caddy multiservice with caddy embedded on docker

Author: Tom Softreck

caddy2/.env.example

@@ -0,0 +1,15 @@
+# Domain configuration
+DOMAIN=example.com
+
+# Cloudflare API Token (required for DNS-01 challenge)
+# Create one at: https://dash.cloudflare.com/profile/api-tokens
+# Required permissions: Zone.Zone:Read, Zone.DNS:Edit
+CF_API_TOKEN=your_cloudflare_api_token_here
+
+# Subdomains for services
+API_SUBDOMAIN=api
+WEB_SUBDOMAIN=app
+AUTH_SUBDOMAIN=auth
+
+# Email for Let's Encrypt notifications (optional but recommended)
+# [email protected]

caddy2/.gitignore

@@ -0,0 +1,23 @@
+# Environment variables
+.env
+venv
+# Caddy data and config
+/data
+/config
+
+# Docker
+Dockerfile
+.dockerignore
+
+# IDE
+.vscode/
+.idea/
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db

caddy2/Makefile

@@ -0,0 +1,61 @@
+.PHONY: help up down restart logs status clean test test-setup
+
+# Default target when just 'make' is run
+help:
+	@echo "Available targets:"
+	@echo "  make up      - Start all services in detached mode"
+	@echo "  make down    - Stop and remove all containers"
+	@echo "  make restart - Restart all services"
+	@echo "  make logs    - View logs from all services"
+	@echo "  make status  - Show status of all containers"
+	@echo "  make clean   - Remove all containers, networks, and volumes"
+	@echo "  make test    - Run Ansible tests against the services"
+	@echo "  test-setup   - Set up the test environment"
+
+# Start all services in detached mode
+up:
+	@if [ ! -f .env ]; then \
+		echo "Creating .env file from .env.example"; \
+		cp .env.example .env; \
+		echo "Please edit .env with your configuration"; \
+		exit 1; \
+	fi
+	docker-compose up -d
+
+# Stop and remove all containers
+down:
+	docker-compose down
+
+# Restart all services
+restart: down up
+
+# View logs from all services
+logs:
+	docker-compose logs -f
+
+# Show status of all containers
+status:
+	docker-compose ps
+
+# Remove all containers, networks, and volumes
+clean:
+	docker-compose down -v --remove-orphans
+
+# Set up test environment
+test-setup:
+	python3 -m venv venv || true
+	. venv/bin/activate && \
+	pip install --upgrade pip && \
+	pip install -r requirements-ansible.txt
+
+# Run tests
+test:
+	./run_tests.sh
+
+# Create .env.example if it doesn't exist
+.env.example:
+	@echo "DOMAIN=example.com" > .env.example
+	@echo "CF_API_TOKEN=your_cloudflare_api_token" >> .env.example
+	@echo "API_SUBDOMAIN=api" >> .env.example
+	@echo "WEB_SUBDOMAIN=app" >> .env.example
+	@echo "AUTH_SUBDOMAIN=auth" >> .env.example

caddy2/README.md

@@ -0,0 +1,143 @@
+To integrate Caddy into your Docker Compose setup for dynamic subdomain routing without external configuration files, use the `caddy-docker-proxy` solution. This approach leverages Docker labels for service discovery and environment variables for global settings, eliminating the need for a standalone Caddyfile.
+
+### ✅ Key Features
+- **Zero external config files** (no Caddyfile)
+- **Automatic HTTPS via Let's Encrypt + Cloudflare DNS**
+- **Dynamic service discovery** (add/remove services via Docker labels)
+- **ARM64 compatible**
+- **Single Docker Compose file**
+
+---
+
+### 🧩 Docker Compose Configuration
+
+```yaml
+version: '3.8'
+
+networks:
+  app-network:
+    driver: bridge
+
+services:
+  # Caddy Reverse Proxy with Docker Integration
+  caddy:
+    image: lucaslorentz/caddy-docker-proxy:latest
+    environment:
+      - CADDY_DOCKER_PROXY_ACME_DNS=cloudflare ${CF_API_TOKEN}
+      - [email protected]
+      - DOMAIN=example.com
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - app-network
+
+  # Example Microservice 1: API Service
+  api:
+    image: your-api-image:latest
+    labels:
+      - caddy=${API_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 8080}}
+    networks:
+      - app-network
+
+  # Example Microservice 2: Web App
+  web:
+    image: your-web-app:latest
+    labels:
+      - caddy=${WEB_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 3000}}
+    networks:
+      - app-network
+
+  # Example Microservice 3: Auth Service
+  auth:
+    image: your-auth-service:latest
+    labels:
+      - caddy=${AUTH_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 4000}}
+    networks:
+      - app-network
+```
+
+---
+
+### 📁 Environment Variables (`.env` file)
+
+```env
+DOMAIN=example.com
+CF_API_TOKEN=your_cloudflare_api_token
+API_SUBDOMAIN=api
+WEB_SUBDOMAIN=app
+AUTH_SUBDOMAIN=auth
+```
+
+---
+
+### 🔐 How It Works
+
+- **Dynamic Configuration**: The `caddy-docker-proxy` image automatically detects containers with `caddy.*` labels.
+- **HTTPS Automation**: Uses Cloudflare DNS for Let's Encrypt challenges via the `CADDY_DOCKER_PROXY_ACME_DNS` environment variable.
+- **Service Discovery**: The `{{upstreams PORT}}` template routes traffic to the correct container based on exposed ports.
+
+---
+
+### 🧪 Adding New Services
+
+To deploy a new service (e.g., `dashboard`), simply add it to your Docker Compose with the appropriate labels:
+
+```yaml
+dashboard:
+  image: your-dashboard:latest
+  labels:
+    - caddy=dashboard.example.com
+    - caddy.reverse_proxy={{upstreams 8000}}
+  networks:
+    - app-network
+```
+
+No need to restart Caddy or edit any configuration files — it auto-reloads!
+
+---
+
+### 🛡️ Security Notes
+
+- **Docker Socket**: Mounting `/var/run/docker.sock` gives Caddy access to Docker events. Ensure your system is secured (e.g., restricted access to Docker).
+- **Cloudflare Token**: Use a **scoped token** with only DNS write permissions for `example.com`.
+
+---
+
+### 📦 Resource Usage
+
+- **Memory**: ~40–80MB baseline
+- **Performance**: Sufficient for most microservices (3,750+ req/s)
+- **ARM Compatibility**: Works on Raspberry Pi 3+ and newer ARM64 devices
+
+---
+
+### ✅ Why This Works
+
+- **No Caddyfile needed** — all config via environment variables and Docker labels.
+- **Fully declarative** — everything defined in `docker-compose.yml`.
+- **Scalable** — add new services with minimal effort.
+- **Secure** — automatic HTTPS via DNS-01 with Cloudflare.
+
+---
+
+### 🧼 Cleanup (Optional)
+
+If you want to reset SSL certificates or force Caddy to re-fetch config:
+
+```bash
+docker-compose down -v
+```
+
+This removes persistent data (e.g., certificates), and a fresh setup will occur on next `up`.
+
+---
+
+### 📌 Summary
+
+This solution offers the **best balance of simplicity, flexibility, and security** for microservices on resource-constrained systems. It avoids vendor lock-in (unlike Cloudflare Tunnels), keeps memory usage low (unlike Traefik), and provides **zero-config deployment** with full HTTPS automation.

