From c84c29ed74e5a0775bd1e62371f73778e1e0af41 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Tue, 12 Aug 2025 12:56:07 +0530
Subject: [PATCH 1/2] Caddy
---
infra/services/caddy/Caddyfile | 13 +++++++++++++
infra/services/caddy/README.md | 19 +++++++++++++++++++
infra/services/caddy/caddy.service | 17 +++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 infra/services/caddy/Caddyfile
create mode 100644 infra/services/caddy/README.md
create mode 100644 infra/services/caddy/caddy.service
diff --git a/infra/services/caddy/Caddyfile b/infra/services/caddy/Caddyfile
new file mode 100644
index 0000000000..41d17d6ae1
--- /dev/null
+++ b/infra/services/caddy/Caddyfile
@@ -0,0 +1,13 @@
+{
+ email custom-domains@ente.io
+ on_demand_tls {
+ ask https://api.ente.io/custom-domain
+ }
+}
+
+https:// {
+ tls {
+ on_demand
+ }
+ reverse_proxy custom-albums.ente.io:443
+}
diff --git a/infra/services/caddy/README.md b/infra/services/caddy/README.md
new file mode 100644
index 0000000000..d13d016d1c
--- /dev/null
+++ b/infra/services/caddy/README.md
@@ -0,0 +1,19 @@
+# Caddy
+
+Caddy is used to terminate TLS and manage certificates for custom domains.
+
+## Installation
+
+```sh
+sudo mkdir -p /root/caddy/conf
+sudo mv Caddyfile /root/caddy/conf
+sudo chown root:root /root/caddy/conf/Caddyfile
+```
+
+Rest of it works like our other systemd services.
+
+If the Caddyfile changes, the running instance can be updated without restarts by using `sudo systemctl reload caddy`.
+
+## Backups
+
+The entire `/root/caddy` directory can be backed up and contains the everything needed to resurrect the same setup.
diff --git a/infra/services/caddy/caddy.service b/infra/services/caddy/caddy.service
new file mode 100644
index 0000000000..1aa30e6442
--- /dev/null
+++ b/infra/services/caddy/caddy.service
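Review bot: The `ask https://api.ente.io/custom-domain` endpoint is the only control between this catch-all `https://` block with `on_demand` and certificate issuance for any hostname somebody points at this host, and the Caddyfile does not record that dependency. I'd add a comment above `on_demand_tls`: `# The ask endpoint must answer non-2xx for any hostname that is not a registered custom domain; it is the sole guard against on-demand issuance (and ACME rate-limit exhaustion) for arbitrary names.` A short comment next to `email` noting that this mailbox receives the CA's expiry and policy notices, and should therefore be monitored, would also help the next operator. The `reverse_proxy` target is reworked in the follow-up commit, so I am not raising it here.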
@@ -0,0 +1,17 @@
+[Unit]
+Documentation=https://caddyserver.com/docs/running
+Requires=docker.service
+After=docker.service
+
+[Service]
+ExecStartPre=docker pull caddy
+ExecStartPre=-docker stop caddy
+ExecStartPre=-docker rm caddy
+ExecStart=docker run --name caddy \
+ --cap-add NET_ADMIN \
+ -p 80:80 -p 443:443 -p 443:443/udp \
+ -v /root/caddy/conf:/etc/caddy \
+ -v /root/caddy/data:/data \
+ -v /root/caddy/config:/config \
+ caddy
+ExecReload=docker exec -w /etc/caddy caddy caddy reload
From 01d70d1b5e5004fa59dba85aaa3b9482384e278d Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Tue, 12 Aug 2025 17:49:48 +0530
Subject: [PATCH 2/2] Fix HTTPS connection with upstream
---
infra/services/caddy/Caddyfile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/infra/services/caddy/Caddyfile b/infra/services/caddy/Caddyfile
index 41d17d6ae1..39a9fc09cb 100644
--- a/infra/services/caddy/Caddyfile
+++ b/infra/services/caddy/Caddyfile
@@ -9,5 +9,7 @@ https:// {
 tls {
 on_demand
 }
- reverse_proxy custom-albums.ente.io:443
+ reverse_proxy https://custom-albums.ente.io {
+ header_up Host {upstream_hostport}
+ }
 }
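Review bot: `ExecStartPre=docker pull caddy` and the bare `caddy` image reference at the end of `ExecStart` are unpinned, so every service start pulls whatever the default tag currently resolves to, and a routine restart can silently change the TLS terminator for all custom domains. Pin an explicit tag or digest in both lines, `ExecStartPre=docker pull caddy:<PINNED_TAG>` and `caddy:<PINNED_TAG>` (placeholder for the chosen version), and bump it deliberately. The unit also has no `[Install]` section and no `Restart=` directive, so as written it cannot be enabled with `systemctl enable` and stays down after a crash; if the other systemd services in this tree get those from elsewhere, a comment saying so would help, otherwise add `Restart=on-failure` under `[Service]` and `[Install]` with `WantedBy=multi-user.target`. `--cap-add NET_ADMIN` is a broad capability; if it is only there for HTTP/3 socket tuning on the `443/udp` port, a one-line comment saying so would keep it from being carried forward unquestioned.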
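Review bot: `header_up Host {upstream_hostport}` means the upstream now sees `Host: custom-albums.ente.io` on every request, so the customer's own domain, presumably what selects which album to serve, reaches it only through the `X-Forwarded-Host` header that `reverse_proxy` adds, and nothing in the Caddyfile records that contract. I'd add a comment on the `header_up` line: `# Upstream is selected by virtual host; the original custom domain is passed in X-Forwarded-Host.` Please also confirm the upstream can treat `X-Forwarded-Host` as authoritative only because it arrives via this proxy: Caddy replaces client-supplied `X-Forwarded-*` headers unless a `trusted_proxies` entry admits them, which I believe is the default behaviour but is worth checking against the Caddy version actually deployed. The `https://` scheme makes Caddy verify the upstream certificate against `custom-albums.ente.io`, which is the right default and should not be relaxed with `tls_insecure_skip_verify` if the connection misbehaves later. The enclosing `https://` site block opens before this hunk.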