第 17.13 节 Caddy

安装

# pkg ins caddy

或

# cd /usr/ports/www/caddy/ 
# make install clean

查看安装后配置

root@ykla:~ #
root@ykla:~ # pkg info -D caddy
caddy-2.9.1:
On install:
To enable caddy:
# 启用 Caddy：

- Edit /usr/local/etc/caddy/Caddyfile
  See https://caddyserver.com/docs/
# - 编辑 /usr/local/etc/caddy/Caddyfile
#   参见 https://caddyserver.com/docs/ 获取更多配置信息

- Run 'service caddy enable'
# - 运行 'service caddy enable' 来启用 Caddy 服务，使其在系统启动时自动启动

Note while Caddy currently defaults to running as root:wheel, it is strongly
recommended to run the server as an unprivileged user, such as www:www --
# 注意，虽然 Caddy 当前默认以 root:wheel 运行，但强烈建议将其作为一个非特权用户运行，如 www:www。

- Use security/portacl-rc to enable privileged port binding:
# - 使用 security/portacl-rc 来启用特权端口绑定：

  # pkg install security/portacl-rc
  # sysrc portacl_users+=www
  # sysrc portacl_user_www_tcp="http https"
  # sysrc portacl_user_www_udp="https"
  # service portacl enable
  # service portacl start
#   这些命令安装并启用 portacl 端口访问控制，允许非特权用户（如 www）绑定 HTTP 和 HTTPS 端口

- Configure caddy to run as www:www
# - 配置 Caddy 以 www:www 用户身份运行

  # sysrc caddy_user=www caddy_group=www
#   使用该命令来将 Caddy 配置为以 www:www 用户和组运行

- Note if Caddy has been started as root previously, files in
  /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
  changing manually.
# 注意，如果 Caddy 曾作为 root 启动过，/var/log/caddy、/var/db/caddy 和 /var/run/caddy 中的文件可能需要手动更改文件的所有权。

/usr/local/etc/rc.d/caddy has the following defaults:
# /usr/local/etc/rc.d/caddy 默认配置如下：

- Server log: /var/log/caddy/caddy.log
  (runtime messages, NOT an access.log)
# - 服务器日志：/var/log/caddy/caddy.log
#   该文件包含运行时日志信息，而非访问日志

- Automatic SSL certificate storage: /var/db/caddy/data/caddy/
# - 自动 SSL 证书存储位置：/var/db/caddy/data/caddy/

- Administration endpoint: //unix/var/run/caddy/caddy.sock
# - 管理端点：//unix/var/run/caddy/caddy.sock
#   管理接口通过 Unix 套接字访问

- Runs as root:wheel (this will change to www:www in the future)
# - 目前默认以 root:wheel 用户身份运行，未来将更改为 www:www 用户身份运行

On upgrade from caddy<2.3.0:
The default locations for caddy runtime files have changed!
# 从 caddy<2.3.0 升级：
# Caddy 运行时文件的默认位置已更改！

- Caddy's runtime log is now /var/log/caddy/caddy.log
  (was /var/log/caddy.log)
# - Caddy 运行时日志现在位于 /var/log/caddy/caddy.log（之前是 /var/log/caddy.log）

- Automatic SSL certs are now stored in /var/db/caddy/data/caddy
  (was /root/.local/share/caddy)
# - 自动 SSL 证书现在存储在 /var/db/caddy/data/caddy（之前是 /root/.local/share/caddy）

- Configuration autosaves are now stored in /var/db/caddy/config/caddy
  (was /root/.config/caddy)
# - 配置自动保存现在存储在 /var/db/caddy/config/caddy（之前是 /root/.config/caddy）

You can change these defaults. See /usr/local/etc/rc.d/caddy
# 你可以更改这些默认设置。请查看 /usr/local/etc/rc.d/caddy 文件了解更多信息

On upgrade from caddy<2.7.4_2:
The default Caddy administration endpoint location has been changed from
localhost:2019 to a protected Unix domain socket located in
/var/run/caddy/caddy.sock
# 从 caddy<2.7.4_2 升级：
# 默认的 Caddy 管理端点位置已从 localhost:2019 更改为受保护的 Unix 域套接字，
# 位于 /var/run/caddy/caddy.sock

This can be overridden with the `caddy_admin` rc variable, or by specifiying
an alternative in the Caddyfile `admin` section, documented here:
# 这可以通过 `caddy_admin` rc 变量覆盖，或者在 Caddyfile 的 `admin` 部分指定，详细信息请参阅这里：

  https://caddyserver.com/docs/caddyfile/options#admin

The previous default, particularly paired with the server running as root,
may have serious security implications for shared machines with untrusted
users.
# 之前的默认设置，尤其是与 root 身份一起使用时，可能会对共享机器带来严重的安全隐患，特别是在不信任的用户环境下。

On upgrade:
It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
www:www, rather than the current default of root:wheel.
# 升级时：
# 强烈建议将 Caddy 以非特权用户身份运行，如 www:www，而不是当前默认的 root:wheel。

If you have relied upon earlier defaults:
# 如果你依赖于早期的默认设置：

- Use security/portacl-rc to enable privileged port binding:
# - 使用 security/portacl-rc 启用特权端口绑定：

  # pkg install security/portacl-rc
  # sysrc portacl_users+=www
  # sysrc portacl_user_www_tcp="http https"
  # sysrc portacl_user_www_udp="https"
  # service portacl enable
  # service portacl start
#   安装并配置 portacl 以便允许非特权用户（如 www）绑定 HTTP 和 HTTPS 端口

- Stop the server, and update ownership on Caddy runtime files:
# - 停止服务器，并更新 Caddy 运行时文件的所有权：

  # service caddy stop
  # chown -R www:www /var/db/caddy /var/log/caddy /var/run/caddy
#   停止 Caddy 服务并将文件的所有权更改为 www:www 用户

Other changes may be necessary depending on your exact Caddy
configuration.
# 根据你的 Caddy 配置，可能还需要进行其他更改。

- Change the default runtime user, and restart the server:
# - 更改默认的运行时用户，并重启服务器：

  # sysrc caddy_user=www caddy_group=www
  # service caddy start
#   使用此命令更改 Caddy 的运行时用户和组为 www:www，并重新启动 Caddy 服务

配置

注意
由于非特权用户无法开启 443 端口，会报错 listen tcp :443: bind: permission denied。

安装上文提到的 security/portacl-rc：

# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https"
# sysrc portacl_user_www_udp="https"
# service portacl enable
# service portacl start

配置服务：

# service caddy enable # 请按顺序执行
# service caddy start # 请按顺序执行
# service caddy stop # 请按顺序执行
# sysrc caddy_user=www caddy_group=www
# chown -R www:www /var/db/caddy /var/log/caddy /var/run/caddy

新建测试页面：

# mkdir -p /usr/local/www/caddy/

编辑 /usr/local/www/caddy/index.html，写入：

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>FreeBSD 中文社区欢迎你！</title>
</head>
<body>
    <h1 style="text-align: center;">Hello World !</h1>
</body>
</html>

root@ykla:~ # service caddy start
Starting caddy... done
Log: /var/log/caddy/caddy.log

在本机打开 https://localhost/：

参考文献

，本文测试页面的 HTML 来自此处

上一页第 17.12 节 Tomcat 下一页第 17.14 节 OnlyOffice（基于 PostgreSQL）

最后更新于1个月前