作者: ken

Caddyfile 的四種使用情境

No Comments

共用的設定

  • 本地端的 8080 port 規劃上做為基本測試用。文件路徑設定在 /var/web/html
  • 本地端的 8081 port,就用作 phpmyadmin 的管理頁
  • 所以建議每一種 Caddyfile 都可加入這兩個區塊
  • 另外,筆者有 waterfalls.ddns.net 及 wearbiz.ddns.net 兩支 hostname,故至少會有這兩個區塊;透過不同的 hostname 及可以不同的 document root 來彈性化內容存取。
# for general purpose tests
localhost:8080 {
    tls off
    root /var/web/html

    #log /var/log/caddy/test_access.log
    #errors /var/log/caddy/test_errors.log

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php
}


# for phpmyadmin
localhost:8081 {
    tls off
    root /var/web/dbadmin

    #log /var/log/caddy/dbadmin_access.log
    #errors /var/log/caddy/dbadmin_errors.log

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php
}

情境一:本機架設 caddy web server 且啟用 TLS 認證

  • 請留意,TLS someone@gmail.com,須改成您個人的 email address
  • 建議在確認 TLS 成功之前,先把這一子區段,#{ ca https://acme-staging-v02.api.letsencrypt.org/directory } 的井字號拿掉,則會有更多次的失敗重試機會。否則,一直試失敗最終會被暫時停用 TLS 認證。(但應是一次就成功了,筆者都測過了)
# http redirects to https for both waterfalls and wearbiz
https://waterfalls.ddns.net, http://wearbiz.ddns.net {
    redir https://{host}{uri}
}


# for wordpress, waterfalls, root is ./wordpress
# TLS ON
https://waterfalls.ddns.net {

    # suggest to uncomment for staging tests before official use
    tls someone@gmail.com    #{
        #ca https://acme-staging-v02.api.letsencrypt.org/directory
    #}

    #log /var/log/caddy/waterfalls_access.log
    #errors /var/log/caddy/waterfalls_errors.log

    root /var/web/wordpress

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php

    # Prevent malicious PHP uploads from running
    rewrite {
        r /uploads\/(.*)\.php
        to /
    }
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?{query}
    }
}


# for wordpress, wearbiz, root is ./wp
# TLS ON
https://wearbiz.ddns.net {

    # suggest to uncomment for staging tests before official use
    tls someone@gmail.com    #{
        #ca https://acme-staging-v02.api.letsencrypt.org/directory
    #}

    #log /var/log/caddy/wearbiz_access.log
    #errors /var/log/caddy/wearbiz_errors.log

    root /var/web/wp

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php

    # Prevent malicious PHP uploads from running
    rewrite {
        r /uploads\/(.*)\.php
        to /
    }
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?{query}
    }
}

情境二:VM 單純提供內容,故本機必須是 TLS on reverse proxy

  • VM 架設了 caddy web server,關閉 TLS 認證,只單純做內容存取
  • 本機就必須有 TLS 認證,故必須架設 caddy web server 用來當 reverse proxy,由它來提供 TLS
  • VM 的 port forwarding 分別是 1025 <–> 80,1026 <–> 443
  • 請留意,TLS someone@gmail.com,須改成您個人的 email address
  • 建議在確認 TLS 成功之前,先把這一子區段,#{ ca https://acme-staging-v02.api.letsencrypt.org/directory } 的井字號拿掉,則會有更多次的失敗重試機會。否則,一直試失敗最終會被暫時停用 TLS 認證。(但應是一次就成功了,筆者都測過了)

本機端

# locally mapping/redirect 80 port to 1025 port
# for waterfalls & wearbiz
https://waterfalls.ddns.net, http://wearbiz.ddns.net {
    #log /var/log/caddy/proxy80_access.log
    #errors /var/log/caddy/proxy80_errors.log

    proxy / http://localhost:1025 {
        transparent
    }
}


# locally mapping/redirect 443 port to 1026 port
# for waterfalls & wearbiz
# TLS ON
https://waterfalls.ddns.net, https://wearbiz.ddns.net {
    #log /var/log/caddy/proxy443_access.log
    #errors /var/log/caddy/proxy443_errors.log

    # suggest to uncomment for staging tests before official use
    tls someone@gmail.com    #{
        #ca https://acme-staging-v02.api.letsencrypt.org/directory
    #}

    proxy / http://localhost:1026 {
        insecure_skip_verify
        transparent
    }
}

