rk1ve

caddy

caddy is a lightweight web server that can host websites, including secure websites using ssl certificates from let’s encrypt. it can serve sites on the local server, or act as a reverse proxy in front of other server hosts.

the install for this is very simple; i installed it using the package manager.

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg

sudo chmod o+r /etc/apt/sources.list.d/caddy-stable.list

sudo apt update

sudo apt install caddy

this is the install method for debian; you can choose a different distro depending on your operating system. the steps are found on their docs/install page.

once this is installed, the config file is at /etc/caddy/Caddyfile.

dns records will need to be created, either on a public dns server (your domain registrar’s dns settings, if you have a domain) or on a local dns server like pi-hole or adguard. for my purposes, i have adguard, so that is what i am using. if you have a domain registered, you can also use that. either point the record to your cloud server instance running caddy, or to the local server’s ip address. regardless of which dns record you use, whether it is your root domain or a subdomain, it should point to the caddy server’s ip address. ensure ports 80 and 443 are exposed on the server, if they are not already; you can control this with ufw as well.

by navigating to the ip address of caddy, the default caddy web page will open. this page gives great instructions as well.

if you want to do dns-01 challenges against your domain registrar, you can. the install process is fairly simple, as you just need to install the module for your specific dns provider. this is found at "https://caddyserver.com/download", where you filter by platform and find your module. in my case i deployed caddy on an rpi, so i checked linux arm64 and navigated to cloudflare. click on the box and it will be highlighted. scroll up, right click on the download button and copy the link.

from there run this command:
sudo curl -o /usr/bin/caddy "paste-link-above"
sudo chmod 755 /usr/bin/caddy

now that the dns module is installed, you can add the tls section to the caddyfile. this is needed if you want to use a wildcard certificate, since let’s encrypt only issues wildcards via the dns-01 challenge.

before we configure this, we need a dns api key. this varies by registrar, so look at their documentation. for cloudflare, log in to the dashboard, navigate to your profile, then to api tokens. press create token, and go to the bottom for a custom token. name the token caddy, and choose the permissions “zone” “zone” and “zone” “dns”. resources will be set to all zones. create the token and then save it in a secure spot. never share this api key with anyone.

now back to the caddy server, this is a base config to use:
caddy.domain.com {
	root * /var/www/html
	file_server
}

this is a basic configuration; the ssl cert will be generated specifically for that one domain. now if you want a wildcard certificate, so that whatever is pointed to the caddy server uses the same wildcard cert, that is possible. just replace the subdomain with a “*” and add in the api token like this:
*.domain.com {
	root * /var/www/html
	file_server
	tls {
		dns cloudflare api-token-here
	}
}

this assumes there is a static file inside the /var/www/html directory. if not, you can create the directory with:
sudo mkdir -p /var/www/html
sudo chown -R caddy:caddy /var/www/html

this ensures that the caddy user and group have access to the files. also, each time the caddyfile is updated, restart the caddy service:

sudo systemctl restart caddy

you can also view the logs with systemctl status to debug.

overall this is a great service, and if implemented correctly, it will significantly boost your web servers. well, not really; it is just so that you don’t have to keep typing in the ip addresses and ports of the web services.

the ssl certificates are a great addition, and a good replacement for nginx proxy manager. though, i may keep caddy on the rpi for testing and as a second web server to mess around with. my main reverse proxy will remain nginx proxy manager, as it has all my services proxied through it, and i kinda don’t want to remake all 40-some web services with the authentik auth portal.

if you are a fancy person and bought an ssl certificate, wildcard or not, you can also use that. the configuration is similar to the one above; it is literally just the “tls” directive with the cert and private key files.

caddy.domain.com {
	tls cert.pem key.pem
}

otherwise, some services come with their own self-signed certificate, and caddy can be told to skip verifying that cert since we know it is “valid”. note that this only disables certificate verification on the upstream connection (the traffic to the backend is still encrypted), so it belongs only on backends you control on a trusted network.

caddy.domain.com {
	reverse_proxy 172.16.x.x:9000 {
		transport http {
			tls
			tls_insecure_skip_verify
		}
	}
}
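pulling the wildcard and reverse proxy pieces above together, here is an added example caddyfile (not from the original post) that serves several hostnames off one wildcard cert and keeps the cloudflare token out of the config file. it assumes the cloudflare dns module is built in and that the token is exported to the caddy service as the environment variable CLOUDFLARE_API_TOKEN (for example via a systemd drop-in with an Environment= line); the hostnames and the 172.16.x.x upstream are placeholders.

```caddyfile
# Added example, not from the original post. Assumes the Cloudflare DNS module
# is built in and CLOUDFLARE_API_TOKEN is set in the caddy service environment.
*.domain.com {
	# one wildcard certificate via dns-01; the token is read from the
	# environment instead of being written into the Caddyfile
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# several hostnames behind one cert: route by host matcher
	@files host caddy.domain.com
	handle @files {
		root * /var/www/html
		file_server
	}

	@app host app.domain.com
	handle @app {
		# upstream (placeholder address) with a self-signed cert:
		# the hop is encrypted but the backend cert is not verified
		reverse_proxy 172.16.x.x:9000 {
			transport http {
				tls
				tls_insecure_skip_verify
			}
		}
	}

	# any other name under the wildcard gets an explicit 404 instead of
	# silently falling through to the first handler
	handle {
		respond "not found" 404
	}
}
```

run `caddy validate --config /etc/caddy/Caddyfile` before restarting to catch syntax mistakes without taking the server down.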


preserve the moment.