
Caddy 2:轻量级现代化反向代理

· 4 min read
Mo
Software Engineer

安装

Debian、Ubuntu、Raspbian

# Prerequisites: Debian keyring packages and HTTPS transport support for apt.
sudo apt install --yes debian-keyring debian-archive-keyring apt-transport-https

# Download the Caddy repository signing key and store it, de-armored, in its own
# keyring file instead of the global apt trust store.
# --fail makes curl exit non-zero on an HTTP error instead of piping an error page into gpg.
curl --tlsv1 --silent --location --fail 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | sudo gpg --dearmor --output /usr/share/keyrings/caddy-stable-archive-keyring.gpg

# Register the Caddy stable repository as an apt source.
curl --tlsv1 --silent --location --fail 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  | sudo tee /etc/apt/sources.list.d/caddy-stable.list

# Refresh the package index, install Caddy, then confirm the installed version.
sudo apt update
sudo apt install caddy
caddy version

反代示例

配置文件位于 /etc/caddy/Caddyfile。修改完配置后执行 systemctl start caddy 即可;如果 Caddy 已经在运行,则需要执行 systemctl reload caddy 才会加载新配置。

反向代理本地 IPv4

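domain.com {
	encode gzip

	# Reverse proxy to a local backend over IPv4.
	reverse_proxy {
		to 127.0.0.1:80 # upstream address and port

		# Without a CDN in front, pass the TCP peer address instead:
		# header_up X-Real-IP {remote_host}

		# NOTE(review): CF-Connecting-IP is an ordinary request header, so any
		# client that can reach this server directly can set it to any value.
		# Trust it only when the origin accepts connections solely from the CDN
		# (firewall allow-list of the CDN's published ranges, or Caddy's
		# trusted_proxies option); otherwise backend logs and IP-based rules
		# act on a spoofable address.
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}

		# CF-Visitor carries a JSON object with a "scheme" field, not a bare
		# scheme, so it is not a valid X-Forwarded-Proto value. Forward the
		# X-Forwarded-Proto header sent by the CDN instead (same trust caveat
		# as above).
		header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
	}

	# No path matcher here: in Caddy 2 a "/" matcher matches only the exact
	# path "/", which would leave every other URL without these headers.
	header {
		# Enable HTTP Strict Transport Security (HSTS) for one year.
		Strict-Transport-Security "max-age=31536000;"
		# Disable the legacy browser cross-site scripting (XSS) filter.
		X-XSS-Protection "0"
		# Forbid rendering the site inside a frame (clickjacking protection).
		X-Frame-Options "DENY"
		# Keep search engines from indexing the site (optional).
		# X-Robots-Tag "noindex, nofollow"
		# Disable MIME type sniffing.
		X-Content-Type-Options "nosniff"
		# Remove the Server header.
		-Server
		# Remove X-Powered-By; it should not be a problem, but is better removed.
		-X-Powered-By
		# Remove Last-Modified because the ETag serves the same purpose.
		-Last-Modified
	}

	# Block one specific User-Agent. This is an exact string match on a
	# client-controlled header: it is advisory only, and a changed version
	# string in the User-Agent no longer matches.
	@badbots {
		header "User-Agent" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
	}

	handle @badbots {
		respond "Access for bad crawlers denied" 403
	}

	# Access log with rotation: 10MB per file, 10 rotated files kept.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}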

反向代理本地 IPv6

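domain.com {
	encode gzip

	# Reverse proxy to a local backend over IPv6.
	reverse_proxy {
		to [::1]:80 # upstream address and port

		# Without a CDN in front, pass the TCP peer address instead:
		# header_up X-Real-IP {remote_host}

		# NOTE(review): CF-Connecting-IP is an ordinary request header, so any
		# client that can reach this server directly can set it to any value.
		# Trust it only when the origin accepts connections solely from the CDN
		# (firewall allow-list of the CDN's published ranges, or Caddy's
		# trusted_proxies option); otherwise backend logs and IP-based rules
		# act on a spoofable address.
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}

		# CF-Visitor carries a JSON object with a "scheme" field, not a bare
		# scheme, so it is not a valid X-Forwarded-Proto value. Forward the
		# X-Forwarded-Proto header sent by the CDN instead (same trust caveat
		# as above).
		header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
	}

	# No path matcher here: in Caddy 2 a "/" matcher matches only the exact
	# path "/", which would leave every other URL without these headers.
	header {
		# Enable HTTP Strict Transport Security (HSTS) for one year.
		Strict-Transport-Security "max-age=31536000;"
		# Disable the legacy browser cross-site scripting (XSS) filter.
		X-XSS-Protection "0"
		# Forbid rendering the site inside a frame (clickjacking protection).
		X-Frame-Options "DENY"
		# Keep search engines from indexing the site (optional).
		# X-Robots-Tag "noindex, nofollow"
		# Disable MIME type sniffing.
		X-Content-Type-Options "nosniff"
		# Remove the Server header.
		-Server
		# Remove X-Powered-By; it should not be a problem, but is better removed.
		-X-Powered-By
		# Remove Last-Modified because the ETag serves the same purpose.
		-Last-Modified
	}

	# Block one specific User-Agent. This is an exact string match on a
	# client-controlled header: it is advisory only, and a changed version
	# string in the User-Agent no longer matches.
	@badbots {
		header "User-Agent" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
	}

	handle @badbots {
		respond "Access for bad crawlers denied" 403
	}

	# Access log with rotation: 10MB per file, 10 rotated files kept.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}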

代理PHP

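domain.com {
	encode zstd gzip
	root * /var/www/web

	# No path matcher here: in Caddy 2 a "/" matcher matches only the exact
	# path "/", which would leave every other URL without these headers.
	header {
		# Enable HTTP Strict Transport Security (HSTS) for one year.
		Strict-Transport-Security "max-age=31536000;"
		# Disable the legacy browser cross-site scripting (XSS) filter.
		X-XSS-Protection "0"
		# Forbid rendering the site inside a frame (clickjacking protection).
		X-Frame-Options "DENY"
		# Keep search engines from indexing the site (optional).
		# X-Robots-Tag "noindex, nofollow"
		# Disable MIME type sniffing.
		X-Content-Type-Options "nosniff"
		# Remove the Server header.
		-Server
		# Remove X-Powered-By; it should not be a problem, but is better removed.
		-X-Powered-By
		# Remove Last-Modified because the ETag serves the same purpose.
		-Last-Modified
	}

	# Static file server.
	# NOTE(review): file_server serves whatever exists under the root,
	# including dotfiles such as .git or .env if they are present; keep such
	# files out of /var/www/web or exclude them with the hide subdirective.
	file_server

	# PHP FastCGI proxy. Adjust the socket path to the installed PHP-FPM version.
	php_fastcgi unix//run/php/php7.4-fpm.sock {
		# Pass the real client IP.
		# Without a CDN in front, pass the TCP peer address instead:
		# header_up X-Real-IP {remote_host}

		# NOTE(review): CF-Connecting-IP is an ordinary request header, so any
		# client that can reach this server directly can set it to any value.
		# Trust it only when the origin accepts connections solely from the CDN
		# (firewall allow-list of the CDN's published ranges, or Caddy's
		# trusted_proxies option); otherwise the PHP application sees a
		# spoofable address.
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}

		# CF-Visitor carries a JSON object with a "scheme" field, not a bare
		# scheme, so it is not a valid X-Forwarded-Proto value. Forward the
		# X-Forwarded-Proto header sent by the CDN instead (same trust caveat
		# as above).
		header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
	}

	# Block one specific User-Agent. This is an exact string match on a
	# client-controlled header: it is advisory only, and a changed version
	# string in the User-Agent no longer matches.
	@badbots {
		header "User-Agent" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
	}

	handle @badbots {
		respond "Access for bad crawlers denied" 403
	}

	# Access log with rotation: 10MB per file, 10 rotated files kept.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}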

代理静态文件

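domain.com {
	root * /var/www/web

	# Static file server.
	# NOTE(review): file_server serves whatever exists under the root,
	# including dotfiles such as .git or .env if they are present; keep such
	# files out of /var/www/web or exclude them with the hide subdirective.
	file_server
	encode gzip

	# No path matcher here: in Caddy 2 a "/" matcher matches only the exact
	# path "/", which would leave every other URL without these headers.
	header {
		# Enable HTTP Strict Transport Security (HSTS) for one year.
		Strict-Transport-Security "max-age=31536000;"
		# Disable the legacy browser cross-site scripting (XSS) filter.
		X-XSS-Protection "0"
		# Forbid rendering the site inside a frame (clickjacking protection).
		X-Frame-Options "DENY"
		# Keep search engines from indexing the site (optional).
		# X-Robots-Tag "noindex, nofollow"
		# Disable MIME type sniffing.
		X-Content-Type-Options "nosniff"
		# Remove the Server header.
		-Server
		# Remove X-Powered-By; it should not be a problem, but is better removed.
		-X-Powered-By
		# Remove Last-Modified because the ETag serves the same purpose.
		-Last-Modified
	}

	# Block one specific User-Agent. This is an exact string match on a
	# client-controlled header: it is advisory only, and a changed version
	# string in the User-Agent no longer matches.
	@badbots {
		header "User-Agent" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
	}

	handle @badbots {
		respond "Access for bad crawlers denied" 403
	}

	# Access log with rotation: 10MB per file, 10 rotated files kept.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}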