_type gogs
            clone_args --recursive
            pull_args --recurse-submodules
            interval 86400
        }
        hugo
        # hugo section end
        # redirect
        redir 301 {
            if {host} starts_with www
            /   https://ysicing.me{uri}
        }
    }
