Caddy Webserver Config
Caddy 2 .well-known/assetlinks.json config for WeKan Android Play Store app
WeKan Snap Candidate, for any Snap distro: https://github.com/wekan/wekan/wiki/OpenSuse . When using Caddy 2, disable the old internal Caddy 1:
sudo snap set wekan caddy-enabled='false'
sudo snap set wekan port='3001'
sudo snap set wekan root-url='https://boards.example.com'
More info about root-url at https://github.com/wekan/wekan/wiki/Settings
The browser needs to have only one language: https://github.com/wekan/wekan/issues/4803#issuecomment-1374354425
Install Caddy 2 stable release: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
Like this:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt -y install caddy
Edit Caddyfile:
sudo nano /etc/caddy/Caddyfile
Example:
# Redirecting http to https
(redirect) {
    @http {
        protocol http
    }
    redir @http https://{host}{uri}
}

# WeKan board, proxy to localhost port, or IP-ADDRESS:PORT
boards.example.com {
    tls {
        load /var/snap/wekan/common/certs
        alpn http/1.1
    }
    reverse_proxy 127.0.0.1:3025
}

# Static website
example.com {
    tls {
        load /var/snap/wekan/common/certs
        alpn http/1.1
    }
    root * /var/websites/wekan.team
    file_server
}

# Files download directory browse website
files.example.com {
    root * /var/websites/ftp.secretchronicles.org/public
    file_server browse
}
Caddy commands list:
caddy help
Caddy OAuth2 with Let's Encrypt SSL example
Also works with other SSL certs.
Go to CloudFlare login/example.com/Crypto/Origin Certificates.
Create and download certs for *.example.com, example.com
sudo su
cd /var/snap/wekan/common
mkdir certs
cd certs
Create the file example.com.pem with the content of the CloudFlare Origin Certificates:
nano example.com.pem
Add the certs there:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Then Save: Ctrl-o Enter
Then Exit: Ctrl-x.
chmod 644 example.com.pem
sudo nano /var/snap/wekan/common/Caddyfile
Change the config there:
http://example.com https://example.com {
    tls {
        load /var/snap/wekan/common/certs
        alpn http/1.1
    }
    proxy / localhost:3001 {
        websocket
        transparent
    }
}
Save: Ctrl-o Enter
Exit: Ctrl-x
Enable Caddy:
sudo snap set wekan caddy-enabled='true'
sudo snap set wekan port='3001'
sudo snap set wekan root-url='https://example.com'
Click CloudFlare login/example.com/DNS.
Check that the status of your domains shows the orange cloud, so that traffic goes through CloudFlare SSL.
Click CloudFlare login/example.com/Page Rules. Set for example:
1) http://example.com/*
Always Use HTTPS
2) http://*.example.com/*
Always Use HTTPS
Optionally, if you want caching:
3) *example.com/*
Cache Level: Cache Everything
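The example.com.pem created above holds the private key together with the certificate, so its file mode decides which local users can read the key. The following is an added example, not part of the WeKan wiki: it lists key-bearing files in a certs directory and flags world-readable ones. It assumes GNU stat (as on Debian/Ubuntu); the function names are made up here and the sample file is constructed.

```sh
#!/bin/sh
# Added example: report files that contain a private key and show how far
# their read permission extends (owner only, group, or every local user).

# key_exposure FILE -> prints one of: no-key, owner-only, group, world
key_exposure() {
    # Only files that actually carry key material are of interest.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || { echo no-key; return 0; }
    ke_mode=$(stat -c '%a' "$1")        # octal mode, e.g. 644
    if   [ $(( 0$ke_mode & 004 )) -ne 0 ]; then echo world
    elif [ $(( 0$ke_mode & 040 )) -ne 0 ]; then echo group
    else echo owner-only
    fi
}

# audit_key_perms DIR -> one line per key file: exposure, owner:group mode, path.
# Returns 1 if at least one private key is world-readable, else 0.
audit_key_perms() {
    ak_rc=0
    for ak_file in "$1"/*; do
        [ -f "$ak_file" ] || continue
        ak_exp=$(key_exposure "$ak_file")
        if [ "$ak_exp" = no-key ]; then continue; fi
        printf '%s\t%s\t%s\n' "$ak_exp" "$(stat -c '%U:%G %a' "$ak_file")" "$ak_file"
        if [ "$ak_exp" = world ]; then ak_rc=1; fi
    done
    return "$ak_rc"
}

# Demo on a constructed directory (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
    '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_dir/example.com.pem"
chmod 644 "$demo_dir/example.com.pem"
if ! audit_key_perms "$demo_dir"; then
    echo "world-readable private key found"
fi
rm -rf "$demo_dir"
```

Run it as audit_key_perms /var/snap/wekan/common/certs. The key only needs to be readable by the user the web server runs as.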
List of Let's Encrypt implementations
Create directories for Caddy, the website and logs:
mkdir -p ~/caddy/example.com ~/caddy/logs
Add this config to ~/caddy/Caddyfile. It also includes some extra examples.
example.com {
    root /home/username/caddy/example.com
    # Static website, markdown or html
    ext .md .html
    proxy /wekan 127.0.0.1:3000 {
        websocket
    }
    log /home/username/caddy/logs/wekan-access.log {
        rotate {
            size 100 # Rotate after 100 MB
            age 7 # Keep log files for 7 days
            keep 52 # Keep at most 52 log files
        }
    }
    errors {
        log /home/username/caddy/logs/wekan-error.log {
            size 100 # Rotate after 100 MB
            age 7 # Keep log files for 7 days
            keep 52 # Keep at most 52 log files
        }
    }
}

example.com/files {
    root /home/username/files
    # View files in directory, has sorting in browser
    browse
}
Install Caddy. Change username to the user you run Caddy as, like in /home/username, and the Let's Encrypt email to your email address:
# Install caddy with some plugins
curl https://getcaddy.com | bash -s personal http.ipfilter,http.mailout,http.ratelimit,http.realip
sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy
Add this service file for Caddy to /etc/systemd/system/caddy@.service:
; see `man systemd.unit` for configuration details
; the man section also explains *specifiers* `%x`
[Unit]
Description=Caddy HTTP/2 web server %I
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target
Wants=systemd-networkd-wait-online.service
[Service]
; run user and group for caddy
User=username
Group=username
ExecStart=/home/username/caddy/caddy -conf=/home/username/caddy/Caddyfile -agree -email="admin@example.com"
Restart=on-failure
StartLimitInterval=86400
StartLimitBurst=5
RestartSec=10
ExecReload=/bin/kill -USR1 $MAINPID
; limit the number of file descriptors, see `man systemd.exec` for more limit settings
LimitNOFILE=1048576
LimitNPROC=64
; create a private temp folder that is not shared with other processes
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Start caddy and enable service:
sudo systemctl daemon-reload
sudo systemctl start caddy@username
sudo systemctl enable caddy@username