4
submitted 11 months ago by amca01@alien.top to c/main@selfhosted.forum

I currently use docker-compose to manage a number of containers, and I've been using traefik as a reverse proxy and to interface with letsencrypt for management of SSH keys.

However, I've also been reading a bit about caddy, which seems like an easier alternative to traefik, in the sense of its handling wildcard certificates. All my containers have a public facing url, like this:

blog.mysite.org

mealie.mysite.org

nextcloud.mysite.org

photos.mysite.org

which I would have thought would be tailor-made for caddy. However, in my rough searches I haven't found out quite how to set up caddy to do this. I've also read (can't remember where) that this use of caddy is ok for homelab, but shouldn't be used for public facing sites.

So I just need a bit of advice - should I indeed switch to caddy, and if so, how? (All I need is a few pointers to good examples.)

Or should I stay with traefik, in which case, what is the easiest setup?

(I got some help with traefik a few years ago, but I'm having a lot of trouble now extending my current config files to manage a new container.)

I'm also very far from being a sysadmin expert, I usually flail around until something works.

Thanks!!

top 13 comments
sorted by: hot top controversial new old
[-] mrpink57@alien.top 1 points 11 months ago

https://docs.linuxserver.io/images/docker-swag/

I would tell you to entertain swag, has a lot of pre-built configs and has some integration with crowdsec and docker mods.

[-] AlternativeBasis@alien.top 1 points 11 months ago

It's not for lack of trying, but I've never really been able to successfully set up redirects in Traefik or Caddy

Even asking ChatGPT for help.

I ended up having success using Nginx Proxy Manager, which has a beautiful interactive UI. Despite running from a DockerCompose /Portainer

Now.. if only I could distill the entire configuration into a backup file..

[-] amca01@alien.top 1 points 11 months ago

It's my limited experience that nothing is easy, really, but in my case I'm looking for a solution which (a) works, and (b) is easily extendible when I add new containers.

[-] kevdogger@alien.top 1 points 11 months ago

What's not working with traefik? I like the traefik dashboard since it kind of helps troubleshoot things. I'll admit traefik isn't the easiest reverse proxy to work on at first but it clicks after a period of time. You can do wildcard certs with traefik as well

[-] amca01@alien.top 1 points 11 months ago

I have several issues with traefik: first is that I can't access the dashboard. The second is that as I was given a LOT of help setting it all up (some years ago), I've ended up with config files that I don't fully understand myself. When I tried, for example, to use traefik for certificates to protect my installation of mealie, I simply couldn't. So my mealie instance is unprotected, running just with http.

I'm getting to the stage where I'm thinking about paying for some professional sysadmin time ... As I said in my OP, I'm nowhere near competent as a sysadmin, especially with networking, and if I can get something to work, I'm thrilled and never want to touch it again, in case I break it.

[-] kevdogger@alien.top 1 points 11 months ago

Yea I get it..traefik very intimidating at first but I sware if you play around with it for a day or two like a lighbulb will just turn on..it's super confusing at first. Obtaining certs should be fairly easy and in terms of dashboard..that shouldn't be that hard to access either

[-] MylarShoe@alien.top 1 points 11 months ago

Caddy is great. The documentation is decent, but it helps to see some simple examples that you can build from. This is a writeup I did a little bit back, but it should mostly still hold true. https://reinhardt.dev/posts/caddy-server-wildcards/

[-] ItchyWeight@alien.top 0 points 11 months ago

https://github.com/lucaslorentz/caddy-docker-proxy

Been using that some time now, also for work projects. Works like a charm with only a couple of additional labels in your compose. Originally, I had also looked at Traefik but decided on caddy proxy for simplicity without loosing functionality.

[-] amca01@alien.top 1 points 11 months ago

Many thanks, that looks nice and within my limited abilities! I'll aim to try it out.

[-] giopas@alien.top 0 points 11 months ago

Here is an example of a working Caddyfile to start from.

In the first example (jelly.user.com), every query to http://jelly.user.com is automatically translated in https and handled over to http://192.168.1.10:7548.

In the second instance, you do not use https (TLS) and every query to http://well.user.com is directly passed along to the service running under http://192.168.1.13:5960.

Note that certificates are automatically handled and renewed by Caddy, giving your email address.

I also added a log for each subdomain for convenience.

I hope this is helpful.

~:/etc/caddy $ cat Caddyfile { log { output file /home/userCaddy-logs/caddy2.log } email user@user.com }

jelly.user.com { log { output file /home/user/Caddy-logs/jelly.log } encode gzip header Strict-Transport-Security max-age1536000; reverse_proxy http://192.168.1.10:7548 }

http://well.user.com { log { output file /home/user/Caddy-logs/well.log } encode gzip header Strict-Transport-Security max-age1536000; reverse_proxy http://192.168.1.13:5960 }

[-] amca01@alien.top 1 points 11 months ago

I meant to say thank you at least a day ago - so thank you very much! You've kindly provided a lot of detail, which I hope I can use for my own site. We'll see how we go... Thanks again.

[-] firess2010@alien.top 0 points 11 months ago

The documentation has a common pattern example for wildcard setup which should be spot on for your case: https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates

Also, a public facing web server is almost always a bad idea since although your reverse proxy might be secure, you must also harden any upstream application you expose through it.

I would prefer to setup a VPN to access my websites remotely.

[-] amca01@alien.top 1 points 11 months ago

Many thanks - but what is the issue with public facing web servers? I though that if protected using https, they would be as safe as needed. Using a VPN would add a complexity I'd be happy to avoid. And indeed all my sites are remote, hosted as a VPS. Now you've got me worried!

this post was submitted on 26 Nov 2023
4 points (83.3% liked)

Self-Hosted Main

504 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS