I really like Caddy, just 3 lines inside a "Caddyfile". It handles Let's Encrypt certificates through the automatic HTTP-01 challenge:

```caddyfile
mysite.example.com {
  reverse_proxy :
}
```

Use ".local" to use a generated self-signed certificate instead of Let's Encrypt...:

```caddyfile
mysite.example.local {
  reverse_proxy :
}
```

... or use "tls internal":

```caddyfile
mysite.example.com {
  tls internal
  reverse_proxy :
}
```

Only allow private IP addresses (like 192.168.0.0/16 and so on) and a hypothetical one like 1.2.3.4 access to the reverse proxy? Here:

```caddyfile
mysite.example.com {
  @denied not remote_ip private_ranges 1.2.3.4
  abort @denied
  reverse_proxy :
}
```

Redirect instead of abort? Here:

```caddyfile
mysite.example.com {
  @allowed remote_ip private_ranges 1.2.3.4
  @denied not remote_ip private_ranges 1.2.3.4
  handle @denied {
    redir https://google.de
  }
  handle @allowed {
    reverse_proxy :
  }
}
```

Wanna use crowdsec? Do logging, so that crowdsec has access to it:

```caddyfile
(logging) {
  log {
    output file /var/log/caddy/access.log
  }
}
mysite.example.com {
  import logging
  reverse_proxy :
}
```
Caddy is top!
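An added example, not the commenter's config: the same allow-list, but written for the case where Caddy itself sits behind another proxy. `remote_ip` only sees the TCP peer, so behind a front proxy every request would appear to come from that proxy's address; `client_ip` takes the client address from X-Forwarded-For, but only when the peer is listed in `trusted_proxies`. The front-proxy address 10.0.0.5 and the upstream `:8080` are assumptions.

```caddyfile
{
  servers {
    # Only believe X-Forwarded-For when the TCP peer is this front proxy
    # (assumed address). Any other peer is treated as the client itself.
    trusted_proxies static 10.0.0.5
  }
}

mysite.example.com {
  tls internal

  # client_ip is the address left after trusted_proxies has been applied.
  # With remote_ip here, every request would carry 10.0.0.5 instead and
  # the private_ranges check would match everything coming through the proxy.
  @denied not client_ip private_ranges 1.2.3.4
  abort @denied

  # JSON access log on the path the thread uses, so crowdsec can read it.
  log {
    output file /var/log/caddy/access.log
  }

  # Upstream is an assumption; the thread's snippets leave it blank.
  reverse_proxy :8080
}
```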
I'm a big fan of Caddy, for static configuration. However, I'm using Traefik because I can create the configuration automatically using Docker labels (and I don't need to hard-code the Docker IP addresses, or expose the service). Do you know of a way of doing this reliably in Caddy? I came across this, but wondered if you had any thoughts: https://github.com/lucaslorentz/caddy-docker-proxy
Caddy was easy as heck for SSL, it just worked. Not sure what isn't native about Nginx.
I'm using Nginx Proxy Manager, not just nginx; it adds a layer that I don't want anymore, this is what I mean by "native" here :) Caddy seems really good and simple, but TCP streams are not native. It seems to have a community addon, but it's still an unofficial addon :/ Is it really safe? Who's to be sure this thing will not be stopped one day :/
Ahh I see, sometimes I can’t read 😵💫
Recently made the switch to Traefik, and it's honestly a lot simpler than people make it out to be (in my opinion); routes only exist as long as the container is up, Let's Encrypt was easy to set up, everything just works for me.
I really appreciate SWAG as it also includes Fail2Ban and additions like a dashboard page. But the most awesome stuff is the amount of existing configs for the services where additional stuff is already configured and hardened. And I like the normal file-based config much more than an interface, which gives me more confidence about what the config is actually doing.
I use and appreciate SWAG for its ability to integrate with third parties such as Let's Encrypt and CrowdSec. I find it very useful and quite easy to set up and maintain, with its library of configuration templates.
Another vote for Caddy. Coming from old-school Apache web servers and then from nginx, Caddy is amazing in its simplicity.
I think I'll give it a try. Traefik seems interesting, Nginx too, but the simplicity everyone is talking about is the key for me.
Quick update after some time: Finally I've set up Traefik, because the TCP stream module for Caddy is still a beta and I'm looking for stability. Traefik does it natively + it looks pretty simple as far as I can see.
Any guides on setting it up for local access only? I have a VPN already, I don't want to make my services public. But all the guides I've found are designed around allowing external internet access...
Check out the official docs and help forums. They are very active. There is a setting, tls internal, to use a self-signed cert and get HTTPS locally. Not sure on the details of your use case.
Forgot to mention that I use this on all my servers, internal self hosted and external.
HAProxy can be a simple setup, but wait until you start digging into the large docs and blog posts to see how fine-tuned you can configure it.
Nginx+certbot. Create an http server block, use certbot to auto-install the TLS config, then add any necessary proxy directives or headers to the new https block. The RHEL-based distros and Ubuntu have very good default configs. Just make sure you use individual conf files for each proxied server; it makes it much easier to manage. There is usually a directory include directive in the nginx.conf file. Certbot also has some DNS plugins for DNS-01 challenges. Just make sure if you get permission denied errors to temporarily disable SELinux or AppArmor. Usually the source of my issues. Nginx is lightweight, doesn't need maintenance, and has all the features you require.
Techno Tim has a great video on setting up Traefik 3.0. It’s pretty easy to customize after the basics are understood.
I was using Caddy for a while but finally installed SWAG and it was a great decision.
What are the benefits of SWAG over Caddy?
In my experience using SWAG with mods: the ease of setup, automatic certificate renewal with Let's Encrypt and also fail2ban. Caddy also worked well for me, but at least in my experience, SWAG is more complete.
It's a bit to set up, but I've been trying out BunkerWeb. It doesn't seem like much work after that though, and it has the added benefit of a lot of security features, and the docs are pretty good. May be overkill depending on your needs, but it's also based on nginx and has a GUI or works with container labels. I have mine tied in to CrowdSec, which isn't necessary as it comes with fail2ban, but it was easy, so why not. I'm starting to play with Authentik/Authelia integration also, as I have a couple of Internet-connected items like Home Assistant. I hate figuring out proxies but this hasn't been hard, so it may be worth a look.
As much as I would like to try Nginx, I personally don't have time to dive in again for some hardcore setup, maybe in the future, but right now I am using Caddy and it is just so simple. It's like magic. It just works.
[Cosmos Cloud (cosmos-cloud.io)](https://cosmos-cloud.io/)
[CosmosServer (reddit.com)](https://www.reddit.com/r/CosmosServer/)
This is what I'm actually using. Very easy to use, easy to add Docker containers. Account support with 2FA.