
Introduction

Caddy is an emerging web server that supports HTTP/2 and automatic HTTPS. Designed with ease of use and security in mind, it lets you deploy an HTTPS-enabled site quickly from a single configuration file.

Prerequisites

  • A fresh CentOS 7 x64 server instance; we will use 203.0.113.1 as the example address.
  • A sudo user.
  • The server instance has been updated to the latest stable state using the EPEL yum repo.
  • example.com is configured to point to the 203.0.113.1 server instance.

Step 1: Install the latest stable Caddy release

On Linux, macOS, or BSD systems, use the following command to install the latest stable build for your system:


curl https://getcaddy.com | bash

When prompted, enter your sudo password to complete the installation.

Caddy will be installed to /usr/local/bin; confirm this with:

which caddy

The output should be:

/usr/local/bin/caddy

For security reasons, never run Caddy as root. To let Caddy bind to privileged ports (such as 80 and 443) as a non-root user, grant the binary the required capability with setcap:


sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

Step 2: Configure Caddy

Create a dedicated system user:


sudo useradd -r -d /var/www -M -s /sbin/nologin caddy

Note: the caddy user created here exists only to run the Caddy service; it cannot be used to log in.

Create the home directory /var/www for the Caddy server and the document root /var/www/example.com for your site:


sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www

Create a directory for storing SSL certificates:


sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy

Create a dedicated directory to store the Caddy configuration file, Caddyfile:


sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy

Create the Caddy configuration file named Caddyfile:


sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
example.com {
 root /var/www/example.com
 gzip
 tls admin@example.com
}
EOF

Note: the Caddyfile created above is only a basic configuration for serving a static website.

To make Caddy easier to operate, you can create a systemd unit file for it and then manage Caddy through systemd.

Create the Caddy systemd unit file with the vi editor:


sudo vi /etc/systemd/system/caddy.service

Populate the file with the following:


[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; ... except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Save and exit:

:wq

Start the Caddy service and enable it to start automatically at boot:


sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service
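As an added example (not part of the original tutorial), the following POSIX shell script audits a caddy.service file for the hardening directives shown above and flags any that are missing or commented out. It runs against two constructed sample units rather than the live system, so it can be tried anywhere before being pointed at /etc/systemd/system/caddy.service.

```shell
#!/bin/sh
# Audit a caddy.service unit for the hardening directives this guide relies on.
# Prints one line per directive ("ok", "commented", "MISSING") and returns 0
# only when every required directive is present and not commented out.
audit_caddy_unit() {
  unit="$1"; rc=0
  for want in 'User=caddy' 'Group=caddy' 'PrivateTmp=true' 'PrivateDevices=true' \
              'ProtectHome=true' 'ProtectSystem=full' \
              'ReadWriteDirectories=/etc/ssl/caddy' 'KillSignal=SIGQUIT'; do
    if grep -q "^$want[[:space:]]*$" "$unit"; then
      echo "ok        $want"
    elif grep -q "^[;#][[:space:]]*$want" "$unit"; then
      echo "commented $want"; rc=1          # present but disabled
    else
      echo "MISSING   $want"; rc=1
    fi
  done
  # Directives the unit leaves commented for systemd < 229: report only.
  for opt in 'CapabilityBoundingSet=CAP_NET_BIND_SERVICE' \
             'AmbientCapabilities=CAP_NET_BIND_SERVICE' 'NoNewPrivileges=true'; do
    grep -q "^$opt[[:space:]]*$" "$unit" && echo "ok        $opt (optional)" \
                                         || echo "off       $opt (optional)"
  done
  # Running as root silently undoes the setcap step, so call it out explicitly.
  grep -q '^User=root' "$unit" && { echo "FAIL      service runs as root"; rc=1; }
  return $rc
}

# Constructed samples (not real files from the host): a trimmed copy of the
# guide's unit, and a weakened variant with PrivateTmp disabled and User=root.
HARDENED=$(mktemp); WEAK=$(mktemp)
cat >"$HARDENED" <<'EOF'
[Service]
User=caddy
Group=caddy
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
KillSignal=SIGQUIT
;NoNewPrivileges=true
EOF
sed -e 's/^PrivateTmp=true/;PrivateTmp=true/' -e 's/^User=caddy/User=root/' \
    "$HARDENED" >"$WEAK"

audit_caddy_unit "$HARDENED"
echo "--- weakened unit:"
audit_caddy_unit "$WEAK" || echo "audit failed (expected for the weakened sample)"
```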

Step 3: Modify the firewall rules

To let visitors reach your Caddy site, open ports 80 and 443:


sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Step 4: Create a test page for your site

Create a file named index.html in the site's document root with the following command:


echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html

Restart the Caddy service to load the new content:


sudo systemctl restart caddy.service

Finally, point your web browser to http://example.com or https://example.com; you should see the expected message: Hello World!
