Secure Your Web Apps with Caddy Reverse Proxy and Let's Encrypt Setup


Step-by-Step Guide to Configuring Caddy Reverse Proxy for Secure Web Applications

Caddy is a modern web server that simplifies the process of deploying applications with automatic HTTPS via Let's Encrypt. Using Caddy with Let's Encrypt enhances web application security by providing:

  1. Automatic SSL Certificates: Caddy automatically obtains and renews SSL certificates, ensuring your site is always secure without manual intervention.
  2. Easy Configuration: With a simple configuration file, Caddy makes it easy to set up secure HTTPS for your domains.
  3. HTTP/2 Support: Caddy supports HTTP/2 by default, improving performance and security through multiplexing and reduced latency.
  4. Robust Security Features: Built-in support for security best practices, including strong cipher suites and secure headers, helps protect your application from various attacks.

By leveraging Caddy and Let's Encrypt, you can focus on developing your application while ensuring a secure web experience for your users.

In this article I will explain how to set up Caddy as a reverse proxy and request a Let's Encrypt certificate for a web application running on your internal network.

Automatic HTTPS - Caddy Documentation

Prerequisites

For this tutorial you need:

1- A DuckDNS account. You can create one easily and for free.

2- A Caddy web server built with the DuckDNS module. You can refer to my previous article for a detailed setup if needed.

How to build caddy DuckDns on ubuntu 22.04 TLS

3- Root access to a supported operating system. I will be using Ubuntu 22.04 LTS.

How to set up Caddy as a reverse proxy

Create a simple web app (for testing):

💡 You can skip this step if you already have a running web application.

The fastest and easiest way is to start a PHP or Python web server that serves a simple welcome page.

Create a directory then add an HTML index file:

mkdir webapp && echo "hello world" > webapp/index.html 

I will be using the Python web server to host this page. Since I am working on Ubuntu, I will install Python with:

sudo apt install python3

Now, navigate to the created directory and start the Python web server:

cd webapp && python3 -m http.server 5555

This will start a web server listening on 0.0.0.0:5555. You can use any other port.

Finally, get your server IP using the ifconfig command and try to access the page at http://<server-ip>:5555. My server IP is 192.168.1.50.

We successfully hosted a page, but as you will notice it is served over plain HTTP, not HTTPS. It's time to configure Caddy as a reverse proxy and request an SSL certificate from Let's Encrypt.

Create a DuckDNS account

Go to the DuckDNS website to create an account. They offer several sign-in options.


You need to copy your token and add a new domain.

Type your domain and click on the add domain button. I used byteninja-test so the full domain will be byteninja-test.duckdns.org.

By default, the domain will be linked to your public IP. Replace the public IP with your internal server IP and click on update ip.

Create the Caddy configuration file

I will be adding the configuration file to /etc/caddy/. Create the directory with:

sudo mkdir /etc/caddy

Now add the config file. You can use any text editor for this:

sudo nano /etc/caddy/Caddyfile

and add the following:

byteninja-test.duckdns.org:443 {
    tls {
        dns duckdns YOUR_TOKEN_FROM_DUCKDNS_ACCOUNT_HERE
    }
    reverse_proxy localhost:5555
}

This configures Caddy as a reverse proxy for byteninja-test.duckdns.org on port 443, the default HTTPS port, forwarding every request to the web app on port 5555. The tls block tells Caddy to obtain the certificate through the DNS challenge, proving ownership of the domain by creating a DNS record via the DuckDNS API, so the server does not need to be reachable from the internet on ports 80 or 443.
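A hardened version of the same Caddyfile, added here as an example rather than taken from the article: it keeps the DuckDNS token out of the file by reading it from the environment, adds response headers and an access log, and only accepts clients from the LAN (the 192.168.1.0/24 range is assumed from the server address used above; the log path and header values are choices, not Caddy defaults).

```caddyfile
# Added example, not the article's Caddyfile. Assumes the DUCKDNS_TOKEN
# variable is exported to the Caddy process and that /var/log/caddy exists.
byteninja-test.duckdns.org {
    tls {
        # DNS challenge via DuckDNS; the token never sits in this file
        dns duckdns {env.DUCKDNS_TOKEN}
    }

    # Assumed LAN range: refuse connections that do not originate from it
    @outside not remote_ip 192.168.1.0/24
    abort @outside

    header {
        # Ask browsers to use HTTPS only for this host for one year
        Strict-Transport-Security "max-age=31536000"
        # Stop MIME sniffing and framing by other sites
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        # Remove the "Server: Caddy" header Caddy adds by default
        -Server
    }

    # Access log for monitoring; rotate so the disk does not fill up
    log {
        output file /var/log/caddy/access.log {
            roll_size 10mb
            roll_keep 5
        }
    }

    encode gzip
    reverse_proxy localhost:5555
}
```

With {env.DUCKDNS_TOKEN} the token has to reach the Caddy process, for example through an EnvironmentFile= line in the systemd unit pointing at a root-only file, and the log directory must be writable by the service user.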

Install Caddy as a service

The final step is to make sure that Caddy starts when the system boots. I will create a service file for Caddy in the /etc/systemd/system/ directory:

sudo nano /etc/systemd/system/caddy.service

and add the following:

[Unit]
Description=Caddy service
# Wait for the network so the DNS challenge and the upstream app are reachable
After=network-online.target
Wants=network-online.target

[Service]
# Running as root is the simplest setup; the official Caddy unit uses a
# dedicated unprivileged "caddy" user, which is preferable in production
User=root
# systemd resolves a bare name via its default search path (e.g. /usr/local/bin);
# use the absolute path if the caddy binary lives elsewhere
ExecStart=caddy run --config /etc/caddy/Caddyfile
ExecReload=caddy reload --config /etc/caddy/Caddyfile
Restart=on-failure

[Install]
WantedBy=multi-user.target

Finally, enable and start the Caddy service:

sudo systemctl enable caddy.service && sudo systemctl start caddy.service

You can check the status by executing:

sudo systemctl status caddy.service

You should get something similar to:

● caddy.service - Caddy service
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-06-17 08:24:37 CEST; 6 days ago
   Main PID: 1704845 (caddy)
      Tasks: 13 (limit: 8755)
     Memory: 13.1M
        CPU: 1min 58.417s
     CGroup: /system.slice/caddy.service

Verify Let's Encrypt is working

At this point, you should be able to visit https://byteninja-test.duckdns.org (your own domain) and verify in the browser that the site presents a valid certificate issued by Let's Encrypt.

By simplifying certificate management, Caddy with Let's Encrypt ensures secure communication without the need for manual configuration, making it a convenient choice for enhanced website security.

FAQ: Setting Up a Reverse Proxy with Caddy

Q1: What is a reverse proxy?
A reverse proxy sits between client requests and your backend servers, forwarding requests and responses. It helps with load balancing, SSL termination, and improved security.

Q2: Can Caddy handle SSL automatically?
Yes! Caddy automatically provisions and renews SSL certificates using Let's Encrypt, making HTTPS setup seamless.

Q3: How do I enable HTTP/2?
Caddy enables HTTP/2 by default when using HTTPS, so no additional configuration is needed.

Q4: Can I use Caddy with other web servers?
Yes! Caddy can reverse proxy to any web server, such as Nginx, Apache, or Node.js applications.

Q5: How do I view Caddy logs?
Caddy provides access logs and error logs, which can be configured in the Caddyfile for monitoring and debugging.

If you have any more questions or need further assistance, feel free to ask!
