ab80ff4fd2
This commits dds 3 separate, but very related features: 1. Automated server identity management How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it). Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs. This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below). 2. Remote administration over secure connection This feature adds generic remote admin functionality that is safe to expose on a public interface. - The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint. - It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS. - TLS cannot be disabled on this endpoint. - TLS mutual auth is required, and cannot be disabled. - The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded. - The TLS server takes care of verifying the client. - The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\ - Sensible defaults are still WIP. - Config fields subject to change/renaming. 3. Dyanmic config loading at startup Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR. Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense). This PR comes with a standard config loader module called `caddy.config_loaders.http`. Caddyfile config for all of this can probably be added later. COMMITS: * admin: Secure socket for remote management Functional, but still WIP. Optional secure socket for the admin endpoint is designed for remote management, i.e. to be exposed on a public port. It enforces TLS mutual authentication which cannot be disabled. The default port for this is :2021. The server certificate cannot be specified manually, it MUST be obtained from a certificate issuer (i.e. ACME). More polish and sensible defaults are still in development. Also cleaned up and consolidated the code related to quitting the process. * Happy lint * Implement dynamic config loading; HTTP config loader module This allows Caddy to load a dynamic config when it starts. Dynamically-loaded configs are intentionally not persisted to storage. Includes an implementation of the standard config loader, HTTPLoader. Can be used to download configs over HTTP(S). * Refactor and cleanup; prevent recursive config pulls Identity management is now separated from remote administration. There is no need to enable remote administration if all you want is identity management, but you will need to configure identity management if you want remote administration. * Fix lint warnings * Rename identities->identifiers for consistency |
||
---|---|---|
.github | ||
caddyconfig | ||
caddytest | ||
cmd | ||
modules | ||
.gitignore | ||
.golangci.yml | ||
.goreleaser.yml | ||
admin_test.go | ||
admin.go | ||
AUTHORS | ||
caddy_test.go | ||
caddy.go | ||
context_test.go | ||
context.go | ||
go.mod | ||
go.sum | ||
LICENSE | ||
listeners_fuzz.go | ||
listeners_test.go | ||
listeners.go | ||
logging.go | ||
metrics.go | ||
modules_test.go | ||
modules.go | ||
README.md | ||
replacer_fuzz.go | ||
replacer_test.go | ||
replacer.go | ||
sigtrap_nonposix.go | ||
sigtrap_posix.go | ||
sigtrap.go | ||
storage.go | ||
usagepool.go |
a project
Every site on HTTPS
Caddy is an extensible server platform that uses TLS by default.
Releases · Documentation · Get Help
Menu
Features
- Easy configuration with the Caddyfile
- Powerful configuration with its native JSON config
- Dynamic configuration with the JSON API
- Config adapters if you don't like JSON
- Automatic HTTPS by default
- ZeroSSL and Let's Encrypt for public names
- Fully-managed local CA for internal names & IPs
- Can coordinate with other Caddy instances in a cluster
- Multi-issuer fallback
- Stays up when other servers go down due to TLS/OCSP/certificate-related issues
- Production-ready after serving trillions of requests and managing millions of TLS certificates
- Scales to tens of thousands of sites ... and probably more
- HTTP/1.1, HTTP/2, and experimental HTTP/3 support
- Highly extensible modular architecture lets Caddy do anything without bloat
- Runs anywhere with no external dependencies (not even libc)
- Written in Go, a language with higher memory safety guarantees than other servers
- Actually fun to use
- So, so much more to discover
Install
The simplest, cross-platform way is to download from GitHub Releases and place the executable file in your PATH.
For other install options, see https://caddyserver.com/docs/download.
Build from source
Requirements:
For development
Note: These steps will not embed proper version information. For that, please follow the instructions in the next section.
