How to Install and Configure Caddy on CentOS 7


Introduction

Caddy is an emerging web server program with native support for HTTP/2 and automatic HTTPS. With ease of use and security in mind, Caddy can be used to rapidly deploy an HTTPS-enabled site with a single config file.

Prerequisites

  • A fresh Vultr CentOS 7 x64 server instance. We will use 203.0.113.1 as an example.
  • A sudo user.
  • The server instance has been updated to the latest stable status using the EPEL YUM repo.
  • A domain example.com has been configured to point to the 203.0.113.1 server instance. See details in another Vultr tutorial.

Step 1: Install the Latest Stable Release of Caddy

On a Linux, Mac, or BSD operating system, use the following command to install the latest stable system-specific release of Caddy:

curl https://getcaddy.com | bash

When prompted, input your sudo password to finish the installation.

The Caddy binary will be installed to the /usr/local/bin directory. Use the following command to confirm:

which caddy

The output shoud be:

/usr/local/bin/caddy

For security purposes, NEVER run the Caddy binary as root. In order to give Caddy the ability to bind to privileged ports (e.g. 80, 443) as a non-root user, you need to run the setcap command as follows:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

Step 2: Configure Caddy

Create a dedicated system user: caddy and a group of the same name for Caddy:

sudo useradd -r -d /var/www -M -s /sbin/nologin caddy

Note: The user caddy created here can only be used to manage the Caddy service and cannot be used for logging in.

Create the home directory /var/www for the Caddy web server, and the home directory /var/www/example.com for your site:

sudo mkdir -p /var/www/example.comsudo chown -R caddy:caddy /var/www

Create a directory to store SSL certificates:

sudo mkdir /etc/ssl/caddysudo chown -R caddy:root /etc/ssl/caddysudo chmod 0770 /etc/ssl/caddy

Create a dedicated directory to store the Caddy config file Caddyfile:

sudo mkdir /etc/caddysudo chown -R root:caddy /etc/caddy

Create the Caddy config file named Caddyfile:

sudo touch /etc/caddy/Caddyfilesudo chown caddy:caddy /etc/caddy/Caddyfilesudo chmod 444 /etc/caddy/Caddyfilecat <<EOF | sudo tee -a /etc/caddy/Caddyfileexample.com {    root /var/www/example.com    gzip    tls admin@example.com}EOF

Note: The Caddyfile file created above is only a basic configuration for running a static website. You can learn more about how to write a Caddyfile here.

In order to facilitate the operations of Caddy, you can setup a systemd unit file for Caddy and then use systemd to manage Caddy.

Use the vi editor to create the Caddy systemd unit file:

sudo vi /etc/systemd/system/caddy.service

Populate the file:

[Unit]Description=Caddy HTTP/2 web serverDocumentation=https://caddyserver.com/docsAfter=network-online.targetWants=network-online.target systemd-networkd-wait-online.service[Service]Restart=on-abnormal; User and group the process will run as.User=caddyGroup=caddy; Letsencrypt-issued certificates will be written to this directory.Environment=CADDYPATH=/etc/ssl/caddy; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmpExecReload=/bin/kill -USR1 $MAINPID; Use graceful shutdown with a reasonable timeoutKillMode=mixedKillSignal=SIGQUITTimeoutStopSec=5s; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.LimitNOFILE=1048576; Unmodified caddy is not expected to use more than that.LimitNPROC=512; Use private /tmp and /var/tmp, which are discarded after caddy stops.PrivateTmp=true; Use a minimal /devPrivateDevices=true; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.ProtectHome=true; Make /usr, /boot, /etc and possibly some more folders read-only.ProtectSystem=full; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!ReadWriteDirectories=/etc/ssl/caddy; The following additional security directives only work with systemd v229 or later.; They further retrict privileges that can be gained by caddy. Uncomment if you like.; Note that you may have to add capabilities required by any plugins in use.;CapabilityBoundingSet=CAP_NET_BIND_SERVICE;AmbientCapabilities=CAP_NET_BIND_SERVICE;NoNewPrivileges=true[Install]WantedBy=multi-user.target

Save and quit:

:wq!

Start the Caddy service and make it automatically start on system boot:

sudo systemctl daemon-reloadsudo systemctl start caddy.servicesudo systemctl enable caddy.service

Step 3: Modify firewall rules

In order to allow visitors to access your Caddy site, you need to open ports 80 and 443:

sudo firewall-cmd --permanent --zone=public --add-service=http sudo firewall-cmd --permanent --zone=public --add-service=httpssudo firewall-cmd --reload

Step 4: Create a test page for your site

Use the following command to create a file named index.html in your Caddy site home directory:

echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html

Restart the Caddy service to load new contents:

sudo systemctl restart caddy.service

Finally, point your web browser to http://example.com or https://example.com. You should see the message Hello World! as expected.

Want to contribute?

You could earn up to $300 by adding new articles

Submit your article
Suggest an update
Request an article

No comments

Powered by Blogger.