homeall/caddy-reverse-proxy-cloudflare

By homeall

Updated 1 day ago

Caddy server with cloudflare plugin installed

Image
Web Servers

10K+

cloudflaredLicense: MITpullpullcontributions welcome

Caddy reverse proxy with cloudflare plugin

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. License
  5. Contact
  6. Acknowledgements

About The Project

You can check the repo on GitHub.

This docker image is based on work from @lucaslorentz which I included the plugin Cloudflare.

This is the only difference between this one and his image.

If you need more details about how to use this image I will advise you to go to his GitHub and review the documentation.

It is useful if you are planning to use the reverse proxy from :tm: Caddy together with Let's Encrypt and Cloudflare DNS as a challenge.

The main purpose of creating this image is to have a DNS challenge for wildcard domains.

I am using GitHub Actions where it will update weekly the docker image and both plugins.

It also can keep the IP address up to date thanks to Caddy DynamicDNS.

Note: you will need the scoped API token for this setup. Please analyze this link.

Getting Started

It will work on any Linux box amd64 or Raspberry Pi with arm64 or arm32.

Prerequisites

You will need to have:

Usage

It will work on any Linux box amd64 or Raspberry Pi with arm64 or arm32.

Docker Compose

You will have to use labels in docker-compose deployment. Please review below what it means for each label.

You will tell Caddy where it has to route traffic in docker network, as Caddy is ingress on this case.

A simple docker-compose.yml:

version: "3.3"

services:
  caddy:
    container_name: caddy
    image: homeall/caddy-reverse-proxy-cloudflare:latest
    restart: unless-stopped
    environment:
      TZ: 'Europe/London'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock" #### needs socket to read events
      - "./caddy-data:/data" #### needs volume to back up certificates
    ports:
      - "80:80"
      - "443:443"
    labels: # Global options
      caddy.email: email@example.com #### needs for acme CERT registration account

  whoami0:
    container_name: whoiam
    image: jwilder/whoami:latest
    hostname: YourBigBoss ############################----->>Expected result using curl
    restart: unless-stopped
    labels:
      caddy: your.example.com #### needs for caddy to redirect traffic
      caddy.reverse_proxy: "{{upstreams 8000}}" #### needs to tell caddy which port number should send traffic
      caddy.tls.protocols: "tls1.3" #### This is optional. Default it is tls1.2
      caddy.tls.ca: "https://acme-staging-v02.api.letsencrypt.org/directory" # Needs only for testing purpose. Remove this line after you finished your tests.
      caddy.tls.dns: "cloudflare $API-TOKEN" #### You will have to replace here $API-TOKEN with your real scoped API token from Cloudflare.
Testing

Your can run the following command to see that is working:

$  curl --insecure -vvI https://test.ionut.vip 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
*  subject: CN=test.ionut.vip ################################ CA from Let's Enctrypt Staging 
*  start date: Jan  5 15:15:00 2021 GMT
*  expire date: Apr  5 15:15:00 2021 GMT
*  issuer: CN=Fake LE Intermediate X1 ######################## This is telling you that acme is working as expected!
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc02180ec00)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
$  curl -k https://test.ionut.vip
I'm TheDocker################################### Expected result from hostname above

On the status column of the docker, you will notice the healthy word. This is telling you that docker is running healtcheck itself in order to make sure it is working properly.

Please test yourself using the following command:

❯ docker inspect --format "{{json .State.Health }}" caddy | jq
{
  "Status": "healthy",
  "FailingStreak": 0,
  "Log": [
    {
      "Start": "2021-01-04T11:10:49.2975799Z",
      "End": "2021-01-04T11:10:49.3836437Z",
      "ExitCode": 0,
      "Output": ""
    }
  ]
}

License

Distributed under the MIT license. See LICENSE for more information.

Contact

Please free to open a ticket on Github.

Acknowledgements

Docker Pull Command

docker pull homeall/caddy-reverse-proxy-cloudflare