Reorganized Docs. In Progress.

2026-01-02 15:48:49 +01:00 · 2024-06-27 11:08:43 +03:00 · 2024-06-27 11:08:43 +03:00 · ce89ff4833
commit ce89ff4833
parent 1961e22cbd
202 changed files with 0 additions and 0 deletions
--- a/docs/Webserver/Caddy-Webserver-Config.md
+++ b/docs/Webserver/Caddy-Webserver-Config.md
@ -0,0 +1,281 @@
+[Caddy 2 .well-known/assetlinks.json config for WeKan Android Play Store app](../PWA#fullscreen-android-app-with-caddy-and-wekan-server)
+
+## Caddy 2
+
+WeKan Snap Candidate for any Snap distros: https://github.com/wekan/wekan/wiki/OpenSuse , disable internal old Caddy 1, when using Caddy 2:
+```
+sudo snap set wekan caddy-enabled='false'
+sudo snap set wekan port='3001'
+sudo snap set wekan root-url='https://boards.example.com'
+```
+More info about root-url at https://github.com/wekan/wekan/wiki/Settings
+
+Browser needs to have only one language https://github.com/wekan/wekan/issues/4803#issuecomment-1374354425
+
+Install Caddy 2 stable release: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
+
+Like this:
+```
+sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
+
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+
+sudo apt update
+
+sudo apt -y install caddy
+```
+Edit Caddyfile:
+
+```
+sudo nano /etc/caddy/Caddyfile
+```
+
+Example:
+
+```
+# Redirecting http to https
+
+(redirect) {
+        @http {
+                protocol http
+        }
+        redir @http https://{host}{uri}
+}
+
+# WeKan board, proxy to localhost port, or IP-ADDRESS:PORT
+boards.example.com {
+        tls {
+                load /var/snap/wekan/common/certs
+                alpn http/1.1
+        }
+
+        reverse_proxy 127.0.0.1:3025
+}
+
+# Static website
+example.com {
+        tls {
+                load /var/snap/wekan/common/certs
+                alpn http/1.1
+        }
+        root * /var/websites/wekan.team
+        file_server
+}
+
+# Files download directory browse website
+files.example.com {
+        root * /var/websites/ftp.secretchronicles.org/public
+        file_server browse
+}
+```
+
+Caddy commands list:
+```
+caddy help
+```
+
+
+***
+
+[Caddy OAuth2 with Let's Encrypt SSL example](OAuth2)
+
+***
+
+## CloudFlare free wildcard SSL *start*
+
+Also works with other SSL certs.
+
+### 1) Requirements: You have changed nameservers to CloudFlare.
+
+### 2) Get CloudFlare SSL wildcard Origin Certificate
+
+Go to CloudFlare login/example.com/Crypto/Origin Certificates.
+Create and download certs for `*.example.com, example.com`
+
+### 3) Create directory /var/snap/wekan/common/certs
+```
+sudo su
+cd /var/snap/wekan/common
+mkdir certs
+cd certs
+```
+### 4) Create cert file
+Create file: `example.com.pem` with content of CloudFlare Origin Certificates.
+```
+nano example.com.pem
+```
+There add certs:
+```
+-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
+```
+
+Then Save: Ctrl-o Enter
+
+Then Exit: Ctrl-x.
+
+### 5) Set permissions rw-r--r-- to example.com.pem:
+```
+chmod 644 example.com.pem
+```
+
+### 6) Edit Caddy webserver config
+```
+sudo nano /var/snap/wekan/common/Caddyfile
+```
+There change config:
+```
+http://example.com https://example.com {
+        tls {
+            load /var/snap/wekan/common/certs
+            alpn http/1.1
+        }
+        proxy / localhost:3001 {
+          websocket
+          transparent
+        }
+}
+```
+Save: Ctrl-o Enter
+
+Exit: Ctrl-x
+
+Enable Caddy:
+```
+sudo snap set wekan caddy-enabled='true'
+sudo snap set wekan port='3001'
+sudo snap set wekan root-url='https://example.com'
+```
+
+### 7) Enable CloudFlare SSL
+
+Click CloudFlare login/example.com/DNS.
+
+Check that status of your domains have orange cloud color, so traffic goes through CloudFlare SSL.
+
+Click CloudFlare login/example.com/Page Rules.
+Set for example:
+```
+1) http://example.com/*
+Always Use HTTPS
+2) http://*.example.com/*
+Always use HTTPS
+```
+Optionally, if you want caching:
+```
+3) *example.com/*
+Cache Level: Cache Everything
+```
+## CloudFlare free wildcard SSL *end*
+
+***
+
+## Other config stuff
+
+[List of Let's Encrypt implementations](https://community.letsencrypt.org/t/list-of-client-implementations/2103)
+
+## Caddy webserver config with logs
+
+Create directory for caddy, website and logs:
+```bash
+mkdir -p ~/caddy/example.com ~/caddy/logs
+```
+
+Add this config to ~/caddy/Caddyfile
+
+There's also some extra examples.
+
+```bash
+example.com {
+        root /home/username/caddy/example.com
+        # Static website, markdown or html
+        ext .md .html
+
+        proxy /wekan 127.0.0.1:3000 {
+                websocket
+        }
+
+	log /home/username/caddy/logs/wekan-access.log {
+	    rotate {
+		size 100 # Rotate after 100 MB
+		age  7   # Keep log files for 7 days
+		keep 52  # Keep at most 52 log files
+	    }
+	}
+	errors {
+		log /home/username/caddy/logs/wekan-error.log {
+			size 100 # Rotate after 100 MB
+			age  7   # Keep log files for 7 days
+			keep 52  # Keep at most 52 log files
+		}
+	}
+}
+
+example.com/files {
+	root /home/username/files
+	# View files in directory, has sorting in browser
+	browse
+}
+```
+
+Install Caddy. Change username to what user you run caddy, like in /home/username , and Let's Encrypt email to your email adderess:
+
+```bash
+# Install caddy with some plugins
+curl https://getcaddy.com | bash -s personal http.ipfilter,http.mailout,http.ratelimit,http.realip
+```
+
+# Give permissions to caddy to bind 80 and 443
+
+```
+sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy
+```
+
+And this service file for Caddy to /etc/systemd/system/caddy@.service
+
+```bash
+; see `man systemd.unit` for configuration details
+; the man section also explains *specifiers* `%x`
+
+[Unit]
+Description=Caddy HTTP/2 web server %I
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target
+Wants=systemd-networkd-wait-online.service
+
+[Service]
+; run user and group for caddy
+User=username
+Group=username
+ExecStart=/home/username/caddy/caddy -conf=/home/username/caddy/Caddyfile -agree -email="admin@example.com"
+Restart=on-failure
+StartLimitInterval=86400
+StartLimitBurst=5
+RestartSec=10
+ExecReload=/bin/kill -USR1 $MAINPID
+; limit the number of file descriptors, see `man systemd.exec` for more limit settings
+LimitNOFILE=1048576
+LimitNPROC=64
+; create a private temp folder that is not shared with other processes
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=full
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Start caddy and enable service:
+```
+sudo systemctl daemon-reload
+sudo systemctl start caddy@username
+sudo systemctl enable caddy@username
+```