Caddy V1.0.5 Simple Installation

Author: Hogwarts | Published: 2020-12-04 | Updated: 2021-03-08 | Category: Default

Caddy v2 is the version the official site installs by default. For simplicity I recommend installing v1, but the official site no longer offers it for download; the diligent 秋水 (teddysun) compiled the latest Caddy v1.0.5, so this post uses that build as its example.

Reference: `https://teddysun.com/569.html`

That article briefly covers installing Caddy and running it in the background. Its shortcoming is that the process does not survive a reboot, so the start command has to be run again. Adding a systemctl unit means running it under root; as a perfectionist I would rather run it as an ordinary user, which means first adding a user, configuring its group, and stepping into a whole series of pitfalls along the way. To avoid being bitten again, I wrote this short post.

# 1. Download and install

Download:

```
wget -O /usr/local/bin/caddy https://dl.lamp.sh/files/caddy_linux_amd64
```

Make it executable:

```
chmod 755 /usr/local/bin/caddy
```

# 2. Set up the user, its group and the required permissions

## 2.1 Check whether a group and user named caddy already exist

The upstream Caddy service file uses www-data as the default user; for convenience this post uses caddy instead. If you are particular about it, replace caddy with www-data.

```
cat /etc/group | grep caddy
cat /etc/passwd | grep caddy
```

If nothing is printed, the group and user do not exist (they certainly will not yet), so create them.

## 2.2 Create a dedicated system user caddy and a group of the same name

```
sudo useradd -r -d /var/www -M -s /sbin/nologin caddy
```

This user can only be used to manage the Caddy service; it cannot log in.

## 2.3 Create the directory for the website files and set its ownership

```
sudo mkdir -p /var/www
sudo chown -R caddy:caddy /var/www
```

/var/www is the directory for the static website.

## 2.4 Create a directory for the SSL certificates

```
sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy
```

The ssl directory will hold the private key, so its mode is set to 770 to deny access to other users. The key and certificate can be generated automatically by Caddy or requested manually with acme.sh; that is not covered here. This post assumes they have already been obtained.

## 2.5 Production configuration file Caddyfile

```
sudo mkdir /etc/caddy
sudo chown -R caddy:root /etc/caddy
sudo touch /etc/caddy/Caddyfile
```

## 2.6 Create the directory for the logs

```
mkdir /var/log/caddy
chown -R caddy:root /var/log/caddy
# the mode applies to the log directory itself, not to a /var/log/caddy.log file
sudo chmod 0770 /var/log/caddy
```

## 2.7 Caddyfile configuration

```
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
```

With mode 444 you cannot cat content into the Caddyfile, so I suggest giving it 755 until it no longer reports errors and you no longer need to edit it, then change it back.

```
vim /etc/caddy/Caddyfile
```

Enter the following:

```
domain.com {    # your domain
    gzip
    tls /etc/ssl/caddy/fullchain.cer /etc/ssl/caddy/private.key
    root /var/www
}
```

# 3. Add a systemctl unit so Caddy starts at boot

```
sudo vim /etc/systemd/system/caddy.service
```

Note that User is changed to caddy; upstream uses www-data. Fill in the file:

```
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```

`:wq!` to save and exit.

Start the Caddy service and enable it at boot:

```
systemctl daemon-reload
systemctl start caddy.service
systemctl status caddy.service
systemctl enable caddy.service
```

# 4. Possible problems (pitfalls)

## 4.1 Error: WARNING: At least 8192 is recommended

```
File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with `ulimit -n 8192`.
```

Remedy: `vim /etc/security/limits.conf` and add the following above the `# End of file` line:

```
* soft nofile 16384
* hard nofile 16384
```

Then reboot.

## 4.2 Error: Listen: listen tcp .443: bind: permission denied

Problem: after editing the Caddyfile (Caddy listens on port 2015 by default) to use 443 or 80, this error appears.

Remedy: Caddy is not run by root, so use setcap to allow caddy, as an ordinary user process, to bind low-numbered ports (the server needs 80 and 443):

```
setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
```

## 4.3 Still the same error after the change above: Listen: listen tcp.443: bind: permission denied

```
vim /etc/systemd/system/caddy.service
```

Uncomment the following three lines:

- `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`
- `AmbientCapabilities=CAP_NET_BIND_SERVICE`
- `NoNewPrivileges=true`

```
systemctl daemon-reload
systemctl restart caddy
systemctl status caddy
```

Reference: https://blog.k-res.net/archives/2535.html

## 4.4 Caddyfile configuration problems

See this article: https://onebox.site/archives/131.html

There are many pitfalls, or rather my skill is limited. Configuring domain.com and www.domain.com to listen on ports 80 and 443 as that tutorial shows did not work for me. For example:

```
domain.com,www.domain.com:80
domain.com,www.domain.com:443
```

This runs, but the static site cannot be opened. PS: this syntax looks like Caddy v2's; I got confused.

- It does not actually have to be this complicated: set up a domain redirect when configuring DNS to avoid having to configure the www subdomain at all. Google it yourself.
- My clumsy config (the two redir targets below are written to match their comments: every variant ends up at https://www.domain.com):

```
http://domain.com {
    redir https://www.domain.com{uri}    # http://domain.com redirects to https://www.domain.com
}
http://www.domain.com {
    redir https://www.domain.com{uri}    # http://www.domain.com redirects to https://www.domain.com
}
https://domain.com {
    redir https://www.domain.com{uri}    # https://domain.com redirects to https://www.domain.com (redirecting to itself would loop)
}
https://www.domain.com {                 # www.domain.com listens on port 443
    gzip                                 # compression
    browse                               # marginally useful; can be configured in more detail
    log /var/log/caddy/caddy.log         # not much use
    tls /etc/ssl/caddy/fullchain.cer /etc/ssl/caddy/private.key    # use your own certificate
    #tls your-email@gmail.com            # have Let's Encrypt issue the certificate; choose this or the line above
    root /var/www/html                   # website root directory
    header / {
        # configure HSTS (HTTP Strict Transport Security)
        Strict-Transport-Security "max-age=31536000;"
    }
}
```

# 5. Takeaways

Stay calm and adjust step by step. Especially when not running as root, there may be user and group permission problems; after modifying the Caddyfile, remember to set its permissions again to avoid being bitten. The service files for software such as V2ray or Xray default to the nobody user, so they sometimes fail to start while starting as root works; that is a user and group permission issue. If you prefer Docker, see: `https://shiping.date/archives/19.html`

Tags: caddy
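As an added example that is not part of the original post, this POSIX shell audit checks the ownership, modes, setcap capability and active unit directives that sections 2 through 4.3 set up, so it can be run before (re)starting the service. The /var/www, /etc/ssl/caddy, /var/log/caddy, Caddyfile and unit paths are the guide's; CADDY_USER, CADDY_BIN and UNIT are assumed overridable defaults, and the `audit` and helper function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the non-root Caddy setup
# from sections 2 to 4.3 before (re)starting the service. Directory and unit paths
# are the guide's; CADDY_USER, CADDY_BIN and UNIT are assumed overridable defaults.
CADDY_USER="${CADDY_USER:-caddy}"
CADDY_BIN="${CADDY_BIN:-/usr/local/bin/caddy}"
UNIT="${UNIT:-/etc/systemd/system/caddy.service}"

mode_of()  { stat -c '%a' "$1"; }     # octal mode without leading zero, e.g. 770
owner_of() { stat -c '%U:%G' "$1"; }  # user:group

# check_mode PATH MODE and check_owner PATH USER:GROUP succeed when they match
check_mode()  { [ "$(mode_of "$1")" = "$2" ]; }
check_owner() { [ "$(owner_of "$1")" = "$2" ]; }

# world_writable PATH succeeds if "other" has the write bit (last digit 2, 3, 6 or 7)
world_writable() {
    m=$(mode_of "$1") || return 1
    case "${m#${m%?}}" in [2367]) return 0 ;; esac
    return 1
}

# unit_active_directive FILE KEY=VALUE succeeds only if the line is present and
# not commented out with ';' or '#' (section 4.3 uncomments three such lines)
unit_active_directive() { grep -qx "[[:space:]]*$2[[:space:]]*" "$1"; }

# has_bind_cap BINARY succeeds if setcap granted cap_net_bind_service (section 4.2)
has_bind_cap() { getcap "$1" 2>/dev/null | grep -q cap_net_bind_service; }

audit() {
    rc=0
    id "$CADDY_USER" >/dev/null 2>&1 || { echo "missing user $CADDY_USER"; rc=1; }
    check_owner /var/www "$CADDY_USER:$CADDY_USER" || { echo "/var/www not owned by $CADDY_USER"; rc=1; }
    check_mode /etc/ssl/caddy 770 || { echo "/etc/ssl/caddy should be 0770"; rc=1; }
    check_mode /var/log/caddy 770 || { echo "/var/log/caddy should be 0770"; rc=1; }
    world_writable /etc/caddy/Caddyfile && { echo "Caddyfile is world-writable"; rc=1; }
    has_bind_cap "$CADDY_BIN" || { echo "$CADDY_BIN lacks cap_net_bind_service"; rc=1; }
    unit_active_directive "$UNIT" "User=$CADDY_USER" || { echo "unit does not set User=$CADDY_USER"; rc=1; }
    for d in CapabilityBoundingSet=CAP_NET_BIND_SERVICE \
             AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true; do
        unit_active_directive "$UNIT" "$d" || { echo "unit: $d is missing or commented out"; rc=1; }
    done
    return $rc
}

# Run the audit; every finding is printed and the function returns 1 if anything is off
audit || echo "audit found problems (see above)"
```

Run it as root after section 4.3 (getcap needs the libcap tools installed); a clean run prints nothing before the final line.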