docs: add caddy docs (#423) · techaro.lol/anubis@74dcebf

techaro.lol / anubis

fork atom

Weighs the soul of incoming HTTP requests to stop AI crawlers

fork atom

docs: add caddy docs (#423)

Signed-off-by: Xe Iaso <me@xeiaso.net>

authored by

Xe Iaso and committed by

GitHub 10 months ago 74dcebf2 92d3dd36

+140

5 changed files

expand all

unified split

docs

admin

environments

caddy.mdx

test

caddy

Caddyfile

Dockerfile

docker-compose.yaml

start.sh

+71

docs/docs/admin/environments/caddy.mdx

···

··· 1 + # Caddy 2 + 3 + To use Anubis with Caddy, stick Anubis between Caddy and your backend. For example, consider this application setup: 4 + 5 + ```mermaid 6 + --- 7 + title: Caddy with Anubis in the middle 8 + --- 9 + 10 + flowchart LR 11 + T(User Traffic) 12 + TCP(TCP 80/443) 13 + An(Anubis) 14 + B(Backend) 15 + Blocked 16 + 17 + T --> TCP 18 + TCP --> |Traffic filtering| An 19 + An --> |Happy traffic| B 20 + An --> |Malicious traffic| Blocked 21 + ``` 22 + 23 + Instead of your traffic going directly to your backend, it takes a detour through Anubis. Anubis filters out the "bad" traffic and passes the "good" traffic to the backend. 24 + 25 + To set up Anubis with Docker compose and Caddy, start with a `docker-compose` configuration like this: 26 + 27 + ```yaml 28 + services: 29 + caddy: 30 + image: caddy:2 31 + ports: 32 + - 80:80 33 + - 443:443 34 + - 443:443/udp 35 + volumes: 36 + - ./conf:/etc/caddy 37 + - caddy_config:/config 38 + - caddy_data:/data 39 + 40 + anubis: 41 + image: ghcr.io/techarohq/anubis:latest 42 + pull_policy: always 43 + environment: 44 + BIND: ":3000" 45 + TARGET: http://httpdebug:3000 46 + 47 + httpdebug: 48 + image: ghcr.io/xe/x/httpdebug 49 + pull_policy: always 50 + 51 + volumes: 52 + caddy_data: 53 + caddy_config: 54 + ``` 55 + 56 + And then put the following in `conf/Caddyfile`: 57 + 58 + ```Caddyfile 59 + # conf/Caddyfile 60 + 61 + yourdomain.example.com { 62 + tls your@email.address 63 + 64 + reverse_proxy http://anubis:3000 { 65 + header_up X-Real-Ip {remote_host} 66 + header_up X-Http-Version {http.request.proto} 67 + } 68 + } 69 + ``` 70 + 71 + If you want to protect multiple services with Anubis, you will need to either start multiple instances of Anubis (Anubis requires less than 32 MB of ram on average) or set up a two-tier routing setup where TLS termination is done with one instance of Caddy and the actual routing to services is done with another instance of Caddy. See the [nginx](./nginx.mdx) or [Apache](./apache.mdx) documentation to get ideas on how you would do this.

+16

test/caddy/Caddyfile

···

··· 1 + :80 { 2 + reverse_proxy http://anubis:3000 { 3 + header_up X-Real-Ip {remote_host} 4 + header_up X-Http-Version {http.request.proto} 5 + } 6 + } 7 + 8 + :443 { 9 + tls /etc/techaro/pki/caddy.local.cetacean.club/cert.pem /etc/techaro/pki/caddy.local.cetacean.club/key.pem 10 + 11 + reverse_proxy http://anubis:3000 { 12 + header_up X-Real-Ip {remote_host} 13 + header_up X-Http-Version {http.request.proto} 14 + header_up X-Tls-Version {http.request.tls.version} 15 + } 16 + }

test/caddy/Dockerfile

···

··· 1 + # FROM caddy:2.10.0-builder AS builder 2 + 3 + # RUN xcaddy build \ 4 + # --with github.com/lolPants/caddy-requestid 5 + 6 + FROM caddy:2.10.0 AS run 7 + 8 + # COPY --from=builder /usr/bin/caddy /usr/bin/caddy 9 + COPY Caddyfile /etc/caddy/Caddyfile

+22

test/caddy/docker-compose.yaml

···

··· 1 + services: 2 + caddy: 3 + image: xxxtest/caddy 4 + build: . 5 + ports: 6 + - 8080:80 7 + - 8443:443 8 + volumes: 9 + - "../pki/caddy.local.cetacean.club:/etc/techaro/pki/caddy.local.cetacean.club/" 10 + 11 + anubis: 12 + image: ghcr.io/techarohq/anubis:main 13 + environment: 14 + BIND: ":3000" 15 + TARGET: http://httpdebug:3000 16 + POLICY_FNAME: /etc/techaro/anubis/less_paranoid.yaml 17 + volumes: 18 + - ../anubis_configs:/etc/techaro/anubis 19 + 20 + httpdebug: 21 + image: ghcr.io/xe/x/httpdebug 22 + pull_policy: always

+22

test/caddy/start.sh

···

··· 1 + #!/usr/bin/env bash 2 + 3 + # If the transient local TLS certificate doesn't exist, mint a new one 4 + if [ ! -f ../pki/caddy.local.cetacean.club/cert.pem ]; then 5 + # Subshell to contain the directory change 6 + ( 7 + cd ../pki \ 8 + && mkdir -p caddy.local.cetacean.club \ 9 + && \ 10 + # Try using https://github.com/FiloSottile/mkcert for better DevEx, 11 + # but fall back to using https://github.com/jsha/minica in case 12 + # you don't have that installed. 13 + ( 14 + mkcert \ 15 + --cert-file ./caddy.local.cetacean.club/cert.pem \ 16 + --key-file ./caddy.local.cetacean.club/key.pem caddy.local.cetacean.club \ 17 + || go tool minica -domains caddy.local.cetacean.club 18 + ) 19 + ) 20 + fi 21 + 22 + docker compose up --build