caddy multiservice with caddy embedded on docker

Author: Tom Softreck

caddy-demo/1-caddyfile/README.md

@@ -66,4 +66,4 @@ This project demonstrates a simple static website served by Caddy using a Caddyf
 
 ## License
 
-MIT
+Apache 2

caddy-demo/2-docker-labels/README.md

@@ -90,4 +90,4 @@ If ports 80/443 are in use:
 
 ## License
 
-MIT
+Apache 2

caddy-demo/README.md

@@ -115,4 +115,4 @@ If you get port conflicts (80 or 443 already in use):
 
 ## License
 
-MIT
+Apache 2

caddy2/.env.example

@@ -1,16 +1,92 @@
-# Domain configuration
+# ============================================
+# Caddy Reverse Proxy Configuration
+# ============================================
+
+# --------------------------------
+# Domain & Network Configuration
+# --------------------------------
+# Base domain for all services
 DOMAIN=lvh.me
 
+# Ports to expose (set to empty to disable HTTP)
+HTTP_PORT=80
+HTTPS_PORT=443
+
+# Docker network configuration
+NETWORK_NAME=caddy_network
+NETWORK_DRIVER=bridge
+
+# --------------------------------
+# Service Configuration
+# --------------------------------
+# API Service
+API_SUBDOMAIN=api
+API_PORT=8080
+
+# Web Application
+WEB_SUBDOMAIN=app
+WEB_PORT=8081
+
+# Authentication Service
+AUTH_SUBDOMAIN=auth
+AUTH_PORT=8082
+
+# --------------------------------
+# SSL/TLS Configuration
+# --------------------------------
+# Set to 'true' to disable HTTPS (not recommended)
+DISABLE_HTTPS=false
+
+# Set to 'true' to use Let's Encrypt staging (avoids rate limits)
+STAGING=false
+
+# Email for Let's Encrypt notifications
+EMAIL=[email protected]
 
 # Cloudflare API Token (required for DNS-01 challenge)
 # Create one at: https://dash.cloudflare.com/profile/api-tokens
 # Required permissions: Zone.Zone:Read, Zone.DNS:Edit
 CF_API_TOKEN=your_cloudflare_api_token_here
 
-# Subdomains for services
-API_SUBDOMAIN=api
-WEB_SUBDOMAIN=app
-AUTH_SUBDOMAIN=auth
+# --------------------------------
+# Container Configuration
+# --------------------------------
+# Caddy version
+CADDY_IMAGE=lucaslorentz/caddy-docker-proxy:latest
+
+# Resource limits
+CADDY_CPUS=1
+CADDY_MEMORY=512M
+
+# --------------------------------
+# Logging & Monitoring
+# --------------------------------
+# Log level (debug, info, warn, error, panic, fatal)
+LOG_LEVEL=info
+
+# Enable/disable access logs
+ENABLE_ACCESS_LOGS=true
+
+# --------------------------------
+# Security
+# --------------------------------
+# Basic Auth (username:hashed_password)
+# Generate with: caddy hash-password --plaintext 'yourpassword'
+# BASIC_AUTH_USER=admin
+# BASIC_AUTH_HASH=your_hashed_password_here
+
+# IP Whitelist (comma-separated)
+# ALLOWED_IPS=192.168.1.0/24,10.0.0.1
+
+# --------------------------------
+# Development Settings
+# --------------------------------
+# Set to 'true' to enable development mode (disables some security features)
+DEV_MODE=false
+
+# Additional domains for development
+EXTRA_DOMAINS=test.local,*.test.local
 
-# Email for Let's Encrypt notifications (optional but recommended)
-# [email protected]
+# ============================================
+# End of Configuration
+# ============================================

caddy2/Caddyfile

@@ -1,34 +1,143 @@
+# Global settings
 {
-    debug
-}
+    # Log level from environment variable
+    log {
+        level {env.LOG_LEVEL}
+        output file /var/log/caddy/access.log {
+            roll_size 10MiB
+            roll_keep 5
+            roll_keep_for 24h
+        }
+    }
 
-:80 {
-    redir https://{host}{uri} permanent
+    # Enable the admin API endpoint
+    admin off
+    
+    # Enable automatic HTTPS
+    auto_https disable_redirects
+    email {env.EMAIL}
+    
+    # Enable the HTTP/3
+    servers {
+        protocol {
+            experimental_http3
+        }
+    }
 }
 
-:443 {
-    tls /etc/caddy/certs/localhost.crt /etc/caddy/certs/localhost.key
+# Redirect HTTP to HTTPS if not disabled
+{env.HTTP_PORT}:{
+    @http {
+        protocol http
+    }
+    redir @http https://{host}{uri} permanent
+}
 
+# Main HTTPS server
+{env.HTTPS_PORT}:{
+    # TLS configuration
+    tls {
+        issuer acme {
+            email {env.EMAIL}
+            dns cloudflare {env.CF_API_TOKEN}
+            resolvers 1.1.1.1
+        }
+        
+        # Use staging for testing to avoid rate limits
+        {$STAGING}
+        
+        # Use local certificates in development
+        {$DEV_MODE} {
+            issuer self_signed
+        }
+    }
+    
+    # Security headers
+    header {
+        # Enable HSTS (1 year)
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        
+        # Prevent clickjacking
+        X-Frame-Options "DENY"
+        
+        # Enable XSS protection
+        X-XSS-Protection "1; mode=block"
+        
+        # Prevent MIME type sniffing
+        X-Content-Type-Options "nosniff"
+        
+        # Referrer policy
+        Referrer-Policy "strict-origin-when-cross-origin"
+        
+        # Content Security Policy
+        # Modify this according to your application's needs
+        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'"
+        
+        # Remove server header
+        -Server
+    }
+    
+    # Logging
+    log {
+        output file /var/log/caddy/access.log {
+            roll_size 10MiB
+            roll_keep 5
+            roll_keep_for 24h
+        }
+    }
+    
     # API service
-    @api host api.lvh.me
+    @api {
+        host api.{env.DOMAIN}
+    }
     handle @api {
-        reverse_proxy api:80
+        reverse_proxy api:${API_PORT}
+        
+        # Rate limiting
+        @login {
+            path /login
+            method POST
+        }
+        
+        route @login {
+            rate_limit 10/1m 50
+            reverse_proxy api:${API_PORT}
+        }
+    }
+    
+    # Web application
+    @web {
+        host app.{env.DOMAIN}
     }
-
-    # Web service
-    @web host app.lvh.me
     handle @web {
-        reverse_proxy web:80
+        root * /srv
+        file_server browse
+        try_files {path} /index.html
+    }
+    
+    # Authentication service
+    @auth {
+        host auth.{env.DOMAIN}
     }
-
-    # Auth service
-    @auth host auth.lvh.me
     handle @auth {
-        reverse_proxy auth:80
+        reverse_proxy auth:${AUTH_PORT}
+    }
+    
+    # Default response for undefined hosts
+    @notfound {
+        not host {env.DOMAIN} {env.API_SUBDOMAIN}.{env.DOMAIN} {env.WEB_SUBDOMAIN}.{env.DOMAIN} {env.AUTH_SUBDOMAIN}.{env.DOMAIN}
     }
+    respond @notfound "Service not found" 404
+    
+    # Health check endpoint
+    handle /healthz {
+        respond "OK" 200
+    }
+}
 
-    # Domyślna odpowiedź
-    handle {
-        respond "Nie znaleziono serwisu dla {host}" 404
+# Debug endpoint (only in development)
+{$DEV_MODE} {
+    handle /debug/* {
+        respond "Debug information" 200
     }
 }