$ git clone "https://github.com/caddyserver/caddy.git"
$ cd caddy/cmd/caddy/
$ go build
When you run Caddy, it may try to bind to low ports unless otherwise specified in your config. If your OS requires elevated privileges for this, you will need to give your new binary permission to do so. On Linux, this can be done easily with: sudo setcap cap_net_bind_service=+ep ./caddy
If you prefer to use go run
which creates temporary binaries, you can still do this. Make an executable file called setcap.sh
(or whatever you want) with these contents:
#!/bin/sh
sudo setcap cap_net_bind_service=+ep "$1"
"$@"
then you can use go run
like so:
$ go run -exec ./setcap.sh main.go
If you don't want to type your password for setcap
, use sudo visudo
to edit your sudoers file and allow your user account to run that command without a password, for example:
username ALL=(ALL:ALL) NOPASSWD: /usr/sbin/setcap
replacing username
with your actual username. Please be careful and only do this if you know what you are doing! We are only qualified to document how to use Caddy, not Go tooling or your computer, and we are providing these instructions for convenience only; please learn how to use your own computer at your own risk and make any needful adjustments.
With version information and/or plugins
Using our builder tool, xcaddy
...
$ xcaddy build
...the following steps are automated:
- Create a new folder:
mkdir caddy
- Change into it:
cd caddy
- Copy Caddy's main.go into the empty folder. Add imports for any custom plugins you want to add.
- Initialize a Go module:
go mod init caddy
- (Optional) Pin Caddy version:
go get github.com/caddyserver/caddy/v2@version
replacingversion
with a git tag, commit, or branch name. - (Optional) Add plugins by adding their import:
_ "import/path/here"
- Compile:
go build
Quick start
The Caddy website has documentation that includes tutorials, quick-start guides, reference, and more.
We recommend that all users -- regardless of experience level -- do our Getting Started guide to become familiar with using Caddy.
If you've only got a minute, the website has several quick-start tutorials to choose from! However, after finishing a quick-start tutorial, please read more documentation to understand how the software works. 🙂
Overview
Caddy is most often used as an HTTPS server, but it is suitable for any long-running Go program. First and foremost, it is a platform to run Go applications. Caddy "apps" are just Go programs that are implemented as Caddy modules. Two apps -- tls
and http
-- ship standard with Caddy.
Caddy apps instantly benefit from automated documentation, graceful on-line config changes via API, and unification with other Caddy apps.
Although JSON is Caddy's native config language, Caddy can accept input from config adapters which can essentially convert any config format of your choice into JSON: Caddyfile, JSON 5, YAML, TOML, NGINX config, and more.
The primary way to configure Caddy is through its API, but if you prefer config files, the command-line interface supports those too.
Caddy exposes an unprecedented level of control compared to any web server in existence. In Caddy, you are usually setting the actual values of the initialized types in memory that power everything from your HTTP handlers and TLS handshakes to your storage medium. Caddy is also ridiculously extensible, with a powerful plugin system that makes vast improvements over other web servers.
To wield the power of this design, you need to know how the config document is structured. Please see our documentation site for details about Caddy's config structure.
Nearly all of Caddy's configuration is contained in a single config document, rather than being scattered across CLI flags and env variables and a configuration file as with other web servers. This makes managing your server config more straightforward and reduces hidden variables/factors.
Full documentation
Our website has complete documentation:
The docs are also open source. You can contribute to them here: https://github.com/caddyserver/website
Getting help
-
We strongly recommend that all professionals or companies using Caddy get a support contract through Ardan Labs before help is needed.
-
A sponsorship goes a long way! If Caddy is benefitting your company, please consider a sponsorship! This not only helps fund full-time work to ensure the longevity of the project, it's also a great look for your company to your customers and potential customers!
-
Individuals can exchange help for free on our community forum at https://caddy.community. Remember that people give help out of their spare time and good will. The best way to get help is to give it first!
Please use our issue tracker only for bug reports and feature requests, i.e. actionable development items (support questions will usually be referred to the forums).
About
The name "Caddy" is trademarked. The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". Caddy is a registered trademark of Stack Holdings GmbH.
- Project on Twitter: @caddyserver
- Author on Twitter: @mholt6
Caddy is a project of ZeroSSL, a Stack Holdings company.
Debian package repository hosting is graciously provided by Cloudsmith. Cloudsmith is the only fully hosted, cloud-native, universal package management solution, that enables your organization to create, store and share packages in any format, to any place, with total confidence.