Merge pull request #535 from acaslab/master

Add Caddy webserver configuration and tutorial on Caddy with Cloudflare DNS in proxy mode
2025-12-10 09:17:40 -06:00 · 2024-01-18 10:10:51 -05:00 · 2024-01-18 10:10:51 -05:00 · fad96abc27
commit fad96abc27
parent 29d1fe22a4 10bf4f1416
4 changed files with 245 additions and 9 deletions
--- a/.snippets/webservers/Caddyfile
+++ b/.snippets/webservers/Caddyfile
@ -0,0 +1,48 @@
+{
+    servers :443 {
+        timeouts {
+            read_body 120s
+        }
+    }
+}
+
+<domain> {
+    root * /var/www/pterodactyl/public
+
+    file_server
+
+    php_fastcgi unix//run/php/php8.1-fpm.sock {
+        root /var/www/pterodactyl/public
+        index index.php
+
+        env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
+        env HTTP_PROXY ""
+        env HTTPS "on"
+
+        read_timeout 300s
+        dial_timeout 300s
+        write_timeout 300s
+    }
+
+    header Strict-Transport-Security "max-age=16768000; preload;"
+    header X-Content-Type-Options "nosniff"
+    header X-XSS-Protection "1; mode=block;"
+    header X-Robots-Tag "none"
+    header Content-Security-Policy "frame-ancestors 'self'"
+    header X-Frame-Options "DENY"
+    header Referrer-Policy "same-origin"
+
+    request_body {
+        max_size 100m
+    }
+
+    respond /.ht* 403
+
+    log {
+        output file /var/log/caddy/pterodactyl.log {
+            roll_size 100MiB
+            roll_keep_for 7d
+        }
+        level INFO
+    }
+}
--- a/.snippets/webservers/Caddyfile-nossl
+++ b/.snippets/webservers/Caddyfile-nossl
@ -0,0 +1,48 @@
+{
+    servers :80 {
+        timeouts {
+            read_body 120s
+        }
+    }
+}
+
+<domain>:80 {
+    root * /var/www/pterodactyl/public
+
+    file_server
+
+    php_fastcgi unix//run/php/php8.1-fpm.sock {
+        root /var/www/pterodactyl/public
+        index index.php
+
+        env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
+        env HTTP_PROXY ""
+        # env HTTPS "on" # IMPORTANT: this is commented out, to disable HTTPS
+
+        read_timeout 300s
+        dial_timeout 300s
+        write_timeout 300s
+    }
+
+    header Strict-Transport-Security "max-age=16768000; preload;"
+    header X-Content-Type-Options "nosniff"
+    header X-XSS-Protection "1; mode=block;"
+    header X-Robots-Tag "none"
+    header Content-Security-Policy "frame-ancestors 'self'"
+    header X-Frame-Options "DENY"
+    header Referrer-Policy "same-origin"
+
+    request_body {
+        max_size 100m
+    }
+
+    respond /.ht* 403
+
+    log {
+        output file /var/log/caddy/pterodactyl.log {
+            roll_size 100MiB
+            roll_keep_for 7d
+        }
+        level INFO
+    }
+}
--- a/panel/1.0/webserver_configuration.md
+++ b/panel/1.0/webserver_configuration.md
@ -4,8 +4,12 @@
 When using the SSL configuration you MUST create SSL certificates, otherwise your webserver will fail to start. See the [Creating SSL Certificates](/tutorials/creating_ssl_certificates.html) documentation page to learn how to create these certificates before continuing.
 :::

-:::: tabs
-::: tab "Nginx With SSL"
+::: tip
+If you are using [Caddy With Automatic SSL](#caddy-with-automatic-ssl), you do not have to create SSL certificates manually, Caddy will take care of it automatically.
+:::
+
+::::: tabs
+:::: tab "Nginx With SSL"
 First, remove the default NGINX configuration.

 ``` bash
@ -29,8 +33,8 @@ sudo ln -s /etc/nginx/sites-available/pterodactyl.conf /etc/nginx/sites-enabled/
 sudo systemctl restart nginx
 ```

-:::
-::: tab "Nginx Without SSL"
+::::
+:::: tab "Nginx Without SSL"
 First, remove the default NGINX configuration.

 ``` bash
@ -54,8 +58,8 @@ sudo ln -s /etc/nginx/sites-available/pterodactyl.conf /etc/nginx/sites-enabled/
 sudo systemctl restart nginx
 ```

-:::
-::: tab "Apache With SSL"
+::::
+:::: tab "Apache With SSL"
 First, remove the default Apache configuration.

 ``` bash
@ -82,8 +86,8 @@ sudo a2enmod ssl
 sudo systemctl restart apache2
 ```

-:::
-::: tab "Apache Without SSL"
+::::
+:::: tab "Apache Without SSL"
 First, remove the default Apache configuration.

 ``` bash
@ -109,7 +113,61 @@ sudo a2enmod rewrite
 sudo systemctl restart apache2
 ```

