Table of Contents
This docker image is based on work from @lucaslorentz which I included the plugin Cloudflare.
This is only difference between this one and his image.
📔 If you need more details about how to use this image I will advise you to go to his GitHub and review the documentation.
It is useful if you are planning to use the reverse proxy from ™️ Caddy together with Let's Encrypt and Cloudflare DNS as a challenge.
The main purpose of creating this image is to have DNS challenge for wildcard domains.
I am using GitHub Actions where it will update weekly docker image and both plugins.
🔰 It will work on any Linux box amd64 or Raspberry Pi with arm64 or arm32.
You will need to have:
- 🐳 Docker
- 🐋 docker-compose
- Domain name -> you can get from Name Cheap
- Cloudflare DNS Zone
You will tell ™️ Caddy where it has to route traffic in docker network, as ™️ Caddy is ingress on this case.
⬇️ A simple docker-compose.yml:
version: "3.3"
services:
caddy:
container_name: caddy
image: homeall/caddy-reverse-proxy-cloudflare:latest
restart: unless-stopped
environment:
TZ: 'Europe/London'
volumes:
- "/var/run/docker.sock:/var/run/docker.sock" #### needs socket to read events
- "./caddy-data:/data" #### needs volume to back up certificates
ports:
- "80:80"
- "443:443"
labels: # Global options
caddy.email: email@example.com #### needs for acme CERT registration account
whoami0:
container_name: whoiam
image: jwilder/whoami:latest
hostname: TheDocker ############################----->>Expected result using curl
restart: unless-stopped
labels:
caddy: your.example.com #### needs for caddy to redirect traffic
# caddy.servers.protocols: "experimental_http3" #### For HTTP/3
# caddy.tls.ca: "https://acme.zerossl.com/v2/DV90" ### Only if you will prefer ZeroSSL. Default it is Let's Encypt.
caddy.reverse_proxy: "{{upstreams 8000}}" #### needs to tell caddy which port number should send traffic
caddy.tls.protocols: "tls1.3" #### This is optional. Default it is tls1.2
caddy.tls.ca: "https://acme-staging-v02.api.letsencrypt.org/directory" # Needs only for testing purpose. Remove this line after you finished your tests.
caddy.tls.dns: "cloudflare $API-TOKEN" #### You will have to replace here $API-TOKEN with your real scoped API token from Cloudflare.
Please get your scoped API-Token from here.
⬆️ Go on TOP ☝️
⬇️ Your can run the following command to see that is working:
$ curl --insecure -vvI https://test.ionut.vip 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: CN=test.ionut.vip ################################ CA from Let's Enctrypt Staging
* start date: Jan 5 15:15:00 2021 GMT
* expire date: Apr 5 15:15:00 2021 GMT
* issuer: CN=Fake LE Intermediate X1 ######################## This is telling you that acme is working as expected!
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc02180ec00)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
$ curl -k https://test.ionut.vip
I'm TheDocker################################### Expected result from hostname above
healthy word. This is telling you that docker is running healtcheck itself in order to make sure it is working properly.
⬇️ Please test yourself using the following command:
❯ docker inspect --format "{{json .State.Health }}" caddy | jq
{
"Status": "healthy",
"FailingStreak": 0,
"Log": [
{
"Start": "2021-01-04T11:10:49.2975799Z",
"End": "2021-01-04T11:10:49.3836437Z",
"ExitCode": 0,
"Output": ""
}
]
}
🗞️ Distributed under the MIT license. See LICENSE for more information.
🔴 Please free to open a ticket on Github.
- 🎉 @lucaslorentz 🏆
- 🎉 ™️ @Caddy 🥇 and its huge 🎖️ community ❗
- 🎉 dns.providers.cloudflare 🏅
⬆️ Go on TOP ☝️