Installing Caddy

Make sure ports 80 and 443 are not already in use.
Install the required packages:

apt update
apt upgrade -y
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates

Add Caddy's GPG public key and apt repository:

curl -sSL https://dl.cloudsmith.io/public/caddy/stable/gpg.key | gpg --dearmor > /usr/share/keyrings/caddy.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/caddy.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" > /etc/apt/sources.list.d/caddy.list

Refresh the package lists, then install Caddy:

apt update
apt install caddy

Configuring Caddy

The default Caddyfile is located at /etc/caddy/Caddyfile.

A simple example

We want to bind the domain example.com.
The site's files live under /var/www/example.com, and the default index file is index.html.
We want to enable SSL (HTTPS) access, with http redirected to https.
We want to enable TLS 1.2 and TLS 1.3 only, and turn on HSTS with preload.
First, redirect http://example.com/ to https://example.com/:

Note: by default, if the example.com:80 and example.com:443 blocks below are written without explicit ports (that is, as plain example.com), Caddy automatically serves on port 443 and automatically redirects http://example.com/ to https://example.com/. The explicit ports shown here are for unusual requirements, such as serving HTTP and HTTPS on specific ports, in which case the redirect must be configured manually.

example.com:80 {
    redir https://{host}{uri} permanent
}

Then we write the Mozilla-recommended configuration into the Caddyfile:

example.com:443 {
    tls {
        protocols tls1.2 tls1.3
        ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    }

    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Referrer-Policy strict-origin-when-cross-origin
        X-Frame-Options SAMEORIGIN
        X-Content-Type-Options nosniff
        X-XSS-Protection "1; mode=block"
    }

    root * /var/www/example.com

    file_server {
        index index.html
    }

    encode gzip zstd
}

You can of course also redirect www.example.com to example.com:

www.example.com:80 {
    redir https://example.com{uri} permanent
}
www.example.com:443 {
    redir https://example.com{uri} permanent
}

Then merge all of the above into a single Caddyfile, place it at /etc/caddy/Caddyfile, and validate the configuration:

caddy validate --config /etc/caddy/Caddyfile

Output like the following means the configuration is valid:

root@debian ~ # caddy validate --config /etc/caddy/Caddyfile
2022/12/26 17:31:22.347    INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2022/12/26 17:31:22.349    WARN    http    server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server    {"server_name": "srv1", "http_port": 80}
2022/12/26 17:31:22.349    INFO    http    enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2022/12/26 17:31:22.349    INFO    tls.cache.maintenance    started background certificate maintenance    {"cache": "0xc00018ad90"}
2022/12/26 17:31:22.350    INFO    tls.cache.maintenance    stopped background certificate maintenance    {"cache": "0xc00018ad90"}
Valid configuration

If you like things tidy, you can also have Caddy reformat your Caddyfile in place:

caddy fmt /etc/caddy/Caddyfile --overwrite

Finally, restart Caddy:

systemctl restart caddy

Wait patiently for the SSL certificate to be issued automatically; then open https://example.com/ in a browser and inspect the connection in the browser's developer console to confirm that the SSL certificate has been deployed automatically.
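Beyond eyeballing the certificate, it is worth checking that the two security properties the Caddyfile above is meant to provide actually hold: the plain-HTTP site must permanently redirect to https:// on the same host, and the HTTPS response must carry an HSTS header that meets the preload list requirements (max-age of at least one year, includeSubDomains, preload). The script below is an added example, not part of the original post or of Caddy itself; it parses response headers with two functions, exercises them on constructed sample responses, and assumes curl is installed for the live check_site helper.

```sh
#!/bin/sh
# Added example, not from the original post: verify that a deployed site
# behaves the way the Caddyfile above intends, i.e. plain HTTP permanently
# redirects to https:// on the same host, and the HTTPS response carries an
# HSTS header that meets the preload list requirements (max-age of at least
# one year, includeSubDomains, preload). Header text is parsed by the two
# functions below; check_site fetches it with curl (assumed installed).

# hsts_preload_ok HEADERS: 0 if the HSTS header is preload-ready, 1 otherwise.
hsts_preload_ok() {
    hsts=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$hsts" ] || return 1
    value=$(printf '%s' "${hsts#*:}" | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ] || return 1
    printf '%s' "$value" | grep -q 'includesubdomains' || return 1
    printf '%s' "$value" | grep -q 'preload' || return 1
}

# http_redirect_ok HEADERS HOST: 0 if the response is a 301/308 to https://HOST/...
http_redirect_ok() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}')
    case "$status" in 301|308) ;; *) return 1 ;; esac
    location=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^location:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    case "$location" in
        "https://$2"|"https://$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_site HOST: live check over the network, e.g. check_site example.com
check_site() {
    http_redirect_ok "$(curl -sI "http://$1/")" "$1" || { echo "$1: no permanent HTTP->HTTPS redirect"; return 1; }
    hsts_preload_ok "$(curl -sI "https://$1/")" || { echo "$1: HSTS header not preload-ready"; return 1; }
    echo "$1: OK"
}

# Constructed sample responses (what a correctly configured server returns).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Length: 0'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-type: text/html'
http_redirect_ok "$SAMPLE_HTTP" example.com && hsts_preload_ok "$SAMPLE_HTTPS" && echo "sample responses: OK"
```

Run `check_site example.com` from a machine that can reach the server once the certificate has been issued; a failing redirect check usually means the :80 block was omitted or the site is listening on a non-standard port.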

Uninstalling Caddy

Stop the Caddy service:

sudo systemctl stop caddy

Remove the Caddy package:

sudo apt purge caddy

If you also want to delete Caddy's configuration files and data, run:

sudo rm -rf /etc/caddy /var/lib/caddy /var/log/caddy

The commands above combined into a one-shot uninstall:

systemctl stop caddy
apt purge caddy
rm -rf /etc/caddy /var/lib/caddy /var/log/caddy

For more configuration options, refer to the official documentation or 《Caddyfile 语法浅析