Install Caddy v1.x on Debian
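#!/bin/bash
# Install Caddy v1.x on Debian.
#
# Steps: install build prerequisites, install the Go toolchain with the getgo
# installer, build caddy with `go get`, install the binary root-owned into
# /usr/local/bin with the file capability needed to bind ports 80/443 as
# www-data, drop the companion systemd unit from this gist, then start the
# service and follow its journal.
#
# Requires a user with sudo rights and outbound HTTPS. Run as: bash <script>
set -euo pipefail

readonly go_installer_url='https://storage.googleapis.com/golang/getgo/installer_linux'
readonly caddy_unit_url='https://gist.githubusercontent.com/pstaender/8e53e3cc3f7747bd17beef1178b79208/raw/01baa1ca512dc8a9e40a3296c29341c8b15795b8/caddy.service'
readonly caddy_bin='/usr/local/bin/caddy'
readonly caddy_unit='/etc/systemd/system/caddy.service'

#######################################
# Download and run the Go installer from a private temp dir, then load the
# PATH/GOPATH additions it appends to ~/.bash_profile.
# Globals:   go_installer_url (read); sets whatever ~/.bash_profile exports
# Returns:   non-zero if the download or the installer fails
#######################################
install_go() {
  local tmpdir
  tmpdir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; return 1; }
  # Expand $tmpdir now: the trap runs after this local has gone out of scope.
  trap "rm -rf -- '$tmpdir'" EXIT

  echo 'install go lang'
  # NOTE(review): the installer is fetched over HTTPS and executed without an
  # integrity check. Pin a known-good digest here once you have one, e.g.
  #   printf '%s  %s\n' '<SHA256-PLACEHOLDER>' "${tmpdir}/installer_linux" | sha256sum -c -
  wget -q -O "${tmpdir}/installer_linux" "$go_installer_url"
  chmod +x "${tmpdir}/installer_linux"
  "${tmpdir}/installer_linux"

  # The profile lines the installer adds may reference variables that are
  # unset here, which `set -u` would turn into a hard failure while sourcing.
  set +u
  # shellcheck disable=SC1090
  source ~/.bash_profile
  set -u
}

#######################################
# Build caddy with the freshly installed Go toolchain and install the binary
# root-owned, mode 755, with cap_net_bind_service so it can bind 80/443
# without running as root.
# Globals:   GOPATH (read, defaults to $HOME/go as Go itself does), caddy_bin
#######################################
install_caddy() {
  local gopath=${GOPATH:-$HOME/go}
  echo 'install caddy'
  go get github.com/caddyserver/caddy/caddy
  # install(1) does the cp + chown root:root + chmod 755 in one step.
  sudo install -o root -g root -m 755 -- "${gopath}/bin/caddy" "$caddy_bin"
  # Grant only port binding via a file capability; the unit runs as www-data.
  sudo setcap 'cap_net_bind_service=+ep' "$caddy_bin"
}

#######################################
# Create the config and certificate directories, install the unit file and
# register it with systemd.
# Globals:   caddy_unit_url, caddy_unit (read)
#######################################
configure_service() {
  sudo mkdir -p /etc/caddy/ /etc/ssl/caddy
  sudo touch /etc/caddy/Caddyfile

  # A redirection is performed by the unprivileged shell, so
  # `sudo curl ... > /etc/...` fails with permission denied; stream through
  # `sudo tee` instead. -f makes an HTTP error page fail the download rather
  # than become the unit file.
  curl -fsSL "$caddy_unit_url" | sudo tee "$caddy_unit" >/dev/null

  # pam_limits only applies to PAM login sessions; the unit's LimitNOFILE= is
  # what governs the service. Kept for interactive www-data shells, and
  # appended only once so re-runs do not duplicate the line.
  local limit='www-data hard nofile 8192'
  if ! grep -qxF -- "$limit" /etc/security/limits.conf; then
    printf '%s\n' "$limit" | sudo tee -a /etc/security/limits.conf >/dev/null
  fi

  sudo chown -R www-data:www-data /etc/caddy/ /etc/ssl/caddy
  sudo systemctl daemon-reload
}

#######################################
# Start caddy, show its status and follow the journal so first-start errors
# are visible.
#######################################
start_service() {
  sudo systemctl start caddy
  # status exits non-zero for an inactive or failed unit; that must not abort
  # the script before the journal is shown.
  sudo systemctl --no-pager status caddy || true
  journalctl --follow _SYSTEMD_UNIT=caddy.service
}

main() {
  # curl and wget are used below but were not in the original package list.
  sudo apt-get install -y git libcap2-bin curl wget
  install_go
  install_caddy
  configure_service
  start_service
}

main "$@"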
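[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target
Wants=network.target

[Service]
; Restart on a non-zero exit or signal, at most 5 times per 86400 s.
; (systemd v230+ spells these StartLimitIntervalSec=/StartLimitBurst= in
; [Unit]; the [Service] spellings are still honoured for compatibility.)
Restart=on-failure
StartLimitInterval=86400
StartLimitBurst=5
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
; -root is set explicitly so a Caddyfile that forgets it never serves "/".
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
; Graceful shutdown with a short timeout.
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=64
; Sandboxing: private /tmp and /var/tmp, no access to /home, /root and
; /run/user, read-only /usr, /boot and /etc ...
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
; ... except the certificate store, which must stay writable (this only
; retains r/w access; the directory must already be writable on the host).
ReadWriteDirectories=/etc/ssl/caddy
; Binding 80/443 as www-data relies on the file capability set on the binary
; with `setcap cap_net_bind_service=+ep`. Do not add NoNewPrivileges=true
; with that approach: no_new_privs makes file capabilities non-functional on
; execve. To use NoNewPrivileges=, grant the port-binding capability via
; AmbientCapabilities=CAP_NET_BIND_SERVICE instead.

[Install]
WantedBy=multi-user.target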
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
; Wait for the network to be actually online, not merely configured. The
; wait-online service named below belongs to systemd-networkd; on a host
; managed by another network manager it is presumably inactive and the
; Wants= is simply unmet — verify for your distribution.
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
; Restart only after abnormal termination (signal, timeout, watchdog), not
; after the process exits with a status code.
Restart=on-abnormal
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
; Replace "youremail" with the address to register with the ACME CA before
; installing this unit; this file is a template.
ExecStart=/usr/bin/caddy -log stdout -agree=true -email=youremail -conf=/etc/caddy/Caddyfile -root=/var/tmp
; Reload is a USR1 to the main process.
ExecReload=/bin/kill -USR1 $MAINPID
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
; NoNewPrivileges=true also makes file capabilities (setcap on the binary)
; non-functional on execve, so when enabling it grant port binding through
; AmbientCapabilities= as below rather than through setcap.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install]
WantedBy=multi-user.target