caddy2/ansible_tests.yml

@@ -0,0 +1,50 @@
+---
+- name: Test Caddy reverse proxy services
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  vars_files:
+    - .env
+
+  tasks:
+    - name: Include test cases for each subdomain
+      include_tasks: test_services.yml
+      loop:
+        - { name: "api", port: 80, path: "/" }
+        - { name: "web", port: 80, path: "/" }
+        - { name: "auth", port: 80, path: "/" }
+      loop_control:
+        loop_var: service
+
+    - name: Test HTTPS redirect
+      uri:
+        url: "http://{{ DOMAIN }}"
+        method: GET
+        follow_redirects: none
+        status_code: 301, 302
+        timeout: 10
+      register: http_redirect
+      failed_when: false
+
+    - name: Verify HTTPS redirect
+      assert:
+        that:
+          - "'https://' in http_redirect.redirected_url"
+          - "http_redirect.redirected_url == 'https://' ~ DOMAIN ~ '/'"
+        fail_msg: "HTTPS redirect failed"
+
+    - name: Test HTTP/2 support
+      uri:
+        url: "https://{{ DOMAIN }}"
+        method: GET
+        validate_certs: no
+        timeout: 10
+      register: http2_test
+      failed_when: false
+
+    - name: Verify HTTP/2 support
+      assert:
+        that:
+          - "http2_test.status == 200"
+          - "'HTTP/2' in http2_test.msg"
+        fail_msg: "HTTP/2 not supported"

caddy2/docker-compose.yml

@@ -0,0 +1,55 @@
+version: '3.8'
+
+networks:
+  app-network:
+    driver: bridge
+
+services:
+  # Caddy Reverse Proxy with Docker Integration
+  caddy:
+    image: lucaslorentz/caddy-docker-proxy:latest
+    environment:
+      - CADDY_DOCKER_PROXY_ACME_DNS=cloudflare ${CF_API_TOKEN}
+      - CADDY_DOCKER_PROXY_ACME_EMAIL=admin@${DOMAIN}
+      - DOMAIN=${DOMAIN}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - caddy_data:/data
+      - caddy_config:/config
+    ports:
+      - "80:80"
+      - "443:443"
+    restart: unless-stopped
+    networks:
+      - app-network
+
+  # Example API Service
+  api:
+    image: nginx:alpine
+    labels:
+      - caddy=${API_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 80}}
+    networks:
+      - app-network
+
+  # Example Web App
+  web:
+    image: nginx:alpine
+    labels:
+      - caddy=${WEB_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 80}}
+    networks:
+      - app-network
+
+  # Example Auth Service
+  auth:
+    image: nginx:alpine
+    labels:
+      - caddy=${AUTH_SUBDOMAIN}.${DOMAIN}
+      - caddy.reverse_proxy={{upstreams 80}}
+    networks:
+      - app-network
+
+volumes:
+  caddy_data:
+  caddy_config:

caddy2/requirements-ansible.txt

@@ -0,0 +1,2 @@
+ansible>=2.9
+requests>=2.25.0

caddy2/run_tests.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+# Create virtual environment if it doesn't exist
+if [ ! -d "venv" ]; then
+    echo "Creating virtual environment..."
+    python3 -m venv venv
+    source venv/bin/activate
+    pip install --upgrade pip
+    pip install -r requirements-ansible.txt
+else
+    source venv/bin/activate
+fi
+
+# Run Ansible tests
+echo "Running Ansible tests..."
+ansible-playbook ansible_tests.yml -i "localhost," -c local -v
+
+# Check the result and exit with appropriate status
+if [ $? -eq 0 ]; then
+    echo "✅ All tests passed successfully!"
+    exit 0
+else
+    echo "❌ Some tests failed!"
+    exit 1
+fi