-:::
 ::::
+:::: tab "Caddy With Automatic SSL"
+Before adding our custom configuration, let's remove the default one. You can do it either by deleting the contents of config file or by deleting the config file completely and than creating a new one from scratch. The config file path is `/etc/caddy/Caddyfile`.
+
+To delete the config file completely, run the following command:
+
+```shell
+rm /etc/caddy/Caddyfile
+```
+
+Then continue with an editor of your choice to write the config.
+
+You should paste the contents of the file below, replacing `<domain>` with your domain name.
+
+<<< @/.snippets/webservers/Caddyfile{9}
+
+::: tip
+If you are using Cloudflare DNS in proxy mode, refer to [this tutorial](/tutorials/creating_ssl_certificates.html#method-3:-caddy-(using-cloudflare-api)), to see how to configure Caddy to use DNS challenge for obtaining SSL certificates.
+:::
+
+### Enabling Configuration
+
+The final step is to restart Caddy.
+
+```bash
+systemctl restart caddy
+```
+
+::::
+:::: tab "Caddy Without SSL"
+Before adding our custom configuration, let's remove the default one. You can do it either by deleting the contents of config file or by deleting the config file completely and than creating a new one from scratch. The config file path is `/etc/caddy/Caddyfile`.
+
+To delete the config file completely, run the following command:
+
+```shell
+rm /etc/caddy/Caddyfile
+```
+
+Then continue with an editor of your choice to write the config.
+
+You should paste the contents of the file below, replacing `<domain>` with your domain name.
+
+The only two differences are that we have suffixed the `<domain>` with `:80` and in the global config at `servers` directive, we have changed the port from `:443` to `:80`.
+
+<<< @/.snippets/webservers/Caddyfile-nossl{9}
+
+### Enabling Configuration
+
+The final step is to restart Caddy.
+
+```bash
+systemctl restart caddy
+```
+
+::::
+:::::

 #### Next Step: [Wings Installation](../../wings/installing.md)
--- a/tutorials/creating_ssl_certificates.md
+++ b/tutorials/creating_ssl_certificates.md
@ -140,5 +140,87 @@ After running the script for the first time, it will be added to the crontab aut
 sudo crontab -e
 ```

+:::
+::: tab "Method 3: Caddy (using Cloudflare API)"
+This is for advanced users, who are running Cloudflare in proxy mode or do not have access to port `80`.
+
+### Installing Caddy with Cloudflare DNS plugin
+
+Caddy does not come by default with Cloudflare DNS plugin, you need to install it yourself.
+
+There are two main methods:
+
+1. Using `xcaddy` - CLI tool to build your own Caddy build
+2. Downloading prebuilt binary from [Caddy's download page](https://caddyserver.com/download).
+3. Using Ansible to download and install Caddy with plugins. See [caddy-ansible](https://github.com/caddy-ansible/caddy-ansible)
+
+#### Build Caddy using `xcaddy` on your server
+
+Please refer to [Caddy docs on building Caddy](https://caddyserver.com/docs/build#xcaddy).
+
+### Obtaining CloudFlare API Token
+
+After installing acme.sh, we need to fetch a CloudFlare API key. Please make sure that a DNS record (A or CNAME record) is pointing to your target node, and set the cloud to grey (bypassing CloudFlare proxy). Then go to My Profile > API keys and on Global API Key subtab, click on "view", enter your CloudFlare password, and copy the API key to clipboard.
+
+After install Caddy with Cloudflare DNS plugin, we need to fetch a Cloudflare API token. Please make sure that a DNS record (A or CNAME record) is pointing at your target node. Then go to My Profile > API Tokens and on API Tokens click "Create Token". Create API Token > API token templates, at the end of line with "Edit zone DNS", click "Use template". Under **Zone Resources**, select your DNS zone for which you wish to create the API token, click "Continue to summary". Review the API token summary and click "Create Token". And finally copy the API token to clipboard.
+
+### Reconfiguring Caddy to use Cloudflare DNS for obtaining certificates
+
+Create an environment variable file (like `.env`), keep in mind that this file contains secrets and should not be accessed by public.
+
+We recommend that you create the secret file in the following location: `/etc/caddy/.secrets.env`.
+
+```bash
+CLOUDFLARE_API_TOKEN=<your cloudflare api token>
+```
+
+For security reasons, we recommend setting permissions to `0600` (only owner can read or write to the file).
+
+```bash
+# Set ownership of the `.secrets.env` file to `caddy` system user
+chown caddy:caddy /etc/caddy/.secrets.env
+
+# Set read-write permissions only to owner - the `caddy` system user
+chmod 0600 /etc/caddy/.secrets.env
+```
+
+Modify the systemd unit file, to load environment variables from file (add `--envfile /etc/caddy/.secrets.env` flag to `ExecStart`), the default systemd unit file location is `/etc/systemd/system/caddy.service`:
+
+```unit{12}
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --environ --envfile /etc/caddy/.secrets.env --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+```
+
+You can add a `tls` block to your `Caddyfile`, under the `<domain>` block of your panel configuration, the Caddy config file location is `/etc/caddy/Caddyfile`:
+
+```caddyfile{5-7}
+<domain> {
+  # ...
+
+  tls {
+    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+  }
+}
+```
+
 :::
 ::::