Here is a detailed guide on how to set up and install Caddy as a reverse proxy on Ubuntu and secure it with Let’s Encrypt. Please ensure you have sudo or root privileges when implementing these steps.

Step 1: Update your System

First, update your system packages to the latest versions. You can do this by running the following commands:

sudo apt update
sudo apt upgrade

Step 2: Install Caddy

After updating your system, you can install Caddy. Run this command to install Caddy:

curl -o- https://getcaddy.com | bash -s personal

This command will install the latest version of Caddy. The “personal” argument is a licensing option that specifies you’re using Caddy for personal use.

Step 3: Set Up the Caddyfile

Caddy’s main configuration file is known as a Caddyfile. By default, it is located at /etc/caddy/Caddyfile.

You can use nano or any text editor to edit the Caddyfile. Here’s a basic example of a Caddyfile that sets up a reverse proxy for a website:

sudo nano /etc/caddy/Caddyfile

And insert the following:

yourdomain.com {
    # Proxy every request for this site to the backend. A "/" matcher before the
    # upstream would match only the exact root path in Caddy 2, so it is omitted.
    reverse_proxy 127.0.0.1:3000
}

In this example, replace “yourdomain.com” with your actual domain, and “127.0.0.1:3000” with the address and port of the backend server that Caddy should forward requests to.

Step 4: Run Caddy

After setting up the Caddyfile, you can start Caddy:

sudo caddy run

Step 5: Setting up HTTPS with Let’s Encrypt

One of the great things about Caddy is that it can automatically obtain and renew SSL/TLS certificates from Let’s Encrypt for your sites.

In the Caddyfile, you can instruct Caddy to use Let’s Encrypt by specifying an email address to use for certificate management:

yourdomain.com {
    # Contact address registered with Let's Encrypt for this certificate
    tls you@example.com
    # Proxy every request for this site to the backend (no "/" matcher, see Step 3)
    reverse_proxy 127.0.0.1:3000
}

Replace “you@example.com” with your actual email address.

By default, Caddy uses the HTTP challenge to validate your control over the domain. However, if your ISP blocks port 80 (required for the HTTP challenge), you can instruct Caddy to use the DNS challenge instead if Caddy supports your DNS provider. The DNS challenge does not need any ports to be open.

Step 6: Enable Caddy at System Startup

To ensure Caddy runs when your system boots, you should enable it as a systemd service. First, create a service file:

sudo nano /etc/systemd/system/caddy.service

Insert the following configuration:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target

[Service]
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

This will create a new systemd service named caddy.

You can then start the service with this command:

sudo systemctl start caddy

And enable it to start at boot with this command:

sudo systemctl enable caddy
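As an added check, not part of this guide or of Caddy's own tooling, the following POSIX shell helper audits a unit such as the one above for common hardening gaps; run against the unit as written it reports, among other things, that Caddy would run as root because no User= is set. The directives it looks for are standard systemd options; the /var/lib/caddy path mentioned in the comments is an assumption about where Caddy keeps its certificate store.

```shell
#!/bin/sh
# audit_unit FILE: print one WARN line per hardening gap found in a
# systemd service unit, then print the number of warnings on the last
# line. Hypothetical helper for this guide, not part of Caddy; every
# directive it looks for is a standard systemd [Service] option.
audit_unit() {
  unit="$1"
  warns=0

  # No User= (or User=root) means the proxy runs as root. Caddy only
  # needs CAP_NET_BIND_SERVICE for ports 80/443, which the unit already
  # grants via AmbientCapabilities, so a dedicated user is enough.
  if ! grep -q '^User=' "$unit" || grep -q '^User=root$' "$unit"; then
    echo "WARN: service runs as root (no unprivileged User= set)"
    warns=$((warns + 1))
  fi

  # ProtectSystem=strict makes the whole filesystem read-only except for
  # ReadWritePaths= (assumed here: Caddy's certificate store under
  # /var/lib/caddy); 'full' only makes /usr, /boot and /etc read-only.
  if ! grep -q '^ProtectSystem=strict$' "$unit"; then
    echo "WARN: ProtectSystem is not 'strict'"
    warns=$((warns + 1))
  fi

  # Without NoNewPrivileges the process could regain privileges through
  # setuid binaries even after dropping to an unprivileged user.
  if ! grep -q '^NoNewPrivileges=true$' "$unit"; then
    echo "WARN: NoNewPrivileges=true missing"
    warns=$((warns + 1))
  fi

  # A reverse proxy has no reason to read users' home directories.
  if ! grep -q '^ProtectHome=true$' "$unit"; then
    echo "WARN: ProtectHome=true missing"
    warns=$((warns + 1))
  fi

  echo "$warns"
}

# Usage: sh audit_unit.sh /etc/systemd/system/caddy.service
if [ -n "${1:-}" ]; then
  audit_unit "$1"
fi
```

The first warning is addressed by a dedicated system account plus User=caddy and Group=caddy in the unit; the AmbientCapabilities line already present is what lets that unprivileged user bind ports 80 and 443.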

Step 7: Open Necessary Ports

Remember to open ports 80 and 443 in your firewall if they aren’t already open. These ports are needed for HTTP and HTTPS communication, respectively. If you’re using UFW to manage your firewall, you can do this with these commands:

sudo ufw allow 80
sudo ufw allow 443

That’s it! You should now have a working Caddy server that automatically obtains and renews SSL/TLS certificates from Let’s Encrypt.