HTTP & CA
Overview
Caddy is a modern web server written in Golang. In addition to the golang static binary, it also benefits from a built-in and managed certificate authority. Essentially, caddy provides HTTPS out of the box by default. At the time of this writing there is definitely room for improvement in the security posture of the product, but its modular design, simple configuration, and security biased principles vastly outweigh its lackings.
When we setup our primary HTTP/HTTPS router (i.e. caddy), we'll be first running an initialization container to ensure certificates are generated before running the caddy service. Caddy does do this on its own, but we have a couple of things happening:
-
The certificates generated from Caddy should remain somewhat stable, regardless of configuration updates or container image updates.
-
Private certificate keys, while available to Caddy, should be kept separate in revision control for security purposes.
-
The (public) certificates generated from Caddy should be easily accessible to other nodes on our network so that we can install relevant certificates with a quick remote shell command.
The Initializer
The following docker compose yaml is the descriptor for the caddy certificate initialization (/opt/services/lab_services/services/caddy_certs_init.yml
):
services:
caddy_certs_init:
image: git.lab/lab/caddy:certs_init
container_name: caddy_certs_init
build:
#context:
dockerfile_inline: |
FROM caddy:alpine
# Execute Caddy's PKI application to create certificates.
COPY <<EOF /init-pki.sh
#!/bin/sh
# If certificates are valid, return success.
if [ -e /certs/root.key -a -e /certs/root.crt ]; then
echo "Found certificates."
exit 0
fi
echo "No certificates found, created them now."
# Start the server
caddy run &
TMP_CADDY_PID=\$!
# Wait for server to start
sleep 1
# Tell caddy to gen certs (and install them).
caddy trust
# Wait for server to create certificates
sleep 1
# Kill server
kill \$\{TMP_CADDY_PID\}
# Copy public certs to hosted folder
mkdir -p /certs
cp /data/caddy/pki/authorities/local/* /certs/
# Return success
exit 0
EOF
# Set execute perm, execute, and remove the initialize PKI script.
RUN chmod +x /init-pki.sh
CMD ["/init-pki.sh"]
network_mode: host
volumes:
- /opt/state/caddy_certs_init/:/certs
Since docker doesn't permit volume mounting during builds, we setup the initialization container so that it's default command is a script for telling caddy to setup a PKI. Once this is complete, we copy the certificate and private signing keys to a mounted volume for the real caddy service to use.
If the script detects that the certificate and key files already exist, it reports this to the console and exits to preserve the certificates that we might have already installing a a bazillion other nodes on the network.
You should build and run the caddy_certs_init
service before caddy_svc
to ensure everything has been configured correctly. Once you know its working as expected, it's recommended to let caddy_svc
run the service itself:
cd /opt/services/lab_services/services/
docker compose -f caddy_certs_init.yml build
docker compose -f caddy_certs_init up
The Caddy Service
The following docker compose yaml is the descriptor for the caddy (HTTPS) services (/opt/services/lab_services/services/caddy_svc.yml
):
services:
caddy_svc:
image: git.lab/lab/caddy:initial
depends_on:
caddy_certs_init: { condition: service_completed_successfully }
dnsmasq_svc: { condition: service_started }
container_name: caddy_svc
build:
context: ../contexts/caddy_svc
dockerfile_inline: |
FROM caddy:alpine
COPY Caddyfile /etc/caddy/Caddyfile
# Build the container entrypoint
COPY <<EOF /start-caddy.sh
#!/bin/sh
mkdir -p /public/certs
cp /data/caddy/pki/authorities/local/*.crt /public/certs
caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
EOF
RUN chmod +x /start-caddy.sh
CMD ["/start-caddy.sh"]
restart: unless-stopped
network_mode: host
volumes:
- /opt/state/caddy_svc/config:/config
- /opt/state/caddy_certs_init:/data/caddy/pki/authorities/local
This caddy service container has it's configuration file (Caddyfile
) embedded into the container image. When the container starts, it always copies the public certificates to a /public/certs
folder so that clients can easily access certificates via https://tls.lab/certs/
. The certificates are made available to the container via the /opt/state/caddy_certs_init
volume mount.
One of the key things for this container are its dependencies. This container requires that caddy_certs_init
have run, but it must no longer be running. This provides a reasonable guarantee that the certificate files will be available when the service starts and prevents caddy from regenerating new certificates. There is also a requirement for dnsmasq_svc
to be running, even though that isn't strictly required for the initial Caddyfile
that we've embedded.
To build and run the caddy_svc
service:
cd /opt/services/lab_services/services/
docker compose -f caddy_svc.yml build
docker compose -f caddy_svc.yml up -d
Configure Caddy
For the caddy configuration, we've added a few host routed endpoints. Each endpoint is going to be a localhost accessible service. (The Caddyfile
will eventually remain revision controlled and therefore can be embedded into the docker image.)
/opt/services/lab_services/contexts/caddy_svc/Caddyfile
:
https://words.lab {
tls internal
reverse_proxy http://127.0.0.1:1080 {
header_up Host {host}
header_up X-Real-IP {remote}
}
}
https://git.lab {
tls internal
reverse_proxy http://127.0.0.1:1180 {
header_up Host {host}
header_up X-Real-IP {remote}
}
}
https://www.lab {
tls internal
reverse_proxy http://127.0.0.1:1280 {
header_up Host {host}
header_up X-Real-IP {remote}
}
}
https://tls.lab {
tls internal
root * /public
file_server browse
}
Note: You can add as many services as you'd like at this point. As long as the syntax is correct, caddy should be ok with it, even if it isn't setup yet. If you attempt to visit these sites before they are setup, caddy will return a 500 error code indicating that itself can not serve you as a reverse proxy.
Install Caddy Root Certificate
-
Copy certificate out of docker-compose service and install in Linux host.
docker compose cp \
caddy_svc:/data/caddy/pki/authorities/local/root.crt \
/usr/local/share/ca-certificates/lab-root.crt \
&& sudo update-ca-certificates -
Copy certificate out of docker-compose service and install in Windows host.
docker compose cp \
caddy_svc:/data/caddy/pki/authorities/local/root.crt \
%TEMP%/lab-root.crt \
&& certutil -addstore -f "ROOT" %TEMP%/root.crt -
Copy certificate from running caddy service and install in a Linux host.
sudo curl -k https://tls.lab/certs/root.crt \
-o /usr/local/share/ca-certificates/lab-root.crt
sudo update-ca-certificates -
Copy certificate from running caddy service and install in Linux without
update-ca-certificates
:sudo wget --no-check-certificate https://tls.lab/certs/root.crt \
-O /usr/local/share/ca-certificates/lab-root.crt \
&& cat /usr/local/share/ca-certificates/lab-root.crt \
| sudo tee -a /etc/ssl/certs/ca-certificates.crt -
!! Restart docker for the update to take effect: !!
sudo systemctl restart docker
docker login -u gitea_user git.lab