
Caddy configuration example

This page provides a sample configuration for setting up Caddy as a reverse proxy to expose your Anapaya appliance management APIs to the CONSOLE.

Sample Caddyfile

The Caddyfile below demonstrates a setup with two appliances using path-based routing (/appliance1/* and /appliance2/*), basic authentication for the reverse proxy, ACME DNS challenge for TLS certificates, and skips TLS verification for appliances (which use self-signed certificates).

# Common proxy settings for all appliances. Snippets must be defined at the
# top level of the Caddyfile, outside any site block. Learn more about
# reusable snippets: https://caddyserver.com/docs/caddyfile/concepts#snippets
(proxy_settings) {
    # Replace the client's Authorization header (the proxy's own basic auth
    # credentials) with the appliance credentials passed as the first argument.
    header_up -Authorization
    header_up Authorization "Basic {args.0}"

    transport http {
        tls
        # Appliance uses self-signed certificates, so certificate verification
        # is disabled: the connection is encrypted, but the appliance's
        # identity is not checked.
        tls_insecure_skip_verify
    }
}

console-proxy.example.com {
    tls {
        # Configures the ACME DNS challenge, since our Caddy instance is not
        # publicly accessible. Requires a Caddy build with the
        # dns.providers.cloudflare module. Alternative options are available:
        # https://caddyserver.com/docs/automatic-https#dns-challenge
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Require all requests to use basic authentication. Alternative authentication
    # methods can be used: https://caddyserver.com/docs/modules/
    basic_auth {
        # Username "anapaya-console", password "startin-brock6malt2reserve6attract"
        # Generate the hash for your own password with `caddy hash-password`.
        anapaya-console $2a$16$FVCS3K6Y3DnesW2FlQeeQO5QBqqqkfo/2GL3oXLlGJIiTJGyOrl1e
    }

    # Handle all HTTP requests to /appliance1/* and forward to appliance 1.
    # Strip /appliance1 from the request path.
    handle_path /appliance1/* {
        reverse_proxy https://192.168.1.10:443 {
            import proxy_settings {env.APP1_AUTH_BASE64}
        }
    }

    # Handle all HTTP requests to /appliance2/* and forward to appliance 2.
    # Strip /appliance2 from the request path.
    handle_path /appliance2/* {
        reverse_proxy https://192.168.1.11:443 {
            import proxy_settings {env.APP2_AUTH_BASE64}
        }
    }
}

To learn more about Caddy configuration options, refer to the Caddy documentation. In particular, read the automatic HTTPS and reverse proxy guides. Also have a look at all the available Caddy modules for additional functionality. To find the right DNS provider module for your ACME DNS challenge, see this post on the Caddy wiki.

For a simple test setup, you can run Caddy directly from the command line:

export CLOUDFLARE_API_TOKEN="your-cloudflare-api-token"
export APP1_AUTH_BASE64="$( echo -n 'anapaya-console:password1' | base64 )"
export APP2_AUTH_BASE64="$( echo -n 'anapaya-console:password2' | base64 )"
caddy run --config /path/to/Caddyfile
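
For anything longer-lived than the quick test above, the following added example (not part of the original page) builds the same `APP1_AUTH_BASE64` and `APP2_AUTH_BASE64` values from password files and writes them to an owner-only environment file. The function names and file paths are hypothetical; only the variable names come from the Caddyfile.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names and file
# paths are hypothetical; the variable names are the ones the Caddyfile reads.

# basic_auth_b64 USER PASSWORD_FILE
# Prints base64("USER:PASSWORD") on one line, the value that the
# proxy_settings snippet places after "Basic ".
basic_auth_b64() {
    ba_user=$1
    ba_file=$2
    # RFC 7617: the user-id cannot contain ':' because the first colon
    # separates user and password when the header is decoded.
    case $ba_user in
        '' | *:*) echo "basic_auth_b64: invalid user name" >&2; return 1 ;;
    esac
    [ -r "$ba_file" ] || { echo "basic_auth_b64: cannot read $ba_file" >&2; return 1; }
    # Command substitution strips the trailing newline an editor leaves in the file.
    ba_pass=$(cat "$ba_file")
    [ -n "$ba_pass" ] || { echo "basic_auth_b64: empty password" >&2; return 1; }
    # printf is a shell builtin, so the secret is not exposed in process
    # arguments. tr removes the line wrap GNU base64 inserts after 76
    # characters, which would otherwise break the header value.
    printf '%s:%s' "$ba_user" "$ba_pass" | base64 | tr -d '\n'
}

# write_caddy_env OUT_FILE USER APP1_PASSWORD_FILE APP2_PASSWORD_FILE
# Writes KEY=value lines (the format systemd's EnvironmentFile= accepts)
# to a file only its owner can read. Runs in a subshell so umask is local.
write_caddy_env() (
    umask 077
    app1=$(basic_auth_b64 "$2" "$3") || exit 1
    app2=$(basic_auth_b64 "$2" "$4") || exit 1
    : >> "$1" && chmod 600 "$1" || exit 1
    {
        printf 'APP1_AUTH_BASE64=%s\n' "$app1"
        printf 'APP2_AUTH_BASE64=%s\n' "$app2"
    } > "$1"
)
```

When Caddy runs as a systemd service, the generated file can be referenced from the unit with `EnvironmentFile=`.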

Running in production

To run Caddy in a production environment, follow the deployment guide. Make sure to use the process that best fits your environment (e.g., systemd service, Docker container, etc.). To get the Caddy binary, you can refer to the install guide. Note that you will need to use xcaddy or the download page if you want to use the custom DNS provider modules (such as Cloudflare, AWS, Azure, GCP) for the ACME DNS challenge.
