Caddy2 with Cloudflare CDN (end-to-end encryption)
Cloudflare settings
dashboard -> profile -> API Tokens -> Create API Token -> Create Custom Token
- name the token
- Permissions -> Zone -> Zone: Read, DNS: Edit, Analytics: Read
- Zone Resources -> Specific zone -> your site domain
- do NOT use the Global API Key (it grants full account access; a token scoped to one zone with only the permissions above is all the DNS challenge needs)
dashboard -> site domain -> DNS and SSL/TLS
- add an A record for the site
- encryption mode: Full (strict)
- enable Always Use HTTPS
Caddy installation
pick one of two:

build from source: https://github.com/caddyserver/xcaddy#readme

```shell
xcaddy build --with github.com/caddy-dns/cloudflare
```

quick install and replace: apt install

```shell
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update -y
sudo apt install caddy -y
```

then download a build that includes the `dns.providers.cloudflare` plugin from https://caddyserver.com/download and replace the quick-installed binary at `/usr/bin/caddy` with it

verify that the `dns.providers.cloudflare` module is present in the binary:

```shell
./caddy list-modules | grep dns
```
Caddyfile
Enable the ACME DNS-01 challenge for the domain managed on Cloudflare, authenticating with the API token created above.
Here's my Caddyfile:

```caddyfile
star.us.org:443 {
```
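A complete Caddyfile for the DNS-01 setup this section describes, added here as an example and not the post's own file. It assumes the site name `star.us.org` from the fragment above, that the scoped Cloudflare API token is handed to the caddy process in the environment variable `CLOUDFLARE_API_TOKEN` (the variable name is an assumption), and an upstream application listening on `127.0.0.1:8080`.

```caddyfile
# Added example, not the original post's Caddyfile.
# Assumes: site star.us.org (from the fragment above), the scoped Cloudflare API
# token in the environment variable CLOUDFLARE_API_TOKEN (Zone:Read + DNS:Edit,
# never the Global API Key), and an upstream app on 127.0.0.1:8080.
{
    # ACME account contact; expiry and revocation notices from the CA go here
    email admin@star.us.org
}

star.us.org:443 {
    tls {
        # DNS-01 challenge through the dns.providers.cloudflare module.
        # The token is read from the environment so it never sits in the
        # Caddyfile or in version control.
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        # Check TXT-record propagation against Cloudflare's own resolvers rather
        # than a local split-horizon resolver that may never see the record.
        resolvers 1.1.1.1 1.0.0.1
    }

    # With Cloudflare in Full (strict) mode the edge validates this
    # publicly trusted certificate when it connects to the origin.
    reverse_proxy 127.0.0.1:8080
}
```

With the apt/systemd install, the token is set in a drop-in created by `systemctl edit caddy` (`[Service]` / `Environment=CLOUDFLARE_API_TOKEN=...`) so it is readable only by root and the caddy unit, not in the Caddyfile.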
ACME challenge types:
- HTTP-01
- DNS-01
- TLS-ALPN-01
- TLS-SNI-01 (disabled in March 2019)
Logging client IP behind a Cloudflare proxy
- https://github.com/kirsch33/realip/issues/14
- https://caddyserver.com/docs/caddyfile/options#trusted-proxies
- https://caddyserver.com/docs/caddyfile/directives/log
Note that as of Caddy v2.7, both `remote_ip` and `client_ip` are logged, where `client_ip` is the "real IP" when `trusted_proxies` is configured.
example: in global options, at the top of the Caddyfile

```caddyfile
{
```
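The global options block carried through to a working configuration, added here as an example and not taken from the original post. It assumes Caddy v2.7 or newer (for the `trusted_proxies` global option and the `client_ip` log field), the site name `star.us.org` from the earlier fragment, the API token in `CLOUDFLARE_API_TOKEN`, an upstream on `127.0.0.1:8080`, and the Cloudflare edge IP ranges as published at https://www.cloudflare.com/ips/ at the time of writing; the log file path and rolling values are constructed for the example.

```caddyfile
# Added example, not the original post's Caddyfile.
# Assumes Caddy >= 2.7, site star.us.org, token in CLOUDFLARE_API_TOKEN, and the
# Cloudflare ranges below. Re-check them against https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 before relying on them: a missing range
# means visitors through that edge are logged as the edge address, an extra
# non-Cloudflare range means forged X-Forwarded-For headers are believed.
{
    servers {
        # Forwarded-for headers are honoured only when the TCP peer is in this list.
        # A request that reaches the origin directly keeps client_ip == remote_ip,
        # so it cannot spoof its logged address with a forged header.
        trusted_proxies static 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 \
            103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 \
            188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 \
            104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 \
            2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 \
            2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
    }
}

star.us.org:443 {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    log {
        # Structured access log; each entry carries request.remote_ip (the
        # Cloudflare edge that connected) and request.client_ip (the visitor,
        # taken from the forwarded header only because the edge is trusted).
        # Query client_ip for per-visitor analysis and rate-limit decisions.
        output file /var/log/caddy/star.us.org.log {
            roll_size 50MiB
            roll_keep 10
        }
        format json
    }

    reverse_proxy 127.0.0.1:8080
}
```

The same range list is the one to use in a firewall or a `remote_ip` matcher if the origin should refuse connections that do not come through Cloudflare; without that, `trusted_proxies` only keeps the log honest, it does not stop anyone from reaching the origin directly.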
Caddy run

```shell
# let the caddy binary bind the privileged ports 80 and 443 without running as root
setcap CAP_NET_BIND_SERVICE=+eip $(which caddy)
```