This repository provides a Docker-based setup for running a Caddy reverse proxy with support for internal, external, and Cloudflare-protected services. It includes automatic configuration reloading and DNS challenge support for SSL certificates.
- Reverse proxy for internal, external, and Cloudflare-protected services.
- Automatic SSL certificate management using Caddy.
- DNS challenge support for Cloudflare.
- Automatic configuration reload on changes.
- Pre-configured security headers and compression.
- Modular configuration for easy service management.
- Docker and Docker Compose installed on your system.
- A Cloudflare account (if using DNS challenge for SSL certificates).
git clone https://github.com/hueske-digital/caddy
cd caddyCopy the .env.example file to .env and fill in the required values:
cp .env.example .envCF_API_TOKEN: Your Cloudflare API token with the following permissions (can be generated using this link):- Zone / Zone / Read
- Zone / DNS / Edit
EMAIL: Your email address for SSL certificate notifications.
Proxy host configurations are located in the hosts directory. Use the provided example files as a starting point:
- Internal services:
hosts/internal/*.example - External services:
hosts/external/*.example - Cloudflare-protected services:
hosts/cloudflare/*.example
Rename the example files to .conf and customize them as needed. For example:
mv hosts/external/external.example hosts/external/my-service.confRun the following command to start the proxy:
docker compose up -dCaddy automatically validates and reloads the configuration when changes are detected. Logs can be viewed using:
docker compose logs app -fTo allow external access to your services, ensure the following ports are open and forwarded to your Docker machine:
- Port 80 (TCP): For HTTP traffic and Let's Encrypt challenges.
- Port 443 (TCP): For HTTPS traffic.
- Port 443 (UDP): For HTTP/3 traffic.
caddy/
├── build/
│ ├── Dockerfile # Custom Caddy build with plugins
│ ├── bin/
│ │ ├── entrypoint.sh # Entrypoint script for the container
│ │ └── reload.sh # Script for automatic config reload
├── hosts/
│ ├── base.conf # Base configuration for Caddy
│ ├── internal/ # Internal service configurations
│ ├── external/ # External service configurations
│ └── cloudflare/ # Cloudflare-protected service configurations
├── .env.example # Example environment variables file
├── docker-compose.yml # Docker Compose configuration
└── README.md # Project documentation
The hosts/base.conf file includes global settings such as:
- Security headers
- Compression
- Logging
- TLS configuration with Cloudflare DNS challenge
Internal services are accessible only from private IP ranges. Example configuration:
https://internal.hueske.services {
import internal
import tls
import header
handle @internal {
reverse_proxy internal-app-1:8080
}
respond 403
}
External services are publicly accessible. Example configuration:
https://external.hueske.services {
import tls
import compression
import header
reverse_proxy external-app-1:3000
}
Services behind Cloudflare are restricted to Cloudflare IP ranges. Example configuration:
https://cloudflare.hueske.services {
import cloudflare
import tls
import compression
import header
handle @cloudflare {
reverse_proxy cloudflare-app-1:3001
}
respond 403
}
This setup includes the following Caddy plugins:
- Cloudflare DNS: For DNS challenge support.
- Replace Response: For response manipulation.
The reload.sh script monitors the hosts directory for changes and reloads the Caddy configuration automatically.
- Ensure that the SSL mode in Cloudflare is set to Strict.
- Use the provided access lists (
internalandcloudflare) to restrict access to services appropriately.