Step-by-Step Guide to Configuring Caddy Reverse Proxy for Secure Web Applications
Caddy is a modern web server that simplifies the process of deploying applications with automatic HTTPS via Let's Encrypt. Using Caddy with Let's Encrypt enhances web application security by providing:
- Automatic SSL Certificates: Caddy automatically obtains and renews SSL certificates, ensuring your site is always secure without manual intervention.
- Easy Configuration: With a simple configuration file, Caddy makes it easy to set up secure HTTPS for your domains.
- HTTP/2 Support: Caddy supports HTTP/2 by default, improving performance and security through multiplexing and reduced latency.
- Robust Security Features: Built-in support for security best practices, including strong cipher suites and secure headers, helps protect your application from various attacks.
By leveraging Caddy and Let's Encrypt, you can focus on developing your application while ensuring a secure web experience for your users.
In this article I will explain how to set up Caddy as a reverse proxy and request a Let's Encrypt certificate for a web application running on an internal network.
Prerequisites
For this tutorial you need:
1- A DuckDns account. You can create an account easily and for free.
2- A Caddy web server built with DuckDns support. You can refer to my previous article for a detailed setup if needed.
3- Root access to a supported operating system. I will be using Ubuntu 22.04 LTS.
How to set up Caddy reverse proxy
Create a simple web app (for testing):
The fastest and easiest way is to just create a PHP or Python web server to serve a simple welcome page.
Create a directory then add an HTML index file:
mkdir webapp && echo "hello world" > webapp/index.html
I will be using the Python web server to host this page. As I am working on Ubuntu, I will install Python using:
sudo apt install python3
Now, navigate to the created directory and start the Python web server:
cd webapp && python3 -m http.server 5555
This will start a web server on 0.0.0.0:5555, that is, on all network interfaces. You can use any other port.
Finally, get your server IP using the ifconfig command and try to access the page. My server IP is 192.168.1.50
We successfully hosted a page, but as you will notice, it is served over plain HTTP and is not secure. It's time to configure Caddy as a reverse proxy and request an SSL certificate from Let's Encrypt.
Create DuckDns account
Go to the DuckDns website to create an account. They have a lot of options for signing up.
You need to get the token and add a new domain.
Type your domain and click on the add domain button. I used byteninja-test so the full domain will be byteninja-test.duckdns.org.
By default, the domain will be linked to your public IP. Just replace the public IP with your server IP and click on update ip.
Create Caddy configuration file
I will be adding the configuration file to /etc/caddy/. Create the directory with:
sudo mkdir /etc/caddy
Now add the config file. You can use any text editor for this:
sudo nano /etc/caddy/Caddyfile
byteninja-test.duckdns.org:443 {
    tls {
        dns duckdns YOUR_TOKEN_FROM_DUCKDNS_ACCOUNT_HERE
    }
    reverse_proxy localhost:5555
}
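This configures Caddy to serve byteninja-test.duckdns.org on port 443, which is the default HTTPS port, and to forward every request to the web app on localhost:5555. The dns duckdns line inside the tls block tells Caddy to use your DuckDns token to request the certificate. Note that Caddy reaches the app over localhost, so as long as the app listens on 0.0.0.0 it also stays reachable directly over plain HTTP on port 5555, bypassing the proxy.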
Install Caddy as a service
The final step is to make sure that Caddy starts when the system boots. I will create a service file for Caddy in the /etc/systemd/system/ directory:
sudo nano /etc/systemd/system/caddy.service
and add the following:
[Unit]
Description=Caddy service

[Service]
User=root
ExecStart=caddy run --config /etc/caddy/Caddyfile

[Install]
WantedBy=multi-user.target
Finally, enable and start the Caddy service:
sudo systemctl enable caddy.service && sudo systemctl start caddy.service
You can check the status by executing:
sudo systemctl status caddy.service
You should get something similar to:
● caddy.service - Caddy service
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-06-17 08:24:37 CEST; 6 days ago
   Main PID: 1704845 (caddy)
      Tasks: 13 (limit: 8755)
     Memory: 13.1M
        CPU: 1min 58.417s
     CGroup: /system.slice/caddy.service
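A least-privilege variant of the unit file above, as an added example that is not part of the original article: it replaces User=root with a dedicated account and keeps the DuckDns token out of the Caddyfile. The caddy account, its home /var/lib/caddy, the file /etc/caddy/duckdns.env and the variable name DUCKDNS_TOKEN are assumptions made for this example.

```ini
# /etc/systemd/system/caddy.service, least-privilege variant (added example).
#
# Assumed to exist beforehand (names are this example's assumptions):
#   1. A system account with its own home, where Caddy stores certificates:
#        sudo useradd --system --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin caddy
#   2. /etc/caddy/duckdns.env, owner root, mode 0600, containing one line:
#        DUCKDNS_TOKEN=YOUR_TOKEN_FROM_DUCKDNS_ACCOUNT_HERE
#   3. A Caddyfile that reads the token from the environment instead of
#      embedding it:
#        tls {
#            dns duckdns {env.DUCKDNS_TOKEN}
#        }

[Unit]
Description=Caddy service
After=network-online.target
Wants=network-online.target

[Service]
# Weak setting in the original unit: User=root
User=caddy

# systemd reads this file itself before starting the service,
# so it can stay readable by root only.
EnvironmentFile=/etc/caddy/duckdns.env

ExecStart=caddy run --config /etc/caddy/Caddyfile

# Binding to port 443 is the only privileged operation Caddy needs here.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Filesystem sandboxing: /usr, /boot and /etc become read-only, /home and
# /root are hidden, and the service gets a private /tmp.
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

After changing the unit, run sudo systemctl daemon-reload and restart the service; a compromise of the proxy process is then confined to the caddy account rather than root.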
Verify Let's Encrypt is working
At this point, you should be able to visit your domain and verify that you have an active certificate.
By simplifying certificate management, Caddy with Let's Encrypt ensures secure communication without the need for manual configuration, making it a convenient choice for enhanced website security.
FAQ: Setting Up a Reverse Proxy with Caddy
Q1: What is a reverse proxy?
A reverse proxy sits between client requests and your backend servers, forwarding requests and responses. It helps with load balancing, SSL termination, and improved security.
Q2: Can Caddy handle SSL automatically?
Yes! Caddy automatically provisions and renews SSL certificates using Let's Encrypt, making HTTPS setup seamless.
Q3: How do I enable HTTP/2?
Caddy enables HTTP/2 by default when using HTTPS, so no additional configuration is needed.
Q4: Can I use Caddy with other web servers?
Yes! Caddy can reverse proxy to any web server, such as Nginx, Apache, or Node.js applications.
Q5: How do I view Caddy logs?
Caddy provides access logs and error logs, which can be configured in the Caddyfile for monitoring and debugging.
If you have any more questions or need further assistance, feel free to ask!