
Docker image with Caddy server and Cloudflare plugin installed


homeall/caddy-reverse-proxy-cloudflare



Caddy reverse proxy with cloudflare plugin

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. License
  5. Contact
  6. Acknowledgements

About The Project

This Docker image is based on the caddy-docker-proxy image by @lucaslorentz, with the Cloudflare DNS plugin added.

That is the only difference between this image and his.

📔 If you need more details about how to use this image, go to his GitHub repository and review the documentation there.

It is useful if you plan to run the ™️ Caddy reverse proxy with Let's Encrypt certificates obtained through the Cloudflare DNS-01 challenge.

The main purpose of this image is to support the DNS challenge for wildcard domains, which Let's Encrypt issues only via DNS-01.

A GitHub Actions workflow rebuilds the image weekly, picking up the current Caddy release and both plugins.

It can also keep your DNS record pointed at your current public IP address, thanks to the Caddy dynamic DNS plugin.

⁉️ Note: you will need a scoped Cloudflare API token for this setup (Zone:Read and DNS:Edit, limited to the zone you are issuing certificates for; do not use the Global API Key). Please review the linked documentation.

Getting Started

🔰 It works on any amd64 Linux box, or on a Raspberry Pi with arm64 or arm32.

Prerequisites

You will need to have Docker installed, plus Docker Compose for the example below.

Usage

Docker Compose

⚠️ In a docker-compose deployment, every service is configured through labels. Please review below what each label means. ⬇️

The labels tell ™️ Caddy which hostname belongs to which container and where to route the traffic inside the Docker network, because ™️ Caddy is the ingress in this setup.

⬇️ A simple docker-compose.yml:

version: "3.3"

services:
  caddy:
    container_name: caddy
    image: homeall/caddy-reverse-proxy-cloudflare:latest
    restart: unless-stopped
    environment:
      TZ: 'Europe/London'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"      # Caddy reads container events from the Docker socket (note: access to the socket is root-equivalent on the host)
      - "./caddy-data:/data"                             # persistent volume so certificates and the ACME account key survive restarts
    ports:
      - "80:80"
      - "443:443"
    labels:                                              # Global options
      caddy.email: email@example.com                     # e-mail address for the ACME (Let's Encrypt) account
      caddy.acme_dns: "cloudflare $API_TOKEN"            # global DNS challenge; when set here, you don't need caddy.tls.dns on each service

  whoami0:
    container_name: whoami
    image: jwilder/whoami:latest
    hostname: TheDocker                                  # expected response body when you test with curl
    restart: unless-stopped
    labels:
      caddy: your.example.com                            # hostname Caddy should serve and route to this container
      # caddy.servers.protocols: "experimental_http3"    # for HTTP/3
      # caddy.tls.ca: "https://acme.zerossl.com/v2/DV90" # only if you prefer ZeroSSL; the default CA is Let's Encrypt
      caddy.reverse_proxy: "{{upstreams 8000}}"          # container port Caddy should proxy to (jwilder/whoami listens on 8000)
      caddy.tls.protocols: "tls1.3"                      # optional: sets the minimum TLS version; Caddy's default minimum is TLS 1.2
      caddy.tls.ca: "https://acme-staging-v02.api.letsencrypt.org/directory" # Let's Encrypt staging CA, for testing only (browsers do not trust it); remove this line once your tests pass
      caddy.tls.dns: "cloudflare $API_TOKEN"             # optional when the global caddy.acme_dns is set; $API_TOKEN is your scoped Cloudflare API token

Create your scoped API token in the Cloudflare dashboard under My Profile > API Tokens. Docker Compose substitutes $API_TOKEN from your shell environment or from a .env file next to docker-compose.yml, so you do not have to write the secret into the file itself; keep in mind that the resolved label is still stored in the container metadata and is visible to anyone who can run docker inspect.

⬆️ Go on TOP ☝️

Testing

⬇️ You can run the following command to check that it is working. The --insecure flag is needed only while you are using the staging CA, whose chain curl does not trust; once you switch to the production CA, drop the flag and expect "SSL certificate verify ok." instead:

$  curl --insecure -vvI https://test.ionut.vip 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
*  subject: CN=test.ionut.vip ################################ CA from Let's Encrypt Staging 
*  start date: Jan  5 15:15:00 2021 GMT
*  expire date: Apr  5 15:15:00 2021 GMT
*  issuer: CN=Fake LE Intermediate X1 ######################## This is telling you that acme is working as expected!
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc02180ec00)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
$  curl -k https://test.ionut.vip
I'm TheDocker################################### Expected result from hostname above

♥️ In the status column of docker ps you will see the word healthy. This tells you that Docker is running the image's built-in healthcheck and that Caddy is responding as expected.

⬇️ You can check it yourself with the following command:

❯ docker inspect --format "{{json .State.Health }}" caddy | jq
{
  "Status": "healthy",
  "FailingStreak": 0,
  "Log": [
    {
      "Start": "2021-01-04T11:10:49.2975799Z",
      "End": "2021-01-04T11:10:49.3836437Z",
      "ExitCode": 0,
      "Output": ""
    }
  ]
}

License

🗞️ Distributed under the MIT license. See LICENSE for more information.

Contact

🔴 Please feel free to open an issue on GitHub.

Acknowledgements

⬆️ Go on TOP ☝️