VM 端

# for wordpress, waterfalls, root is ./wordpress
# no TLS
https://waterfalls.ddns.net, https://waterfalls.ddns.net {

    tls off
    root /var/web/wordpress

    #log /var/log/caddy/waterfalls_access.log
    #errors /var/log/caddy/waterfalls_errors.log

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php

    # Prevent malicious PHP uploads from running
    rewrite {
        r /uploads\/(.*)\.php
        to /
    }
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?{query}
    }
}


# for wordpress, wearbiz, root is ./wp
# no TLS
http://wearbiz.ddns.net, https://wearbiz.ddns.net {

    tls off
    root /var/web/wp

    #log /var/log/caddy/wearbiz_access.log
    #errors /var/log/caddy/wearbiz_errors.log

    # PHP-FPM Configuration for Caddy
    fastcgi / /run/php/php7.3-fpm.sock php

    # Prevent malicious PHP uploads from running
    rewrite {
        r /uploads\/(.*)\.php
        to /
    }
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?{query}
    }
}

情境三:VM 提供內容且啟用 TLS 認證,故本機必須是單純的 redirect(v) 或 caddy reverse proxy

  • VM 架設了啟用 TLS 認證的 caddy web server
  • 本機的方法之一是做本地端的埠映射,從 localhost port A redirect to localhost port B
  • 來源埠必須未被佔用(即例如須停用本機的 web server),下達以下二行命令
  • 本機端:
  • sudo socat TCP4-LISTEN:80,fork TCP4:localhost:1025 &
  • sudo socat TCP4-LISTEN:443,fork TCP4:localhost:1026 &
  • VM 的 port forwarding 分別是 1025 <–> 80,1026 <–> 443
  • 請留意,TLS someone@gmail.com,須改成您個人的 email address
  • 建議在確認 TLS 成功之前,先把這一子區段,#{ ca https://acme-staging-v02.api.letsencrypt.org/directory } 的井字號拿掉,則會有更多次的失敗重試機會。否則,一直試失敗最終會被暫時停用 TLS 認證。(但應是一次就成功了,筆者都測過了)

VM 端

# 同情境一

情境四:VM 提供內容且啟用 TLS 認證,故本機必須是單純的 redirect 或 caddy reverse proxy(v)

  • VM 架設了啟用 TLS 認證的 caddy web server
  • 本機的方法之二是 caddy web server 做為單純的 reverse proxy
  • VM 端:
  • 同情境一
  • VM 的 port forwarding 分別是 1025 <–> 80,1026 <–> 443
  • 請留意,TLS someone@gmail.com,須改成您個人的 email address
  • 建議在確認 TLS 成功之前,先把這一子區段,#{ ca https://acme-staging-v02.api.letsencrypt.org/directory } 的井字號拿掉,則會有更多次的失敗重試機會。否則,一直試失敗最終會被暫時停用 TLS 認證。(但應是一次就成功了,筆者都測過了)
  • 不幸地,此情境失敗待解 XD

主機端

https://waterfalls.ddns.net {
    proxy / http://localhost:1025 {
        transparent
    }
}


https://waterfalls.ddns.net {

    tls off

    #tls someone@gmail.com {
        #ca https://acme-staging-v02.api.letsencrypt.org/directory
    #}

    proxy / http://localhost:1026 {
        insecure_skip_verify
        transparent
    }
}

後記

  • 非常重要:
  • wordpress 自己也會有 redirect 導向行為。因此在配置完 Caddyfile 後測試,務必先只以簡單的 php 檔案做為存取目的。例如,http(s)://waterfalls.ddns.net/phpinfo.php。否則,莫明的錯誤發生機會相當高。唯有嘗試簡單的目的檔案,對就對錯就錯。
  • Caddy 會自動産生記錄檔。但因權限的出入,或許記錄檔會需使用者自建,就不再詳述。例如:sudo mkdir /var/log/caddy; sudo touch mylog.log; sudo chown www-data mylog.log
  • 筆者重度使用 all-in-one wp migration。當從備份做還原時,它會將 http://hostname 或與其相關的屬於使用者的資料做搜尋與取代,因此有些不需要變更的也被改掉了,例如本文的 Caddyfile 內容中的網址形式。因此,請使用者依據內容來判斷該使用什麼形式的,筆者希望一點就通。此外,筆者也已在該章節的最後做提醒可用短代碼來避免,但單看短代碼外掛的效力如何。筆者所使用的,並無法套用到“程式碼區塊”而若 wp migration 也會修改到該區塊,那也只能靠讀者判斷了。

Categories: 架設網站

Tags:

PHP Code Snippets Powered By : XYZScripts.com