Caddy v2 - update and warning


pwhodges


14 minutes ago, pwhodges said:

No, sorry.  But I haven't used it on Linux, which is what I tend to associate the term "socket" with.

Re "route" - that's not what it is.  Route is a directive to force a group of other directives to be handled in the order you write them rather than their default order.  What I think you're trying to write with it is what's called a "matcher", which can be part of many directives - but in almost all cases "/*" is the default anyway.  The route directive can have a matcher, but this is used to specify that the directives it controls are only used in that instance, and you might typically have multiple routes to specify different subsections of a web site.  But for that purpose you would normally use "handle", which also specifies a group of directives to be used in just some of the web site, but doesn't force an order to override the default order on them as route does.

Paul

In this example, are the "route /*" necessary then?

example.com {
	encode zstd gzip
	route /*
	handle_errors {
		rewrite * /redir-target/NoSignal404.html
		file_server
	}
	log
	file_server
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}
}


sub.example.com {
	route /*
	reverse_proxy 192.168.1.126:8096
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}
}


Thanks so much for your help.


pwhodges

"Route /*" is serving no purpose in that setup, not least as it has no directives specified as the main parameter!

Also, in the first site, "log" used with no parameters is enabling just access logging to the console - is this what you mean to enable, or do you want file logging? 

And the first site also doesn't specify what files the "file_server" directive can serve! - you need to include: "root * /path/to/site/files" (N.B. in this case, the "*" matcher, although default, is required to disambiguate the path which starts with a "/" as that can also start a matcher).

Paul

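A corrected version of the first site from the question above, written as an added example for this thread (it is not either poster's configuration). It supplies the "root" Paul says is missing, uses "handle" rather than "route" to scope directives to one part of the site, keeps the error page, and sends the access log to a rotated file instead of the console. The site root, the /downloads/ prefix and the log path are assumptions.

```caddyfile
example.com {
	# Without "root", file_server has nothing it is allowed to serve. The "*"
	# matcher is required here because the path begins with "/", which would
	# otherwise be read as a path matcher. (Directory is an assumption.)
	root * /srv/example.com/public

	encode zstd gzip

	# "handle" groups directives for one matcher without overriding the
	# default directive order the way "route" does. Only this prefix
	# (assumed) gets a directory listing.
	handle /downloads/* {
		file_server browse
	}

	# Everything else: plain static files, no listing.
	handle {
		file_server
	}

	# Serve a fixed page for error responses instead of Caddy's default text.
	handle_errors {
		rewrite * /redir-target/NoSignal404.html
		file_server
	}

	# A bare "log" writes access logs to the console; this writes rotated
	# files instead. (Log path is an assumption.)
	log {
		output file /var/log/caddy/example.com-access.log {
			roll_size 5MiB
			roll_keep 2
			roll_keep_for 168h
		}
	}

	header {
		Permissions-Policy interest-cohort=()
		Strict-Transport-Security max-age=31536000
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		Referrer-Policy no-referrer-when-downgrade
	}
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` before reloading; it reports unknown subdirectives (the usual cause of a log block being rejected) without touching the running server.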

It would be better to log to a text file.

I could do this in the first version of caddy, but haven't been able to get that working properly this time around.



9 minutes ago, chef said:

It would be better to log to a text file.

        log {
            output file C:\caddy\logs\emby_access.log {
                roll true               # Rotate logs, enabled by default
                roll_size_mb 5          # Set max size 5 MB
                roll_gzip true          # Whether to compress rolled files
                roll_local_time true    # Use localhost time
                roll_keep 2             # Keep at most 2 log files
                roll_keep_days 7        # Keep log files for 7 days
            }

The above has worked for me


48 minutes ago, seanbuff said:
        log {
            output file C:\caddy\logs\emby_access.log {
                roll true               # Rotate logs, enabled by default
                roll_size_mb 5          # Set max size 5 MB
                roll_gzip true          # Whether to compress rolled files
                roll_local_time true    # Use localhost time
                roll_keep 2             # Keep at most 2 log files
                roll_keep_days 7        # Keep log files for 7 days
            }

The above has worked for me

Oh, log is like an object. Thank you. That's super helpful.


So the only other thing that has got me confused is how 'root' points to a folder with site files. 

For instance if I had a folder which contains caddy. 

Then, a subfolder called 'main' (beside the caddy binaries), I thought that 

'root * /main' would point to it. But, I think something isn't quite right. 

Maybe it's supposed to be a full path to the site files?

Or maybe I have to do "./" or "../"?


pwhodges

If "main" is a subfolder you don't start the path with "/" which goes back to the base of the file system.  Try "./main", where "." means "current directory".  This is probably not necessary in Windows, but I think Linux might require it (or even Caddy's parsing might).

BTW, you could also save typing by defining your big "header" block as a "snippet" at the top of the Caddyfile, which you then simply import into each site.

Paul


On 1/13/2023 at 7:37 PM, seanbuff said:
        log {
            output file C:\caddy\logs\emby_access.log {
                roll true               # Rotate logs, enabled by default
                roll_size_mb 5          # Set max size 5 MB
                roll_gzip true          # Whether to compress rolled files
                roll_local_time true    # Use localhost time
                roll_keep 2             # Keep at most 2 log files
                roll_keep_days 7        # Keep log files for 7 days
            }

The above has worked for me

are you missing a curly brace in that example @seanbuff.

EDIT: I was able to get this working by removing the localhost_time and adding the brace. For some reason Caddy didn't allow me to add the local_host time.

    log {
            output file "C:/Caddy 2/logs/emby/access.log" {
                roll true               # Rotate logs, enabled by default
                roll_size_mb 5          # Set max size 5 MB
                roll_gzip true          # Whether to compress rolled files                
                roll_keep 2             # Keep at most 2 log files
                roll_keep_days 7        # Keep log files for 7 days
            } 
	}



17 hours ago, pwhodges said:

BTW, you could also save typing by defining your big "header" block as a "snippet" at the top of the Caddyfile, which you then simply import into each site.

Paul

So, this right here was an invaluable piece of information thank you!

(headers) {
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}
}

example.com {

	# use the snippet here to add headers!
	import headers

}

Seems to work as far as I can see.


5 hours ago, chef said:

are you missing a curly brace in that example

Correct, I just pulled out that snippet from a bigger config and missed that last brace. But I knew you're a clever guy so would have no issues 😉


1 hour ago, kikinjo said:

@pwhodges this is getting more interesting. Tested my Emby web for all supported protocols using online tools / web checkers. Results: all supported, http1, http2, even http3 is working (after I opened the UDP port). But all Emby clients (web, Android, Windows, whatever) connect with http1, at least in the Emby web dashboard.

Are you using https from the RP internal connection to the local emby web server ?


7 minutes ago, rbjtech said:

Are you using https from the RP internal connection to the local emby web server ?

Nope, only from client to caddy is https. I mentioned that in first posts.


2 minutes ago, kikinjo said:

Nope, only from client to caddy is https. I mentioned that in first posts.

OK - so that's why then. For http2/3: as the Emby web server serves http2 only over https, it will be falling back to http1.

If you have a https connection from the RP to Emby - then I believe it should be delivered via http2.

As a test I did a while back, using a direct connection (no RP), an external https connection got delivered using http2.  Any internal connection via http, got delivered via http1.


On 1/17/2023 at 6:59 PM, rbjtech said:

If you have a https connection from the RP to Emby - then I believe it should be delivered via http2.

Any idea how to achieve this with Caddy?


pwhodges

Create or acquire an appropriate certificate for the Emby server, install it in Emby and use https for the proxy backend.

If your Emby is on a separate machine, you could install Caddy on that as well, with an http/1 link to localhost, and use this article to create an https link between the two Caddy servers - that would at least encrypt your data travelling in your local network.  (j/k - I mean, you could...)

But why do you want to?  Http/1 probably gives you marginally better performance (I'd be surprised if you noticed, though), and if you want https because you consider your local network insecure you've other matters to worry about before your Emby setup.

Paul

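Paul's suggestion above in Caddyfile form, as an added example for this thread rather than anyone's posted configuration. Giving the backend an https:// scheme turns on TLS for Caddy's upstream transport, which is the condition rbjtech identified for getting HTTP/2 to Emby; the transport is then told which CA to trust and which name to verify, so the proxy still authenticates the server it talks to. The port (8920 is Emby's default HTTPS port), the CA file path and the server name are assumptions.

```caddyfile
sub.example.com {
	# TLS from Caddy to the Emby backend, not only from the client to Caddy.
	# With an https:// upstream Caddy enables TLS on the transport and will
	# negotiate HTTP/2 with a backend that offers it. (Port is an assumption.)
	reverse_proxy https://192.168.1.126:8920 {
		transport http {
			# Trust the CA that issued Emby's certificate (assumed path) instead
			# of the system store, and present/verify this name (assumed).
			# tls_insecure_skip_verify would also make the connection work, but
			# it removes the check that this really is your Emby server.
			tls_trusted_ca_certs /etc/caddy/emby-ca.pem
			tls_server_name emby.lan
		}
	}
}
```

If Emby is given a certificate that already chains to a publicly trusted CA and is issued for the name Caddy connects to, the whole transport block can be dropped and `reverse_proxy https://emby.example.com:8920` is enough.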

Just adding my 2 cents for the posterity :)

19 hours ago, pwhodges said:

Create or acquire an appropriate certificate for the Emby server, install it in Emby and use https for the proxy backend.

If your Emby is on a separate machine, you could install Caddy on that as well, with an http/1 link to localhost, and use this article to create an https link between the two Caddy servers - that would at least encrypt your data travelling in your local network.  (j/k - I mean, you could...)

Paul

This is exactly what I did (without the second Caddy proxy). I connected Emby (through its https port) with Caddy. They are on 2 different machines (so that the one hosting Emby can sleep and be woken up by the proxy whenever needed). At first I installed nginx and it was OK but not great. I wanted to try out http/2 (https), which Caddy can provide, to try to solve a bug I had with Safari. Turns out the situation is far better but still not ideal, so I will stay with Caddy for now (which I set up in merely 1 hour instead of days of document reading for nginx).

But why do you want to?  Http/1 probably gives you marginally better performance (I'd be surprised if you noticed, though), and if you want https because you consider your local network insecure you've other matters to worry about before your Emby setup.

Performance wise, Caddy is a little bit faster using http/1.1 to connect to Emby instead of http/2 (on my setup the Chrome dev tools tell me that on average a single .ts request of 20 MB is received ~100ms faster using http/1.1 compared to http/2, on a wired and local connection). At the end of the day, I sense that http/2 seems more reliable for me. Maybe if Emby could serve http/2 requests without TLS the situation would be inverted, but I'm sure that's not an important task for the devs to tackle right now.


@pwhodges, did you set up anything special in Caddyfile for Emby or left the default behaviour of Caddy?


For those interested, here's my actual Caddyfile for Emby.

I've set it up with this optional plugin that geo-filters incoming requests.

Both http and https requests to Emby are available if needed. I experimented with special directives for buffering and response flushing, but so far keeping Caddy's default values and behaviour seems to be the best for me.

Caddyfile


24 minutes ago, Gecko said:

For those interested, here's my actual Caddyfile for Emby.

I've set it up with this optional plugin that geo-filters incoming requests.

Both http and https requests to Emby are available if needed. I experimented with special directives for buffering and response flushing, but so far keeping Caddy's default values and behaviour seems to be the best for me.

Caddyfile

cool. So did you have to sign up for GeoIP2?


Gecko, is this caddy v1 config or v2?

I was just googling about geo ip blocking with caddy and trying to implement it. Cheers


15 minutes ago, chef said:

cool. So did you have to sign up for GeoIP2?


Yes, it's free of charge at the country level, and the best part is that I just noticed on the Caddy plugin page that another plugin automatically retrieves the file for you every week.


3 minutes ago, kikinjo said:

Gecko, is this caddy v1 config or v2?

I was just googling about geo ip blocking with caddy and trying to implement it. Cheers

It’s V2 ;)


Gecko, on the Caddy download page I see Caddy plus plugins downloaded in one package. I'm already running Caddy; how do I add this plugin / download now to my running Caddy?

Cheers


pwhodges
1 hour ago, Gecko said:

@pwhodges, did you set up anything special in Caddyfile for Emby or left the default behaviour of Caddy?

Completely default.

9 minutes ago, kikinjo said:

I'm already running Caddy; how do I add this plugin / download now to my running Caddy?

You can't (Caddy runs as a single .exe).  Just rebuild your usual version with the added plugin - that way you're also completely up to date.

Paul


38 minutes ago, kikinjo said:

Gecko, on the Caddy download page I see Caddy plus plugins downloaded in one package. I'm already running Caddy; how do I add this plugin / download now to my running Caddy?

Cheers

Like pwhodges said, build your own image with the required plugins. I personally use Docker and followed what's on the Docker Hub page, using the xcaddy command to add plugins.


FROM caddy:<version>-builder AS builder

RUN xcaddy build \
    --with github.com/caddyserver/nginx-adapter \
    --with github.com/hairyhenderson/caddy-teapot-module@v0.0.3-0

FROM caddy:<version>

COPY --from=builder /usr/bin/caddy /usr/bin/caddy