
Usage: server setup

Keeyou edited this page Oct 19, 2024 · 11 revisions

Set up the forwardproxy caddy service

The following describes how to set up the naïve fork of the Caddy forwardproxy plugin.

Download here or build from source:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive

Example Caddyfile (replace user and pass accordingly):

{
  order forward_proxy before file_server
}
:443, example.com {
  tls me@example.com
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance
    acl {
      allow 172.31.255.2
    }
  }
  file_server {
    root /var/www/html
  }
}

:443 must appear first for this Caddyfile to work. See Caddyfile docs for customizing TLS certificates. For more advanced usage consider using JSON for Caddy 2's config.

Run with the Caddyfile:

sudo setcap cap_net_bind_service=+ep ./caddy
./caddy start
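Before starting the server it is worth checking the Caddyfile for the mistakes the text above warns about. The following is an added example, not code from the naiveproxy wiki or project: a small line-oriented walk over the Caddyfile blocks that verifies the `order` directive, that `:443` is the first site address, that `basic_auth` no longer carries the placeholder `user pass`, that `probe_resistance` is on, and that every `acl allow` entry is a literal IP or CIDR. It only understands the brace layout used in the example (block opens with a line-final `{`, closes with a lone `}`), which is an assumption about how the file is written.

```python
"""Sanity checks for a naiveproxy Caddyfile.

Added example, not part of the naiveproxy wiki or project: a small
line-oriented walk over Caddyfile blocks that catches the mistakes the
setup text warns about (directive order, :443 first, placeholder
credentials, probe_resistance missing, malformed acl entries).
"""
import ipaddress

# Constructed sample, copied from the page's example Caddyfile.
SAMPLE_CADDYFILE = """\
{
  order forward_proxy before file_server
}
:443, example.com {
  tls me@example.com
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance
    acl {
      allow 172.31.255.2
    }
  }
  file_server {
    root /var/www/html
  }
}
"""

# The credentials in the page's example are placeholders and must be replaced.
PLACEHOLDER_CREDENTIALS = {("user", "pass")}


def walk(text):
    """Yield (path, tokens) for every directive line.

    path is the tuple of enclosing block names: () at top level,
    ("{global}",) inside the global options block, ("site", ...) inside
    a site block. Nesting is tracked only by a line-final "{" and a lone
    "}" (assumption: the layout used in the page's example).
    """
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        opens = line.endswith("{")
        tokens = line[:-1].split() if opens else line.split()
        yield tuple(stack), tokens
        if opens:
            if not stack:
                stack.append("{global}" if not tokens else "site")
            else:
                stack.append(tokens[0])


def check_caddyfile(text):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    order_ok = False
    first_site = None
    has_forward_proxy = False
    fp_directives = set()
    creds = None
    acl_entries = []
    for path, tokens in walk(text):
        if not tokens:
            continue
        if path == ("{global}",) and tokens[0] == "order":
            order_ok = tokens[1:] == ["forward_proxy", "before", "file_server"]
        elif path == () and first_site is None:
            first_site = tokens[0].rstrip(",")  # first address of the first site block
        elif path == ("site",) and tokens[0] == "forward_proxy":
            has_forward_proxy = True
        elif path == ("site", "forward_proxy"):
            fp_directives.add(tokens[0])
            if tokens[0] == "basic_auth" and len(tokens) == 3:
                creds = (tokens[1], tokens[2])
        elif path == ("site", "forward_proxy", "acl") and tokens[0] == "allow":
            acl_entries.extend(tokens[1:])

    if not order_ok:
        problems.append("global options lack 'order forward_proxy before file_server'")
    if first_site != ":443":
        problems.append(f"first site address is {first_site!r}, expected ':443'")
    if not has_forward_proxy:
        problems.append("no forward_proxy block in the site")
    elif creds is None:
        problems.append("forward_proxy has no basic_auth: anyone could use the proxy")
    elif creds in PLACEHOLDER_CREDENTIALS:
        problems.append("basic_auth still uses the placeholder credentials user pass")
    if has_forward_proxy and "probe_resistance" not in fp_directives:
        problems.append("probe_resistance is not enabled")
    # Only literal addresses are validated here; a typo in an allow entry
    # silently changes who may use the proxy.
    for entry in acl_entries:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"acl allow entry {entry!r} is not an IP address or CIDR")
    return problems


if __name__ == "__main__":
    for problem in check_caddyfile(SAMPLE_CADDYFILE) or ["no problems found"]:
        print(problem)
```

Run against the page's example it reports exactly one problem, the placeholder credentials; once those are replaced the list is empty, and swapping the site addresses around reproduces the ":443 must appear first" condition.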

See also Systemd unit example and HAProxy setup.

Window sizes for large bandwidth

The window sizes should be tuned to the actual BDP = link speed * RTT. Example: assuming a 1 Gbps link with 256 ms RTT, the maximum window size is 32 MiB, which requires a 64 MiB maximum buffer size. Add to /etc/sysctl.d/99-network.conf (create if not available) or /etc/sysctl.conf (if present):

net.ipv4.tcp_rmem = 4096 131072 67108864
net.ipv4.tcp_wmem = 4096 131072 67108864

Reapplying sysctl rules after changes:

sudo systemctl restart systemd-sysctl.service

or

sudo sysctl -p

See also Performance-Tuning.

Use BBR congestion control

Add to /etc/sysctl.d/99-network.conf (create if not available) or /etc/sysctl.conf (if present):

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
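The buffer arithmetic in the window-size section and the BBR settings in this section are easy to get wrong by hand, so here is an added example (not from the naiveproxy wiki) that computes the tcp_rmem/tcp_wmem lines from any link speed and RTT, reproducing the page's 1 Gbps / 256 ms case (32 MiB window, 64 MiB buffer), and then checks a sysctl.conf-style text for both the buffer sizes and the BBR/fq lines. The first two values (4096 and 131072) are taken from the page; rounding the BDP up to a power of two and doubling it for the buffer are the conventions the page's numbers follow.

```python
"""Size TCP buffers from the bandwidth-delay product and check a sysctl file.

Added example, not from the naiveproxy wiki: it reproduces the page's
1 Gbps / 256 ms arithmetic (32 MiB window, 64 MiB buffer) for any link
and checks that a sysctl.conf-style text carries both the buffer sizes
and the BBR/fq settings from the two sections above.
"""

MIN_BUF = 4096        # the page's first tcp_rmem/tcp_wmem value
DEFAULT_BUF = 131072  # the page's second value


def bdp_bytes(link_mbps, rtt_ms):
    """Bandwidth-delay product: link speed in Mbit/s times RTT in ms, in bytes."""
    return int(link_mbps * 1_000_000 * rtt_ms / 1000 / 8)


def next_power_of_two(n):
    """Smallest power of two >= n (window sizes are conventionally rounded up)."""
    return 1 << (n - 1).bit_length()


def buffer_sizes(link_mbps, rtt_ms):
    """Return (max_window, max_buffer) in bytes.

    The kernel reserves part of each socket buffer for bookkeeping, so
    the buffer is sized at twice the window, matching the page's
    32 MiB window / 64 MiB buffer example.
    """
    window = next_power_of_two(bdp_bytes(link_mbps, rtt_ms))
    return window, 2 * window


def sysctl_lines(link_mbps, rtt_ms):
    """The tcp_rmem/tcp_wmem lines to put into /etc/sysctl.d/99-network.conf."""
    _, max_buf = buffer_sizes(link_mbps, rtt_ms)
    return [
        f"net.ipv4.tcp_rmem = {MIN_BUF} {DEFAULT_BUF} {max_buf}",
        f"net.ipv4.tcp_wmem = {MIN_BUF} {DEFAULT_BUF} {max_buf}",
    ]


def parse_sysctl(text):
    """Parse 'key = value' lines (spaces around '=' optional) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_sysctl(text, link_mbps, rtt_ms):
    """Report settings missing or too small for the given link; [] means OK."""
    _, max_buf = buffer_sizes(link_mbps, rtt_ms)
    settings = parse_sysctl(text)
    problems = []
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        value = settings.get(key)
        fields = value.split() if value else []
        if len(fields) != 3:
            problems.append(f"{key} is missing or malformed")
        elif int(fields[2]) < max_buf:
            problems.append(f"{key} max {fields[2]} is below the {max_buf} needed for this link")
    if settings.get("net.ipv4.tcp_congestion_control") != "bbr":
        problems.append("net.ipv4.tcp_congestion_control is not bbr")
    if settings.get("net.core.default_qdisc") != "fq":
        problems.append("net.core.default_qdisc is not fq")
    return problems


if __name__ == "__main__":
    print("\n".join(sysctl_lines(1000, 256)))
```

After applying the file with `sudo sysctl -p`, the same check can be run on the output of `sysctl net.ipv4.tcp_rmem net.ipv4.tcp_wmem net.ipv4.tcp_congestion_control net.core.default_qdisc`, since that prints the same `key = value` form; a BBR line that passes in the file but not in the live output usually means the `tcp_bbr` module is not loaded.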

Reapplying sysctl rules after changes:

sudo systemctl restart systemd-sysctl.service

or

sudo sysctl -p

See also Performance-Tuning.

ChatGPT-capable caddy server

Add to Caddyfile:

  route {
    forward_proxy {
...
      acl {
        allow 172.31.255.2
      }
...
    }
...
  }

Restart or reload the caddy service after configuration changes:

caddy reload
caddy restart

See also: unable to access ChatGPT through a naive node (the 172.31.255.2 proxy)

Post-quantum key agreement capable caddy server (WIP)

Build the latest caddy (>= 2.9.0) with Go >= 1.23.0:

$ go version # make sure you got Go 1.23 or later!
go version go1.23.0 darwin/arm64
$ go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
[ ... ]
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
$ CADDY_VERSION=v2.9.0-beta.2 ~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
[ ... ]
$ ./caddy version # PQ caddy ready to Go!

See also https://gist.github.com/bwesterb/2f7bfa7ae689de0d242b56ea3ecac424

To test the server's PQ capability (Kyber):

ninja bssl
./third_party/boringssl/src/bssl client -connect <domain_name>:443 -curves X25519Kyber768Draft00:X25519 -server-name <domain_name>

To test the server's PQ capability (ML-KEM and Kyber):

ninja bssl
./third_party/boringssl/src/bssl client -connect <domain_name>:443 -curves X25519MLKEM768:X25519Kyber768Draft00:X25519 -server-name <domain_name>
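The `-curves` list is the client's preference order; the server picks one group from it, so the test passes only if the group bssl reports back is one of the hybrid groups and not the classical `X25519` at the end of the list. The following added example (not from the naiveproxy wiki or BoringSSL) interprets that result for either of the two commands above. It assumes, as an assumption about bssl's output, that the handshake summary contains a line of the form `  ECDHE group: <name>`; the sample output in the block is constructed, not a real capture.

```python
"""Interpret the bssl client handshake summary for the PQ test above.

Added example, not from the naiveproxy wiki or BoringSSL: given the
text bssl prints after connecting and the -curves list that was
offered, say whether the server picked a post-quantum hybrid group or
fell back to classical X25519. It assumes (assumption) that bssl's
summary carries a line of the form "  ECDHE group: <name>"; the sample
output below is constructed, not a real capture.
"""

# The hybrid groups the page's two commands offer (draft Kyber and final ML-KEM names).
PQ_HYBRID_GROUPS = {"X25519Kyber768Draft00", "X25519MLKEM768"}

# Constructed sample of a handshake summary (the format is an assumption).
SAMPLE_OUTPUT = """\
Connecting to 192.0.2.10:443
  Version: TLSv1.3
  Resumed session: no
  Cipher: TLS_AES_128_GCM_SHA256
  ECDHE group: X25519MLKEM768
  Secure renegotiation: yes
"""


def offered_groups(curves_arg):
    """Split the -curves value into the client's preference-ordered list."""
    return [g for g in curves_arg.split(":") if g]


def negotiated_group(bssl_output):
    """Return the group named on the 'ECDHE group:' line, or None if absent."""
    for line in bssl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "ECDHE group":
            return value.strip()
    return None


def pq_verdict(bssl_output, curves_arg):
    """Classify the result as ('pq' | 'classical' | 'unexpected' | 'unknown', group)."""
    group = negotiated_group(bssl_output)
    offered = offered_groups(curves_arg)
    if group is None:
        return "unknown", None          # handshake failed or output format differs
    if group not in offered:
        return "unexpected", group      # server chose a group the client did not offer
    if group in PQ_HYBRID_GROUPS:
        return "pq", group              # post-quantum hybrid key agreement in use
    return "classical", group           # fallback: PQ support missing or disabled on the server


if __name__ == "__main__":
    print(pq_verdict(SAMPLE_OUTPUT, "X25519MLKEM768:X25519Kyber768Draft00:X25519"))
```

A "classical" verdict with the ML-KEM-and-Kyber command means the server negotiated neither hybrid group, which is what an older caddy build or an older Go toolchain produces; rebuilding per the version requirements above is the fix.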


See also https://blog.cloudflare.com/post-quantum-to-origins/#quick-start