Shared settings
- Local port 8080 is reserved for basic tests. Its document root is /var/web/html
- Local port 8081 serves the phpMyAdmin management page
- Every Caddyfile variant below can therefore include these two blocks
- The author also owns two hostnames, waterfalls.ddns.net and wearbiz.ddns.net, so there are at least two more site blocks; different hostnames, each with its own document root, keep content access flexible.
# for general purpose tests
localhost:8080 {
tls off
root /var/web/html
#log /var/log/caddy/test_access.log
#errors /var/log/caddy/test_errors.log
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
}
# for phpmyadmin
localhost:8081 {
tls off
root /var/web/dbadmin
#log /var/log/caddy/dbadmin_access.log
#errors /var/log/caddy/dbadmin_errors.log
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
}
Scenario 1: Caddy web server on the local machine with TLS enabled
- Note: in tls someone@gmail.com, replace someone@gmail.com with your own email address
- Until TLS issuance has been confirmed to work, remove the # signs in front of the #{ ca https://acme-staging-v02.api.letsencrypt.org/directory } sub-block so that certificates are requested from the Let's Encrypt staging CA, which tolerates far more failed attempts. Against the production CA, repeated validation failures hit its rate limit and issuance is blocked for a while. Staging certificates are not trusted by browsers, so comment the sub-block out again once a certificate has been obtained. (It should succeed on the first try though; the author has tested all of these.)
# http redirects to https for both waterfalls and wearbiz
# (both addresses must be http://: an https:// address here would redirect to itself
#  and clash with the https:// site block for the same name below)
http://waterfalls.ddns.net, http://wearbiz.ddns.net {
redir https://{host}{uri}
}
# for wordpress, waterfalls, root is ./wordpress
# TLS ON
https://waterfalls.ddns.net {
# suggest to uncomment for staging tests before official use
tls someone@gmail.com #{
#ca https://acme-staging-v02.api.letsencrypt.org/directory
#}
#log /var/log/caddy/waterfalls_access.log
#errors /var/log/caddy/waterfalls_errors.log
root /var/web/wordpress
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
# Prevent malicious PHP uploads from running:
# any request path containing uploads/<name>.php is rewritten to / and never reaches PHP-FPM
rewrite {
r /uploads\/(.*)\.php
to /
}
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?{query}
}
}
# for wordpress, wearbiz, root is ./wp
# TLS ON
https://wearbiz.ddns.net {
# suggest to uncomment for staging tests before official use
tls someone@gmail.com #{
#ca https://acme-staging-v02.api.letsencrypt.org/directory
#}
#log /var/log/caddy/wearbiz_access.log
#errors /var/log/caddy/wearbiz_errors.log
root /var/web/wp
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
# Prevent malicious PHP uploads from running:
# any request path containing uploads/<name>.php is rewritten to / and never reaches PHP-FPM
rewrite {
r /uploads\/(.*)\.php
to /
}
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?{query}
}
}
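The two rewrite blocks in the WordPress site blocks above are easy to misread, so here is an added shell model of them (example code written for this page, not part of the original Caddyfile or of Caddy itself). It assumes Caddy v1 semantics: "r" is an unanchored Go regexp, "to" serves the first candidate that exists under the site root and falls back to the last one, and the first matching rewrite rule decides the outcome. The miniature WordPress tree it builds under mktemp is constructed for the demonstration only.

```sh
#!/bin/sh
# Added example: a shell model of the two "rewrite" blocks from the Caddyfile.
# Assumption: Caddy v1 semantics (unanchored "r" regexp, "to" picks the first
# candidate that exists on disk, first matching rule wins).

# Rule 1:  rewrite { r /uploads\/(.*)\.php  to / }
# Any request path containing "uploads/<something>.php" is rewritten to "/".
# The match is case-sensitive and unanchored, exactly like the Caddy rule.
upload_php_blocked() {
  printf '%s\n' "$1" | grep -Eq '/uploads/(.*)\.php'
}

# Rule 2:  rewrite { if {path} not_match ^\/wp-admin  to {path} {path}/ /index.php?{query} }
# Outside /wp-admin: serve the file if it exists, the directory if that exists,
# otherwise hand the request to WordPress' front controller with the query kept.
front_controller() {
  docroot=$1; path=$2; query=$3
  case $path in
    /wp-admin*) printf '%s\n' "$path"; return ;;
  esac
  if [ -f "$docroot$path" ]; then
    printf '%s\n' "$path"
  elif [ -d "$docroot$path" ]; then
    printf '%s/\n' "$path"
  else
    printf '/index.php?%s\n' "$query"
  fi
}

# Both rules applied in Caddyfile order: the upload guard runs first.
request_target() {
  if upload_php_blocked "$2"; then
    printf '/\n'
  else
    front_controller "$1" "$2" "$3"
  fi
}

# Constructed miniature WordPress tree so the rules can be exercised offline.
make_demo_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
  : > "$d/index.php"
  : > "$d/wp-login.php"
  : > "$d/wp-content/uploads/shell.php"
  printf '%s\n' "$d"
}

# Usage:
#   d=$(make_demo_docroot)
#   request_target "$d" /wp-content/uploads/shell.php ""   # -> /
#   request_target "$d" /hello-world/ "p=1"                # -> /index.php?p=1
#   rm -rf "$d"
```

Two things the model makes visible: the upload guard only covers lowercase ".php", which is consistent with the fastcgi ... php preset handing only .php URIs to PHP-FPM, and because the regexp is unanchored a name such as shell.php.txt under uploads/ is rewritten as well, which is harmless.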
Scenario 2: the VM only serves content, so the local machine must be a TLS-terminating reverse proxy
- The VM runs a Caddy web server with TLS turned off and simply serves the content
- TLS then has to live on the local machine, so it runs a Caddy web server as a reverse proxy and provides TLS
- VM port forwarding: host port 1025 -> guest port 80, host port 1026 -> guest port 443
- Note: in tls someone@gmail.com, replace someone@gmail.com with your own email address
- As in scenario 1, remove the # signs in front of the #{ ca https://acme-staging-v02.api.letsencrypt.org/directory } sub-block until issuance is confirmed to work, so failed attempts go to the staging CA instead of counting against the production rate limit; comment it out again afterwards. (It should succeed on the first try though; the author has tested all of these.)
Host side
# local port 80 is proxied to port 1025, i.e. the VM's port 80
# for waterfalls & wearbiz; this block handles plain HTTP only, so both addresses must be http://
http://waterfalls.ddns.net, http://wearbiz.ddns.net {
#log /var/log/caddy/proxy80_access.log
#errors /var/log/caddy/proxy80_errors.log
proxy / http://localhost:1025 {
transparent
}
}
# local port 443 is proxied to port 1026, i.e. the VM's port 443
# for waterfalls & wearbiz
# TLS ON: the certificate lives here, the VM behind it only sees plain HTTP
https://waterfalls.ddns.net, https://wearbiz.ddns.net {
#log /var/log/caddy/proxy443_access.log
#errors /var/log/caddy/proxy443_errors.log
# suggest to uncomment for staging tests before official use
tls someone@gmail.com #{
#ca https://acme-staging-v02.api.letsencrypt.org/directory
#}
# the VM runs tls off, so the upstream is plain HTTP on 1026;
# insecure_skip_verify only applies to an https:// upstream and is not needed here
proxy / http://localhost:1026 {
transparent
}
}
VM side
# for wordpress, waterfalls, root is ./wordpress
# no TLS: plain HTTP on both 80 and 443, the host proxy terminates TLS
# (list http:// and https:// of the name, never the same address twice: Caddy rejects duplicate site addresses)
http://waterfalls.ddns.net, https://waterfalls.ddns.net {
tls off
root /var/web/wordpress
#log /var/log/caddy/waterfalls_access.log
#errors /var/log/caddy/waterfalls_errors.log
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
# Prevent malicious PHP uploads from running
rewrite {
r /uploads\/(.*)\.php
to /
}
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?{query}
}
}
# for wordpress, wearbiz, root is ./wp
# no TLS
http://wearbiz.ddns.net, https://wearbiz.ddns.net {
tls off
root /var/web/wp
#log /var/log/caddy/wearbiz_access.log
#errors /var/log/caddy/wearbiz_errors.log
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.3-fpm.sock php
# Prevent malicious PHP uploads from running
rewrite {
r /uploads\/(.*)\.php
to /
}
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?{query}
}
}
Scenario 3: the VM serves content with TLS enabled, so the local machine is either a plain port redirect (v) or a Caddy reverse proxy; (v) marks the method used in this scenario
- The VM runs a Caddy web server with TLS enabled
- Method one on the local machine is local port mapping: redirect localhost port A to localhost port B
- The source ports must be free (e.g. stop the local web server first), then run the following two commands
- Host side:
- sudo socat TCP4-LISTEN:80,fork TCP4:localhost:1025 &
- sudo socat TCP4-LISTEN:443,fork TCP4:localhost:1026 &
- socat relays raw TCP, so the TLS handshake passes through untouched and is completed by the VM; both forwards are needed, port 80 for the http to https redirect and for the VM's ACME HTTP-01 validation, port 443 for the TLS traffic itself
- VM port forwarding: host port 1025 -> guest port 80, host port 1026 -> guest port 443
- Note: in tls someone@gmail.com, replace someone@gmail.com with your own email address
- As in scenario 1, remove the # signs in front of the #{ ca https://acme-staging-v02.api.letsencrypt.org/directory } sub-block until issuance is confirmed to work, then comment it out again. (It should succeed on the first try though; the author has tested all of these.)
VM side
# same as scenario 1
Scenario 4: the VM serves content with TLS enabled, so the local machine is either a plain port redirect or a Caddy reverse proxy (v); (v) marks the method used in this scenario
- The VM runs a Caddy web server with TLS enabled
- Method two on the local machine is a Caddy web server acting purely as a reverse proxy
- VM side:
- same as scenario 1
- VM port forwarding: host port 1025 -> guest port 80, host port 1026 -> guest port 443
- Note: in tls someone@gmail.com, replace someone@gmail.com with your own email address
- As in scenario 1, remove the # signs in front of the #{ ca https://acme-staging-v02.api.letsencrypt.org/directory } sub-block until issuance is confirmed to work, then comment it out again. (It should succeed on the first try though; the author has tested all of these.)
- Unfortunately, this scenario fails and is still unresolved XD
- The failure is structural rather than a typo. Caddy's proxy directive is an HTTP reverse proxy, not a TCP relay: with tls off the host accepts plaintext on 443 and forwards plaintext HTTP to localhost:1026, where the VM's listener expects a TLS handshake, so the connection cannot succeed. As written, the two host blocks also use the same address https://waterfalls.ddns.net twice, which Caddy rejects as a duplicate site address (the first block has to be http://). A Caddy proxy on the host only works when the host terminates TLS itself, as in scenario 2; to keep the certificate on the VM, use the socat forwarding of scenario 3.
Host side
# port 80: plain HTTP proxied to 1025 (the VM's port 80); the address must be http://
http://waterfalls.ddns.net {
proxy / http://localhost:1025 {
transparent
}
}
# port 443: this is the part that does not work. tls off makes the host speak plain
# HTTP on 443, and the proxy sends plain HTTP to 1026 where the VM expects a TLS
# handshake; Caddy's proxy cannot relay the TLS stream untouched.
https://waterfalls.ddns.net {
tls off
#tls someone@gmail.com {
#ca https://acme-staging-v02.api.letsencrypt.org/directory
#}
proxy / http://localhost:1026 {
insecure_skip_verify
transparent
}
}
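Two slips are easy to make when site blocks are copied between the scenarios above: listing the same site address twice (Caddy refuses to start with a duplicate site address) and putting an https:// address into the http-to-https redirect block (the block then redirects to itself). The following added shell check catches both in a Caddy v1 Caddyfile before it is loaded; it is example code written for this page, not a Caddy feature, and the sample Caddyfile embedded in it is constructed to show the two slips. It assumes one comma-separated address list per site-block header line ending in "{", "#" comments as used on this page, and only inspects top-level blocks.

```sh
#!/bin/sh
# Added example: a small lint for Caddy v1 Caddyfiles.
#   DUP  <addr>  - the same site address appears in more than one place
#   LOOP <addr>  - an https:// address in a block whose body is "redir https://..."
# Assumptions: headers are single lines ending in "{", comments start with "#".

# Constructed sample reproducing both slips (not a real deployment file).
SAMPLE_CADDYFILE='# http -> https redirect, but the first address is already https
https://waterfalls.ddns.net, http://wearbiz.ddns.net {
    redir https://{host}{uri}
}
# same address listed twice; should be http:// then https://
https://waterfalls.ddns.net, https://waterfalls.ddns.net {
    tls off
    root /var/web/wordpress
}
https://wearbiz.ddns.net {
    tls someone@gmail.com #{
    #ca https://acme-staging-v02.api.letsencrypt.org/directory
    #}
    root /var/web/wp
}'

# The same layout with both slips fixed; the lint prints nothing for it.
CLEAN_CADDYFILE='http://waterfalls.ddns.net, http://wearbiz.ddns.net {
    redir https://{host}{uri}
}
https://waterfalls.ddns.net {
    root /var/web/wordpress
}
https://wearbiz.ddns.net {
    root /var/web/wp
}'

# caddyfile_lint "<caddyfile text>"  -> one DUP/LOOP line per finding
caddyfile_lint() {
  printf '%s\n' "$1" | awk '
    {
      line = $0
      sub(/^[ \t]*#.*/, "", line)          # full-line comment
      sub(/[ \t]#.*/, "", line)            # trailing comment such as "#{"
      if (depth == 0 && line ~ /\{[ \t]*$/) {
        hdr = line
        sub(/[ \t]*\{[ \t]*$/, "", hdr)
        nblocks++
        count[nblocks] = 0
        n = split(hdr, parts, ",")
        for (i = 1; i <= n; i++) {
          a = parts[i]
          gsub(/^[ \t]+|[ \t]+$/, "", a)
          if (a == "") continue
          count[nblocks]++
          addr[nblocks, count[nblocks]] = a
          seen[a]++
        }
      } else if (depth > 0 && line ~ /^[ \t]*redir[ \t]+https:\/\//) {
        redirects[nblocks] = 1
      }
      # track brace depth; {host}{uri} style placeholders are balanced
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (c == "{") depth++
        else if (c == "}") depth--
      }
    }
    END {
      for (b = 1; b <= nblocks; b++)
        for (i = 1; i <= count[b]; i++) {
          a = addr[b, i]
          if (seen[a] > 1 && !(a in reported)) { print "DUP " a; reported[a] = 1 }
          if (redirects[b] && a ~ /^https:\/\//) print "LOOP " a
        }
    }'
}

# Usage:
#   caddyfile_lint "$SAMPLE_CADDYFILE"                 # DUP + LOOP for waterfalls
#   caddyfile_lint "$(cat /etc/caddy/Caddyfile)"       # check a real file
```

Run it against the Caddyfile of whichever machine you are editing; an empty result means the file is free of both slips, and any DUP line would otherwise stop Caddy from starting at all.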
Afterword
- Very important:
- WordPress performs redirects of its own. After configuring a Caddyfile, therefore, test first with a simple PHP file as the target only, for example http(s)://waterfalls.ddns.net/phpinfo.php; otherwise baffling errors are very likely, whereas with a simple target file right is right and wrong is wrong. Behind the TLS-terminating proxy of scenario 2, WordPress on the VM sees plain HTTP unless it is told to honour the X-Forwarded-Proto header that Caddy's transparent preset adds, and its own redirect to the https site URL then loops. Remove a test phpinfo.php afterwards, since it discloses the server configuration.
- Caddy creates log files automatically, but permission mismatches may require the user to create them by hand; this is not covered in detail here. For example: sudo mkdir -p /var/log/caddy; sudo touch /var/log/caddy/mylog.log; sudo chown www-data /var/log/caddy/mylog.log (use the account Caddy actually runs as)
- The author is a heavy user of All-in-One WP Migration. When restoring from a backup it searches for http://hostname and related user-specific data and replaces them, so some things that should not change get changed too, such as the URL forms inside the Caddyfile contents of this article. Readers should therefore judge from the context which form is meant; the author hopes this is obvious at a glance. A reminder was also added at the end of that section that a shortcode can avoid this, but that depends on how effective the shortcode plugin is. The one the author uses cannot be applied to "code blocks", and if WP Migration also modifies those blocks, it is again up to the reader's judgement.