This document walks through setting up HTTPS for pgrokd using Caddy as the reverse proxy on your server, and Cloudflare as the DNS provider.
There are two approaches to setting up HTTPS, with different levels of security and corresponding trade-offs. Both approaches offer HTTPS to the end user's browser; the main difference is whether the traffic between Cloudflare and your server is encrypted or not.
> [!NOTE]
> All values used in this document are just examples, substitute based on your setup.
First of all, there are some common steps:
- Add the following DNS records for your domain name:
  - `A` record for `example.com` to `111.33.5.14` (with DNS only)
    > [!IMPORTANT]
    > Do not proxy the main domain (`example.com`) because Cloudflare-proxied traffic does not work with SSH connections.
  - `A` record for `*.example.com` to `111.33.5.14` (with Proxied)
- Set up the server with the single binary, Docker or Docker Compose.
- Alter your network security policy (if applicable) to allow inbound requests to port `2222` from `0.0.0.0/0` (anywhere).
This approach does not encrypt the traffic between Cloudflare and your server: Cloudflare terminates TLS for the browser and connects to your origin over plain HTTP. It is easier to set up but less secure.
Download and install Caddy 2 on your server, and use the following Caddyfile config:
```
example.com {
    reverse_proxy * localhost:3320
}

# Wildcard subdomains are served over plain HTTP (port 80), so the
# Cloudflare-to-origin hop is unencrypted.
http://*.example.com {
    reverse_proxy * localhost:3000
}
```
That's it!
This approach encrypts the traffic between Cloudflare and your server, making it more secure.
To generate a wildcard certificate you will need to use the DNS-01 challenge type, which requires a supported DNS provider (e.g. Cloudflare).

Here comes the cumbersome part: the default build of Caddy does not contain any DNS modules (including when you install it from the system package managers). These need to be added to your download from caddyserver.com or built manually using the xcaddy tool; here is the link to include the Cloudflare DNS module on the download page.

Create a Cloudflare API token from your Cloudflare account page (a scoped token that can read your zone and edit its DNS records, rather than the Global API Key) and set it as the environment variable `CLOUDFLARE_API_TOKEN`.
Then, use the following Caddyfile config:
```
example.com {
    reverse_proxy * localhost:3320
}

# Wildcard certificate obtained via the Cloudflare DNS-01 challenge;
# the token is read from the environment, not stored in this file.
*.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    reverse_proxy * localhost:3000
}
```
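As an added example, not part of pgrokd or Caddy, the following Python script tells the two approaches on this page apart by inspecting a Caddyfile. It parses the site blocks and reports, for each one, whether the address is plain `http://` (so the Cloudflare-to-origin hop is unencrypted), whether a wildcard site has the `tls { dns ... }` directive the DNS-01 challenge needs, and whether the DNS provider credential is an `{env.*}` placeholder rather than a literal in the file. The first two sample Caddyfiles are the ones shown above; the third (with a literal token) and all function names are constructed for this example.

```python
"""Caddyfile checker for the HTTPS setups described on this page.

Added example: the parser and checks are assumptions of this example, not
pgrokd's or Caddy's own code. It relies on Caddyfile formatting rules that
Caddy itself enforces: an opening brace is the last token on its line and a
closing brace stands alone on its line.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Sample 1: the "Cloudflare to origin unencrypted" config from this page.
FLEXIBLE_CADDYFILE = """\
example.com {
    reverse_proxy * localhost:3320
}
http://*.example.com {
    reverse_proxy * localhost:3000
}
"""

# Sample 2: the "encrypted to origin, wildcard cert via DNS-01" config.
STRICT_CADDYFILE = """\
example.com {
    reverse_proxy * localhost:3320
}
*.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    reverse_proxy * localhost:3000
}
"""

# Sample 3 (constructed): same as sample 2 but with the credential pasted
# into the file. The value is an obvious placeholder, not a real token.
LITERAL_TOKEN_CADDYFILE = STRICT_CADDYFILE.replace(
    "{env.CLOUDFLARE_API_TOKEN}", "PLACEHOLDER_LITERAL_TOKEN"
)

PLAIN_HTTP = "site served over plain HTTP: Cloudflare-to-origin traffic is unencrypted"
MISSING_DNS_CHALLENGE = "wildcard site without `tls { dns ... }`: DNS-01 challenge not configured"
LITERAL_SECRET = "DNS provider credential is a literal in the Caddyfile; use an {env.*} placeholder"


@dataclass
class SiteBlock:
    address: str
    body: list[str]  # directive lines inside the block, comments stripped

    @property
    def is_plain_http(self) -> bool:
        return self.address.startswith("http://")

    @property
    def is_wildcard(self) -> bool:
        return self.address.split("://")[-1].startswith("*.")

    def dns_directive(self) -> Optional[str]:
        """Return the `dns ...` line inside a `tls { }` sub-block, if any."""
        in_tls = False
        for line in self.body:
            s = line.strip()
            if s.startswith("tls") and s.endswith("{"):
                in_tls = True
            elif in_tls and s == "}":
                in_tls = False
            elif in_tls and s.split()[0] == "dns":
                return s
        return None


def parse_site_blocks(text: str) -> list[SiteBlock]:
    """Split a Caddyfile into top-level site blocks using brace depth."""
    blocks: list[SiteBlock] = []
    depth, address, body = 0, "", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if depth == 0:
            if not line.endswith("{"):
                raise ValueError(f"expected a site block, got: {line!r}")
            address, depth, body = line[:-1].strip(), 1, []
            continue
        if line.strip() == "}":
            depth -= 1
            if depth == 0:
                blocks.append(SiteBlock(address, body))
                continue
        elif line.endswith("{"):
            depth += 1
        body.append(line)
    if depth != 0:
        raise ValueError("unbalanced braces in Caddyfile")
    return blocks


def check(text: str) -> dict[str, list[str]]:
    """Return {site address: [findings]} for every site block in the file."""
    report: dict[str, list[str]] = {}
    for blk in parse_site_blocks(text):
        findings: list[str] = []
        dns = blk.dns_directive()
        if blk.is_plain_http:
            findings.append(PLAIN_HTTP)
        elif blk.is_wildcard and dns is None:
            findings.append(MISSING_DNS_CHALLENGE)
        if dns is not None and "{env." not in dns:
            findings.append(LITERAL_SECRET)
        report[blk.address] = findings
    return report


if __name__ == "__main__":
    for name, sample in [("flexible", FLEXIBLE_CADDYFILE),
                         ("strict", STRICT_CADDYFILE),
                         ("literal-token", LITERAL_TOKEN_CADDYFILE)]:
        print(f"== {name} ==")
        for address, findings in check(sample).items():
            print(f"{address}: {findings or 'ok'}")
```

Run it against your own Caddyfile by replacing the sample strings with `open(path).read()`; a wildcard block that reports `ok` is in the encrypted-to-origin configuration this section describes.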
Credits:
- Wildcard Certificates in Caddy Server
- Configuring Caddy with Wildcard Subdomains through DigitalOcean DNS