一、安装 Caddy
确保80、443端口没有被占用
1、安装方法一
安装必要软件包
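# Refresh the package index, then bring the whole system up to date.
apt update
apt dist-upgrade -y
# dist-upgrade already covers everything upgrade does; this is a harmless no-op
# kept so both commands remain visible as separate, runnable lines.
apt upgrade -y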
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates
加入 Caddy 的 GPG 公钥和 apt 源
# Fetch the repository signing key over HTTPS and store it de-armored in a
# dedicated keyring; the source entry on the next line pins that keyring with
# signed-by=, so only this key can validate packages from this repository.
# Note: without `set -o pipefail` the line's exit status is gpg's, so a failed
# download is not reported here — check that the keyring file is non-empty.
curl -sSL https://dl.cloudsmith.io/public/caddy/stable/gpg.key | gpg --dearmor > /usr/share/keyrings/caddy.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/caddy.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" > /etc/apt/sources.list.d/caddy.list
更新系统后,安装 Caddy
# Refresh the index so the newly added Caddy source becomes visible to apt.
apt update
apt install caddy
2、安装方法二
# Method two: install the keyring helpers, fetch and de-armor Caddy's signing
# key into its own keyring, write the remote-provided source list, refresh the
# index, install Caddy and print its version. The commands are joined with &&
# so the chain stops at the first failing command.
# NOTE(review): the two curl pipelines return gpg's and tee's status, not
# curl's, so a failed download is not caught by && here; verify the keyring and
# the source list are non-empty if `apt update` later cannot find the repo.
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https && \
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg && \
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list > /dev/null && \
sudo apt update && \
sudo apt install -y caddy && \
caddy version
二、启动 Caddy 并设置开机自启动
# Start the service now; the following line enables it at boot.
systemctl start caddy
systemctl enable caddy
三、配置 Caddy
默认的 Caddyfile 文件位于 /etc/caddy/Caddyfile
简单例子
我们需要绑定域名 example.com
这个域名的文件位于 /var/www/example.com,默认首页文件名为 index.html
我们需要开启 SSL 访问,并且访问 http 跳转到 https
我们需要设置开启 TLS 1.2 和 TLS 1.3,并开启 HSTS Preload
首先,设置 http://example.com/ 跳转到 https://example.com/
注意:默认情况下,如果下面的 example.com 没有像 example.com:80 和 example.com:443 这样显式指定端口,Caddy 会自动使用 443 端口,并自动开启 http://example.com/ 到 https://example.com/ 的跳转。这里的示范是为了满足某些特殊需求(例如通过特定端口访问 HTTP 和 HTTPS),此时就需要手动配置。
# Plain-HTTP listener: every request is sent to the HTTPS origin with the
# same host and path. Needed here only because the explicit :80/:443 ports
# turn off Caddy's automatic HTTP->HTTPS redirect.
example.com:80 {
redir https://{host}{uri} permanent
}
然后我们按照 Mozilla 的推荐配置写入 Caddyfile:
# HTTPS site for example.com: pinned TLS versions and cipher suites, security
# response headers, and static files served from /var/www/example.com with
# compression.
example.com:443 {
tls {
protocols tls1.2 tls1.3
# Explicit suite list (ECDHE key exchange with AES-GCM or ChaCha20 only).
# NOTE(review): pinning suites means later Caddy default changes will not
# reach this site — review the list periodically; the selection is also
# believed to apply to TLS 1.2 only, TLS 1.3 suites being fixed — confirm.
ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
}
header {
# Two years, subdomains included, eligible for the browser preload list.
# Preload inclusion is hard to undo: every subdomain must serve HTTPS first.
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Referrer-Policy strict-origin-when-cross-origin
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
# NOTE(review): the reverse-proxy example later on this page sets this header
# to "0" (filter disabled), which is the current recommendation; confirm which
# value is intended so both examples agree.
X-XSS-Protection "1; mode=block"
}
root * /var/www/example.com
file_server {
index index.html
}
encode gzip zstd
}
当然也可以设置 www.example.com 跳转到 example.com:
# Send the www host (plain HTTP) to the apex domain over HTTPS, keeping the path.
www.example.com:80 {
redir https://example.com{uri} permanent
}
www.example.com:443 {
redir https://example.com{uri} permanent
}
然后把以上所有内容合并成一个 Caddyfile 文件,放到 /etc/caddy/Caddyfile,然后检查 Caddy 配置:
caddy validate --config /etc/caddy/Caddyfile
输出如下内容则表示配置正确:
root@debian ~ # caddy validate --config /etc/caddy/Caddyfile
2022/12/26 17:31:22.347 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2022/12/26 17:31:22.349 WARN http server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2022/12/26 17:31:22.349 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/12/26 17:31:22.349 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00018ad90"}
2022/12/26 17:31:22.350 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc00018ad90"}
Valid configuration
有强迫症的也可以把你的 Caddyfile 文件美化一下:
caddy fmt /etc/caddy/Caddyfile --overwrite
最后重启 Caddy
systemctl restart caddy
耐心等待自动签发 SSL 证书,然后我们就可以打开浏览器控制台查看 https://example.com/ ,即可看到 SSL 证书已经自动部署。
反向代理例子
# Reverse-proxy site for domain.com: compresses responses, proxies to a local
# backend on 127.0.0.1:80, hardens response headers, blocks listed source
# ranges and crawler user agents, sets cache headers for static assets and
# writes a rotated access log.
domain.com {
encode {
zstd
gzip 3
minimum_length 1000 # smallest response size that gets compressed
}
reverse_proxy 127.0.0.1:80 {
transport http {
dial_timeout 2s
keepalive 30s
keepalive_idle_conns 100
max_conns_per_host 200
}
# Pass the real client IP through (direct connections, nothing in front)
# header_up X-Real-IP {remote_host}
# header_up X-Forwarded-For {remote_host}
# header_up X-Forwarded-Proto {http.request.scheme}
# Pass the real client IP through (Cloudflare in front)
# NOTE(review): CF-Connecting-IP is an ordinary request header. It is only
# trustworthy when the origin accepts connections solely from Cloudflare;
# otherwise any direct client can set it and choose the address the backend
# logs and rate-limits on.
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
header_up X-Forwarded-Proto {scheme}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # force HTTPS for one year, subdomains included
X-XSS-Protection "0" # disable the legacy browser XSS filter
X-Frame-Options "DENY" # forbid framing by any page
X-Content-Type-Options "nosniff" # forbid MIME-type sniffing
Referrer-Policy "strict-origin-when-cross-origin" # limit Referer leakage
Permissions-Policy "geolocation=(), microphone=(), camera=()" # deny these browser features
# X-Robots-Tag "noindex, nofollow" # keep search engines from indexing (optional)
-Server # strip the Server header
-X-Powered-By # strip X-Powered-By
-Last-Modified # strip Last-Modified (this also disables If-Modified-Since revalidation by clients)
-Via # strip Via
defer # apply these operations after the upstream response arrives, so the removals above also hit headers set by the backend; not a performance setting
}
# Block known scanner source ranges
# NOTE(review): remote_ip matches the TCP peer address. With Cloudflare in
# front that address is a Cloudflare edge, so this list only takes effect for
# direct connections; proxied traffic would need the client_ip matcher with
# trusted_proxies configured — confirm which deployment is intended.
@blockedips remote_ip \
66.132.159.0/24 \
162.142.125.0/24 \
167.94.138.0/24 \
167.94.145.0/24 \
167.94.146.0/24 \
167.248.133.0/24 \
199.45.154.0/24 \
199.45.155.0/24 \
206.168.34.0/24 \
206.168.35.0/24 \
2602:80d:1000:b0cc:e::/80 \
2620:96:e000:b0cc:e::/80 \
2602:80d:1003::/112 \
2602:80d:1004::/12
# NOTE(review): the /12 on the last entry spans all of 2600::/12, far wider
# than the /80 and /112 entries beside it, and would reject a very large share
# of IPv6 clients; verify the intended prefix length before relying on it.
handle @blockedips {
respond "Your IP has been blocked." 403 {
close # drop the connection after the response
}
}
# Block abusive crawler user agents
# NOTE(review): User-Agent is chosen by the client, so this is a nuisance
# filter rather than an access control; the pattern also matches generic
# tools (wget, fetch, httpclient, crawler) that legitimate monitors may use.
@badbots {
header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
}
handle @badbots {
respond "Access for bad crawlers denied" 403 {
close
}
}
# Static-asset caching: max-age=2592000 is 30 days. "immutable" assumes the
# file names are versioned/fingerprinted, otherwise updates will not be seen
# until the cache expires — confirm.
@images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico|bmp|avif|icon)$
header @images {
Cache-Control "public, max-age=2592000, immutable"
}
@static path_regexp \.(css|js|mjs|map|woff2?|ttf|otf|eot|wasm)$
header @static {
Cache-Control "public, max-age=2592000, immutable"
}
# Access log, rotated at 10MB with 10 files kept
log {
level INFO
output file /var/log/caddy/caddy-web.log {
roll_size 10MB
roll_keep 10
}
}
}
四、重载、重启
# Re-read unit files; only needed if the caddy.service unit itself changed.
systemctl daemon-reload
# Apply a changed Caddyfile through the service's reload action.
systemctl reload caddy
systemctl restart caddy
五、卸载 Caddy
停止 Caddy 服务
sudo systemctl stop caddy
卸载 Caddy 软件包
sudo apt purge caddy
如果你想删除 Caddy 配置文件和数据,可以执行以下命令:
sudo rm -rf /etc/caddy /var/lib/caddy /var/log/caddy
批量卸载命令(以上命令合并):
# Unattended uninstall: stop the service first, then remove the package
# (purge also drops the package's configuration files).
systemctl stop caddy
apt purge caddy
rm -rf /etc/caddy /var/lib/caddy /var/log/caddy
更多的配置可以参考官方文档或《Caddyfile 语法浅析》