Skip to content

Commit

Permalink
Merge pull request #535 from acaslab/master
Browse files Browse the repository at this point in the history 
Add Caddy webserver configuration and tutorial on Caddy with Cloudflare DNS in proxy mode
  • Loading branch information
@parkervcp
parkervcp authored Jan 18, 2024
2 parents 29d1fe2 + 10bf4f1 commit fad96ab
Show file tree
Hide file tree
Showing 4 changed files with 244 additions and 8 deletions.
48 changes: 48 additions & 0 deletions .snippets/webservers/Caddyfile
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{
servers :443 {
timeouts {
read_body 120s
}
}
}

<domain> {
root * /var/www/pterodactyl/public

file_server

php_fastcgi unix//run/php/php8.1-fpm.sock {
root /var/www/pterodactyl/public
index index.php

env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
env HTTP_PROXY ""
env HTTPS "on"

read_timeout 300s
dial_timeout 300s
write_timeout 300s
}

header Strict-Transport-Security "max-age=16768000; preload;"
header X-Content-Type-Options "nosniff"
header X-XSS-Protection "1; mode=block;"
header X-Robots-Tag "none"
header Content-Security-Policy "frame-ancestors 'self'"
header X-Frame-Options "DENY"
header Referrer-Policy "same-origin"

request_body {
max_size 100m
}

respond /.ht* 403

log {
output file /var/log/caddy/pterodactyl.log {
roll_size 100MiB
roll_keep_for 7d
}
level INFO
}
}
48 changes: 48 additions & 0 deletions .snippets/webservers/Caddyfile-nossl
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{
servers :80 {
timeouts {
read_body 120s
}
}
}

<domain>:80 {
root * /var/www/pterodactyl/public

file_server

php_fastcgi unix//run/php/php8.1-fpm.sock {
root /var/www/pterodactyl/public
index index.php

env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
env HTTP_PROXY ""
# env HTTPS "on" # IMPORTANT: this is commented out, to disable HTTPS

read_timeout 300s
dial_timeout 300s
write_timeout 300s
}

header Strict-Transport-Security "max-age=16768000; preload;"
header X-Content-Type-Options "nosniff"
header X-XSS-Protection "1; mode=block;"
header X-Robots-Tag "none"
header Content-Security-Policy "frame-ancestors 'self'"
header X-Frame-Options "DENY"
header Referrer-Policy "same-origin"

request_body {
max_size 100m
}

respond /.ht* 403

log {
output file /var/log/caddy/pterodactyl.log {
roll_size 100MiB
roll_keep_for 7d
}
level INFO
}
}
74 changes: 66 additions & 8 deletions panel/1.0/webserver_configuration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,12 @@
When using the SSL configuration you MUST create SSL certificates, otherwise your webserver will fail to start. See the [Creating SSL Certificates](/tutorials/creating_ssl_certificates.html) documentation page to learn how to create these certificates before continuing.
:::

:::: tabs
::: tab "Nginx With SSL"
::: tip
If you are using [Caddy With Automatic SSL](#caddy-with-automatic-ssl), you do not have to create SSL certificates manually, Caddy will take care of it automatically.
:::

::::: tabs
:::: tab "Nginx With SSL"
First, remove the default NGINX configuration.

``` bash
Expand All @@ -29,8 +33,8 @@ sudo ln -s /etc/nginx/sites-available/pterodactyl.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
```

:::
::: tab "Nginx Without SSL"
::::
:::: tab "Nginx Without SSL"
First, remove the default NGINX configuration.

``` bash
Expand All @@ -54,8 +58,8 @@ sudo ln -s /etc/nginx/sites-available/pterodactyl.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
```

:::
::: tab "Apache With SSL"
::::
:::: tab "Apache With SSL"
First, remove the default Apache configuration.

``` bash
Expand All @@ -82,8 +86,8 @@ sudo a2enmod ssl
sudo systemctl restart apache2
```

:::
::: tab "Apache Without SSL"
::::
:::: tab "Apache Without SSL"
First, remove the default Apache configuration.

``` bash
Expand All @@ -109,7 +113,61 @@ sudo a2enmod rewrite
sudo systemctl restart apache2
```

::::
:::: tab "Caddy With Automatic SSL"
Before adding our custom configuration, let's remove the default one. You can do it either by deleting the contents of config file or by deleting the config file completely and than creating a new one from scratch. The config file path is `/etc/caddy/Caddyfile`.

To delete the config file completely, run the following command:

```shell
rm /etc/caddy/Caddyfile
```

Then continue with an editor of your choice to write the config.

