
How To Host a Website with Caddy on Ubuntu 16.04


Introduction

Caddy is a new web server created with ease of use in mind. It's simple enough to be used as a quick development server and robust enough to be used in production environments.

It features an intuitive configuration file, HTTP/2 support, and automatic TLS encryption. HTTP/2 is the new version of the HTTP protocol that makes websites faster by using a single connection for transferring multiple files and by compressing headers, among other features. TLS is used to serve websites encrypted over a secure connection and, while it has been widely adopted on the Internet, it's often a hassle to obtain and install certificates manually.

Caddy integrates closely with Let's Encrypt, a certificate authority which provides free TLS/SSL certificates, and automatically obtains and renews the certificates when needed. In other words, every website that Caddy serves can be automatically served over a secure connection with no additional configuration or action necessary.

In this tutorial, you will install and configure Caddy. After following this tutorial, you will have a simple working website served using HTTP/2 and a secure TLS connection.


Prerequisites

To follow this tutorial, you will need:

  • One Ubuntu 16.04 server set up with this initial server setup tutorial, including a sudo non-root user and a firewall.
  • A domain name configured to point to your server. This is necessary for Caddy to obtain an SSL certificate for the website; without using a proper domain name, the website will not be served securely with TLS encryption. You can learn how to point domains to DigitalOcean Droplets by following the How To Set Up a Host Name with DigitalOcean tutorial.

Step 1 — Installing the Caddy Binaries

The Caddy project provides an installation script that will retrieve and install the Caddy server's binary files. To execute it, type:

$ curl -s https://getcaddy.com | bash

You can view the script by visiting https://getcaddy.com in your browser or downloading the file with wget or curl before you execute it.

During the installation, the script will use sudo to gain administrative privileges in order to put Caddy files in system-wide directories, so it might prompt you for a password.

The command output will look like this:

Caddy installation script output:
Downloading Caddy for linux/amd64...
https://caddyserver.com/download/build?os=linux&arch=amd64&arm=&features=
Extracting...
Putting caddy in /usr/local/bin (may require password)
[sudo] password for sammy:
Caddy 0.9.5
Successfully installed

After the script finishes, the Caddy binaries are installed on the server and ready to use. You can verify that the Caddy binaries have been put in place by using which to check their location.

$ which caddy

The command output will say that the Caddy binary can be found in /usr/local/bin/caddy.

Caddy does not create any system-wide configuration during installation and does not install itself as a service, which means it won't start up automatically during boot. In the next two steps, we'll create the files Caddy needs to function and install its service file.


Step 2 — Setting Up Necessary Directories

Caddy's automatic TLS support and unit file (which we'll install in the next step) expect particular directories and files to exist with specific permissions. We'll create them all in this step.

First, create a directory that will house the main Caddyfile, which is the configuration file that tells Caddy which websites it should serve and how.

$ sudo mkdir /etc/caddy

Change the owner of this directory to the root user and its group to www-data so Caddy can read it.

$ sudo chown -R root:www-data /etc/caddy

In this directory, create an empty Caddyfile which we'll edit later.

$ sudo touch /etc/caddy/Caddyfile

Create another directory in /etc/ssl. Caddy needs this to store the SSL private keys and certificates that it automatically obtains from Let's Encrypt.

$ sudo mkdir /etc/ssl/caddy

Caddy needs to be able to write to this directory when it obtains the certificate, so make the www-data user its owner. You can leave the group as root, unchanged from the default:

$ sudo chown -R www-data:root /etc/ssl/caddy

Then make sure no one else can read the private keys and certificates stored there by removing all access rights for others.

$ sudo chmod 0770 /etc/ssl/caddy

The final directory we need to create is the one where the website itself will be published. We will use /var/www, which is customary and also the default path when using other web servers, like Apache or Nginx.

$ sudo mkdir /var/www

This directory should be completely owned by www-data.

$ sudo chown www-data:www-data /var/www

You have now prepared the necessary environment for Caddy to run. In the next step, we will configure Caddy as a system service to ensure it starts with system boot and can be managed with systemctl.
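As an added example that is not part of the tutorial, here is a Python audit of the three directories created in this step, checking the owner, group and mode the commands above set. The expected names and the 0770 mode are copied from those commands; audit_dir takes numeric ids so it can also be pointed at a test directory.

```python
"""Audit the directories Step 2 creates for Caddy (added example, not from the tutorial)."""
import grp
import os
import pwd
import stat

# Expected layout, taken from the chown/chmod commands in Step 2.
# Only /etc/ssl/caddy gets an explicit mode (0770); the others keep the default.
EXPECTED_LAYOUT = {
    "/etc/caddy": ("root", "www-data", None),
    "/etc/ssl/caddy": ("www-data", "root", 0o770),
    "/var/www": ("www-data", "www-data", None),
}


def resolve_ids(owner, group):
    """Map account names to numeric ids; None when the account does not exist."""
    try:
        uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        uid = None
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = None
    return uid, gid


def audit_dir(path, uid, gid, mode=None):
    """Return a list of findings for one directory; an empty list means it matches."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: not a directory")
    if st.st_uid != uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {gid}")
    perm = stat.S_IMODE(st.st_mode)
    if mode is not None and perm != mode:
        findings.append(f"{path}: mode {perm:04o}, expected {mode:04o}")
    if perm & stat.S_IWOTH:
        # Never acceptable for config, keys or the web root: anyone could alter them.
        findings.append(f"{path}: world-writable")
    return findings


def audit_layout(layout=EXPECTED_LAYOUT):
    """Audit every directory in the layout and return all findings in one list."""
    findings = []
    for path, (owner, group, mode) in layout.items():
        uid, gid = resolve_ids(owner, group)
        findings.extend(audit_dir(path, uid, gid, mode))
    return findings
```

Running audit_layout() on the server prints nothing to fix when the directories match; a missing www-data account shows up as owner or group mismatches.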


Step 3 — Installing Caddy as a System Service

While Caddy does not install itself as a service, the project provides an official systemd unit file. This file does assume the directory structure we set up in the previous step, so make sure your configuration matches.

Download the file from the official Caddy repository. The additional -o parameter to the curl command will save the file in the /etc/systemd/system/ directory and make it visible to systemd.

$ sudo curl -s https://raw.githubusercontent.com/mholt/caddy/master/dist/init/linux-systemd/caddy.service -o /etc/systemd/system/caddy.service

Make systemd aware of the new service file.

$ sudo systemctl daemon-reload

Then, enable Caddy to run on boot.

$ sudo systemctl enable caddy.service

You can verify that the service has been properly loaded and enabled to start on boot by checking its status.

$ sudo systemctl status caddy.service

The output should look as follows:

Caddy service status output:
● caddy.service - Caddy HTTP/2 web server
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: https://caddyserver.com/docs

Specifically, it says that the service is loaded and enabled, but it is not yet running. We will not start the server just yet because the configuration is still incomplete.

You have now configured Caddy as a system service which will start automatically on boot without the need to run it manually. Next, we'll allow web traffic through the firewall.


Step 4 — Allowing HTTP and HTTPS Connections

Because Caddy wasn't installed using APT (Ubuntu's package manager), UFW has no application profile for it and no way to know which rules it needs. We'll add those rules manually here.

Caddy serves websites using HTTP and HTTPS protocols, so we need to allow access to the appropriate ports in order to make Caddy available from the internet.

$ sudo ufw allow http
$ sudo ufw allow https

Both commands, when run, will output the following success messages:

UFW output:
Rule added
Rule added (v6)

This will allow Caddy to serve websites to the visitors freely. In the next step, we will create a sample web page and update the Caddyfile to serve it in order to test the Caddy installation.


Step 5 — Creating a Test Web Page and a Caddyfile

Let's start by creating a very simple HTML page which will display a plain Hello World! message. This command will create an index.html file in the website directory we created earlier with just the one line of text, Hello World!, inside.

$ echo 'Hello World!' | sudo tee /var/www/index.html

Next, we'll fill out the Caddyfile. The Caddyfile, in its simplest form, consists of one or more server blocks which each define the configuration for a single website. A server block starts with an address definition and is followed by curly braces. Inside the curly braces, you can include configuration directives to apply to that website.

An address definition is specified in the form protocol://host:port. Caddy will assume some defaults by itself if you leave some fields blank. For example, if you specify the protocol but not the port, the latter will be automatically derived (i.e. port 80 is assumed for HTTP, and port 443 is assumed for HTTPS). The rules governing the address format are described in-depth in the official Caddyfile documentation.

Open the Caddyfile you created in Step 2 using nano or your favorite text editor.

$ sudo nano /etc/caddy/Caddyfile

Paste in the following contents:

http:// {
    root /var/www
    gzip
}

Then save the file and exit. Let's explain what this specific Caddyfile does.

Here, we're using http:// for the address definition. This tells Caddy it should bind to port 80 and serve all requests using plain HTTP protocol (without TLS encryption), regardless of the domain name used to connect to the server. This will allow you to access the websites Caddy is hosting using your server's IP address.

Inside the curly braces of our server block, there are two directives:

  • The root directive tells Caddy where the website files are located. In our example, it's /var/www, where we created the test page.
  • The gzip directive tells Caddy to use Gzip compression to make the website faster. It does not need additional configuration.

Once the configuration file is ready, start the Caddy service.

$ sudo systemctl start caddy

We can now test whether the website works. For this, use your server's public IP address. If you do not know your server's IP address, you can get it with curl -4 icanhazip.com. Once you have it, visit http://your_server_ip in your favorite browser to see the Hello World! website.

This means your Caddy installation is working correctly. In the next step, you will enable a secure connection to your website with Caddy's automatic TLS support.


Step 6 — Configuring Automatic TLS

One of the main features that distinguishes Caddy from other web servers is its ability to automatically request and renew TLS certificates from Let's Encrypt, a free certificate authority (CA). In addition, setting Caddy up to automatically serve websites over a secure connection only requires a one-line change in the Caddyfile.

Caddy takes care of enabling secure HTTPS connections for all configured server blocks and obtaining the necessary certificates automatically, assuming the server block configuration meets some requirements.

In order for TLS to work, the following requirements must be met:

  • Caddy must be able to bind itself to port 443 for HTTPS, and the same port must be accessible from the internet.
  • The protocol must not be set to HTTP, the port must not be set to 80, and TLS must not be explicitly turned off or overridden with other settings (e.g. with the tls directive in the server block).
  • The hostname must be a valid domain name; it must not be empty or set to localhost or an IP address. This is necessary because Let's Encrypt can only issue certificates for valid domain names.
  • Caddy must know the email address that can be used for key recovery with Let's Encrypt.

If you've been following this tutorial, the first requirement is already met. However, the current server block address is configured simply as http://, defining a plain HTTP scheme with no encryption and no domain name. We have also not provided Caddy with an e-mail address, which Let's Encrypt requires when requesting a certificate. If the address is not supplied in the configuration, Caddy asks for it during startup. However, because Caddy is installed as a system service, it cannot ask questions during startup, and as a result it will not start properly at all.
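As an added example, not code from the tutorial or from the Caddy project, the following Python checker parses server blocks in the form described in Step 5 and reports which of the automatic-TLS requirements listed above a block fails. The address parser and the requirement checks are my reading of the rules on this page, not Caddy's own validation logic.

```python
"""Check Caddyfile server blocks against the tutorial's automatic-TLS requirements."""
import ipaddress
import re

# protocol://host:port, every part optional (the address form described in Step 5).
_ADDR_RE = re.compile(r"^(?:(?P<scheme>https?)://)?(?P<host>[^:/]*)(?::(?P<port>\d+))?$")


def parse_address(address):
    """Split an address into (scheme, host, port); absent parts are None."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"unrecognised address: {address!r}")
    port = m.group("port")
    return m.group("scheme"), m.group("host") or None, int(port) if port else None


def parse_caddyfile(text):
    """Return [(address, {directive: argument string})] for each server block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # "example.com {" opens a block
            current = (line[:-1].strip(), {})
            blocks.append(current)
        elif line == "}":
            current = None
        elif current is not None:            # "root /var/www" -> root: /var/www
            name, _, arg = line.partition(" ")
            current[1][name] = arg.strip()
    return blocks


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def auto_tls_problems(address, directives):
    """List the unmet requirements; an empty list means Caddy will obtain a cert."""
    scheme, host, port = parse_address(address)
    problems = []
    if scheme == "http":
        problems.append("scheme is http")
    if port == 80:
        problems.append("port is 80")
    if not host or host == "localhost" or _is_ip(host):
        problems.append("host is not a domain name")
    tls = directives.get("tls", "")
    if tls == "off":
        problems.append("tls is turned off")
    elif len(tls.split()) == 2:
        problems.append("tls overridden with a manual certificate and key")
    elif "@" not in tls:
        problems.append("no email address for Let's Encrypt")
    return problems
```

Run against the Step 5 Caddyfile it reports three problems (http scheme, no domain name, no email); the Step 6 version with example.com and tls sammy@example.com reports none.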

To fix this, open the Caddyfile for editing again.

$ sudo nano /etc/caddy/Caddyfile

First, replace the address definition of http:// with your domain. This removes the insecure connection forced by HTTP and provides a domain name for the TLS certificate. Second, provide Caddy with an email address using the tls directive inside the server block.

The modified Caddyfile should look as follows, with your domain and email address substituted in:

example.com {
    root /var/www
    gzip
    tls sammy@example.com
}

Save the file and exit the editor. To apply the changes, restart Caddy.

$ sudo systemctl restart caddy

Now direct your browser to https://example.com to verify that the changes were applied correctly. If so, you should once again see the Hello World! page. This time you can check that the website is served over HTTPS by looking at the URL or for a lock symbol in the URL bar.


Conclusion

You have now configured Caddy to properly serve your website over a secure TLS connection. It will automatically obtain and renew certificates from Let's Encrypt, serve your site over a secure connection using the newer HTTP/2 protocol, and reduce loading time by using gzip compression.

This is a simple example to get started with Caddy. You can read more about Caddy's unique features and configuration directives for the Caddyfile in the official Caddy documentation.
