I have written a little about using Caddy as a web server. It is a super powerful tool. So far, I have just used it to host static websites on a [VPS](https://en.wikipedia.org/wiki/Virtual_private_server). Here are some of the basics on setting up Caddy, setting up the Caddyfile, and building a reverse proxy that we will ultimately use for connecting to your NAS appliance.

Installing Caddy

Every guide in the world for setting things up on Debian is full of sudo commands. Every Debian server that I have ever configured doesn’t use sudo. So here is a blob of Debian commands that have had sudo expunged from them:

apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install caddy

You should totally read the [Caddy documentation](https://caddyserver.com/docs/) and not just paste random commands from some random blog into your terminal. I mean I do it, but I’m stupid and you probably shouldn’t follow my example.

Creating a Caddyfile

The installer above should create a Caddyfile in /etc/caddy, which you can open with nano.

nano /etc/caddy/Caddyfile

Inside the Caddyfile, you can modify the configuration for your site.

1.2.3.4, 1.2.3.4:443 {
        redir https://mydomain.com{uri}
}


www.mydomain.com {
        redir https://mydomain.com{uri}
}

mydomain.com {
        # Set this path to your site's directory.
        root * /var/www/mydomain.com/

        # Enable the static file server.
        file_server {
                hide .git
        }
        handle_errors {
                respond "{err.status_code} {err.status_text}"
        }
}

selfhost1.mydomain.com {
        reverse_proxy http://192.168.1.2
}

The first entry (1.2.3.4) is what to do when someone hits the IP address of your VPS. In this case, it redirects them to https://mydomain.com

The second entry (www.mydomain.com) is what happens when someone hits www.mydomain.com. In this case, it also redirects them to https://mydomain.com

The third entry is for the actual webpage of your VPS. You don’t have to put much there. You are just testing the webserver. It serves up files from /var/www/mydomain.com (I just put up a picture of a cat.)

This is what makes Caddy so bad ass. If you have [A records](https://en.wikipedia.org/wiki/List_of_DNS_record_types) that point *, www, and mydomain.com to the IP of your VPS, Caddy will request [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security) for your domain [automagically](http://catb.org/jargon/html/A/automagically.html).

And finally, the last entry is what we are here to talk about: reverse proxying. This is the place where you can point your web server to the overlay network address for the app server running on your NAS. If you have an A record for selfhost1.mydomain.com, you can create a secure link (via TLS/SSL) to an otherwise insecure application running on your internal network.

While this is more secure than opening a port in your firewall and forwarding it to the IP of this insecure app, it is NOT perfectly secure. Caddy looks to be pretty secure, but it’s not bulletproof. There are some other steps that I recommend besides using Caddy and an overlay network, like setting up a [DMZ network](https://en.wikipedia.org/wiki/DMZ_(computing)) to run your application servers out of.
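To check where the unencrypted hop behind Caddy actually goes, the following added example (not from the original post) lists every inline `reverse_proxy` upstream in a Caddyfile and labels it as TLS, cleartext to an internal address, cleartext to a public address, or cleartext to a hostname. The sample Caddyfile, the `selfhost2` and `selfhost3` entries, and the function names are constructed for illustration; upstreams declared inside a `reverse_proxy { to ... }` block are not covered.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the post's proxy entry plus two hypothetical variants.
SAMPLE = """
selfhost1.mydomain.com {
        reverse_proxy http://192.168.1.2
}
selfhost2.mydomain.com {
        reverse_proxy 1.2.3.4:8080
}
selfhost3.mydomain.com {
        reverse_proxy https://nas.internal.example
}
"""

def classify(upstream):
    # Assumption of this sketch: an upstream with no scheme is plain HTTP.
    url = urlsplit(upstream if "://" in upstream else "http://" + upstream)
    if url.scheme == "https":
        return "tls"
    try:
        addr = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return "cleartext-to-hostname"  # destination depends on DNS; review by hand
    # is_global is False for RFC 1918, loopback and 100.64.0.0/10 addresses.
    return "cleartext-public" if addr.is_global else "cleartext-internal"

def audit_upstreams(caddyfile):
    """Return (site, upstream, verdict) for each inline reverse_proxy upstream."""
    findings, site, depth = [], None, 0
    for raw in caddyfile.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if depth == 0 and line.endswith("{"):
            site = line[:-1].strip()  # site address(es) opening a top-level block
        if tokens[0] == "reverse_proxy":
            for tok in tokens[1:]:
                if tok[0] not in "@/*{":  # skip matchers and an opening brace
                    findings.append((site, tok, classify(tok)))
        depth += line.count("{") - line.count("}")
    return findings

if __name__ == "__main__":
    for site, upstream, verdict in audit_upstreams(SAMPLE):
        print(f"{site:26} {upstream:30} {verdict}")
```

Anything reported as `cleartext-public` or `cleartext-to-hostname` deserves a second look before reloading, since the TLS that Caddy provides ends at the proxy.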

Once you have your Caddyfile saved, you can reload Caddy like so:

systemctl reload caddy

Hopefully that, plus the proper Caddy documentation, will help you get started. I know I haven’t posted about the overlay network yet. It’s coming!