You should paste the contents of the file below, replacing `<domain>` with your domain name.

<<< @/.snippets/webservers/Caddyfile{9}

::: tip
If you are using Cloudflare DNS in proxy mode, refer to [this tutorial](/tutorials/creating_ssl_certificates.html#method-3:-caddy-(using-cloudflare-api)), to see how to configure Caddy to use DNS challenge for obtaining SSL certificates.
:::

### Enabling Configuration

The final step is to restart Caddy.

```bash
systemctl restart caddy
```

::::
:::: tab "Caddy Without SSL"
Before adding our custom configuration, let's remove the default one. You can do it either by deleting the contents of config file or by deleting the config file completely and than creating a new one from scratch. The config file path is `/etc/caddy/Caddyfile`.

To delete the config file completely, run the following command:

```shell
rm /etc/caddy/Caddyfile
```

Then continue with an editor of your choice to write the config.

You should paste the contents of the file below, replacing `<domain>` with your domain name.

The only two differences are that we have suffixed the `<domain>` with `:80` and in the global config at `servers` directive, we have changed the port from `:443` to `:80`.

<<< @/.snippets/webservers/Caddyfile-nossl{9}

### Enabling Configuration

The final step is to restart Caddy.

```bash
systemctl restart caddy
```

::::
:::::

#### Next Step: [Wings Installation](../../wings/installing.md)
82 changes: 82 additions & 0 deletions tutorials/creating_ssl_certificates.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -140,5 +140,87 @@ After running the script for the first time, it will be added to the crontab aut
sudo crontab -e
```

:::
::: tab "Method 3: Caddy (using Cloudflare API)"
This is for advanced users, who are running Cloudflare in proxy mode or do not have access to port `80`.

### Installing Caddy with Cloudflare DNS plugin

Caddy does not come by default with Cloudflare DNS plugin, you need to install it yourself.

There are two main methods:

1. Using `xcaddy` - CLI tool to build your own Caddy build
2. Downloading prebuilt binary from [Caddy's download page](https://caddyserver.com/download).
3. Using Ansible to download and install Caddy with plugins. See [caddy-ansible](https://github.com/caddy-ansible/caddy-ansible)

#### Build Caddy using `xcaddy` on your server

Please refer to [Caddy docs on building Caddy](https://caddyserver.com/docs/build#xcaddy).

### Obtaining CloudFlare API Token

After installing acme.sh, we need to fetch a CloudFlare API key. Please make sure that a DNS record (A or CNAME record) is pointing to your target node, and set the cloud to grey (bypassing CloudFlare proxy). Then go to My Profile > API keys and on Global API Key subtab, click on "view", enter your CloudFlare password, and copy the API key to clipboard.

After install Caddy with Cloudflare DNS plugin, we need to fetch a Cloudflare API token. Please make sure that a DNS record (A or CNAME record) is pointing at your target node. Then go to My Profile > API Tokens and on API Tokens click "Create Token". Create API Token > API token templates, at the end of line with "Edit zone DNS", click "Use template". Under **Zone Resources**, select your DNS zone for which you wish to create the API token, click "Continue to summary". Review the API token summary and click "Create Token". And finally copy the API token to clipboard.

### Reconfiguring Caddy to use Cloudflare DNS for obtaining certificates

Create an environment variable file (like `.env`), keep in mind that this file contains secrets and should not be accessed by public.

We recommend that you create the secret file in the following location: `/etc/caddy/.secrets.env`.

```bash
CLOUDFLARE_API_TOKEN=<your cloudflare api token>
```

For security reasons, we recommend setting permissions to `0600` (only owner can read or write to the file).

```bash
# Set ownership of the `.secrets.env` file to `caddy` system user
chown caddy:caddy /etc/caddy/.secrets.env

# Set read-write permissions only to owner - the `caddy` system user
chmod 0600 /etc/caddy/.secrets.env
```

Modify the systemd unit file, to load environment variables from file (add `--envfile /etc/caddy/.secrets.env` flag to `ExecStart`), the default systemd unit file location is `/etc/systemd/system/caddy.service`:

```unit{12}
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --envfile /etc/caddy/.secrets.env --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
```

You can add a `tls` block to your `Caddyfile`, under the `<domain>` block of your panel configuration, the Caddy config file location is `/etc/caddy/Caddyfile`:

```caddyfile{5-7}
<domain> {
# ...
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
}
```

:::
::::

0 comments on commit fad96ab

Please sign in to comment.