###Introduction
Caddy is an emerging web server program with native support for HTTP/2 and automatic HTTPS. With ease of use and security in mind, Caddy can be used to rapidly deploy an HTTPS-enabled site with a single config file.
Prerequisites
- A fresh Rcs CentOS 7 x64 server instance. We will use
203.0.113.1
as an example. - A sudo user.
- The server instance has been updated to the latest stable status using the EPEL YUM repo.
- A domain
example.com
has been configured to point to the203.0.113.1
server instance. See details in another Rcs tutorial.
Step 1: Install the Latest Stable Release of Caddy
On a Linux, Mac, or BSD operating system, use the following command to install the latest stable system-specific release of Caddy:
curl https://getcaddy.com | bash
When prompted, input your sudo password to finish the installation.
The Caddy binary will be installed to the /usr/local/bin
directory. Use the following command to confirm:
which caddy
The output shoud be:
/usr/local/bin/caddy
For security purposes, NEVER run the Caddy binary as root. In order to give Caddy the ability to bind to privileged ports (e.g. 80, 443) as a non-root user, you need to run the setcap
command as follows:
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
Step 2: Configure Caddy
Create a dedicated system user: caddy
and a group of the same name for Caddy:
sudo useradd -r -d /var/www -M -s /sbin/nologin caddy
Note: The user caddy
created here can only be used to manage the Caddy service and cannot be used for logging in.
Create the home directory /var/www
for the Caddy web server, and the home directory /var/www/example.com
for your site:
sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www
Create a directory to store SSL certificates:
sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy
Create a dedicated directory to store the Caddy config file Caddyfile
:
sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy
Create the Caddy config file named Caddyfile
:
sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
example.com {
root /var/www/example.com
gzip
tls admin@example.com
}
EOF
Note: The Caddyfile
file created above is only a basic configuration for running a static website. You can learn more about how to write a Caddyfile here.
In order to facilitate the operations of Caddy, you can setup a systemd
unit file for Caddy and then use systemd
to manage Caddy.
Use the vi
editor to create the Caddy systemd
unit file:
sudo vi /etc/systemd/system/caddy.service
Populate the file:
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=caddy
Group=caddy
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Save and quit:
:wq!
Start the Caddy service and make it automatically start on system boot:
sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service
Step 3: Modify firewall rules
In order to allow visitors to access your Caddy site, you need to open ports 80 and 443:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
Step 4: Create a test page for your site
Use the following command to create a file named index.html
in your Caddy site home directory:
echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html
Restart the Caddy service to load new contents:
sudo systemctl restart caddy.service
Finally, point your web browser to http://example.com
or https://example.com
. You should see the message Hello World!
as expected.