fix(caddy): TLS certificates trust on all platforms
lucasmirloup committed Sep 16, 2024
1 parent 0778dc5 commit 1247557
Showing 4 changed files with 28 additions and 33 deletions.
18 changes: 4 additions & 14 deletions README.md
@@ -46,10 +46,10 @@ Restart your browsers !

The base stack contains the minimal configuration related to web development.

- caddy
- adminer
- maildev
- memcached
- Caddy
- AdminerEvo
- MailDev
- Memcached

## Compose your stack

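Review bot: the service list switches to product names (`Caddy`, `AdminerEvo`, `MailDev`, `Memcached`) while the broker list a few lines below still uses image-style names (`rabbitmq 3.8`), so the README now mixes two conventions; pick one, and since setup.sh and docker-compose.yml refer to the Caddy container as `proxy`, consider adding the compose service name next to each product (for example `Caddy (proxy)`) so readers can map the README to the compose files.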
@@ -69,13 +69,3 @@ The repository currently supports these message brokers:
- rabbitmq 3.8

An optional watchtower service is available to update docker images automatically. Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file (default is `0 0 17 * * *`). You should also [login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token) to prevent rate limit issues.

## Troubleshooting

- If setup.sh respond `trust: install is not supported on this system`:

```shell
sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/root.crt
sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/intermediate.crt
sudo update-ca-trust
```
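Review bot: removing this Troubleshooting entry is consistent with the new setup.sh (it no longer depends on `/var/lib/docker/volumes/dev_caddy_data/_data/...`), but the README is now silent on what the script does to the host: it copies the caddy binary out of the container, runs `caddy trust`, anchors `/usr/local/share/ca-certificates/*.crt` when the `trust` command exists, and writes the root certificate to `/etc/ssl/certs/Caddy.crt`. Add a short paragraph listing these steps and that they run with sudo, so a user can audit the change to their trust store and knows which file to remove to undo it.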
10 changes: 4 additions & 6 deletions docker-compose.yml
@@ -17,6 +17,10 @@ services:
- target: 443
published: ${HTTP3_PORT:-443}
protocol: udp
# Caddy admin API
- target: 2019
published: ${CADDY_ADMIN_PORT:-2019}
protocol: tcp
environment:
CADDY_INGRESS_NETWORKS: dev_public
volumes:
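Review bot: the new `- target: 2019` / `published: ${CADDY_ADMIN_PORT:-2019}` entry has no `host_ip`, so once setup.sh rebinds the admin listener to `0.0.0.0:2019` the unauthenticated Caddy admin API, which can rewrite routes, upstreams and TLS settings, is reachable on every host interface, and Docker's own iptables rules for published ports bypass host firewall frontends such as ufw. `caddy trust` on the host only needs the port on localhost, so add `host_ip: 127.0.0.1` to this entry, and document `CADDY_ADMIN_PORT` in `.env` next to `HTTP3_PORT`.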
@@ -28,12 +32,6 @@ services:
caddy.tls: internal
caddy.respond: |-
/ "Healthy" 200
healthcheck:
test: [ "CMD", "wget", "-qO-", "http://localhost:2019/config" ]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
maildev:
restart: always
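Review bot: dropping the compose-level `healthcheck` leaves the image `HEALTHCHECK` in proxy/Dockerfile as the only one, and that one shrinks `start_period` from 30s to 5s with `retries: 3` at a 5s interval; if any service uses `depends_on` with `condition: service_healthy` on `proxy`, verify that caddy-docker-proxy answers `/config` within roughly 20s on a cold start, otherwise dependents will fail instead of waiting. Mention in the commit message or README that the health check now lives in the Dockerfile so nobody re-adds a second one here.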
6 changes: 2 additions & 4 deletions proxy/Dockerfile
@@ -1,11 +1,9 @@
FROM --platform=$TARGETPLATFORM caddy:2-alpine
FROM caddy:2-alpine
ARG TARGETOS
ARG TARGETARCH

ADD --chmod=500 https://caddyserver.com/api/download?os=${TARGETOS}&arch=${TARGETARCH}&p=github.com/lucaslorentz/caddy-docker-proxy/v2&p=github.com/dunglas/mercure/caddy&p=github.com/dunglas/vulcain/caddy /usr/bin/caddy

COPY Caddyfile /etc/caddy/Caddyfile

HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "wget", "-qO-", "http://localhost:2019/config" ]
HEALTHCHECK --interval=5s --timeout=5s --start-period=5s --retries=3 CMD [ "wget", "-qO-", "http://127.0.0.1:2019/config" ]

CMD ["caddy", "docker-proxy", "--caddyfile-path=/etc/caddy/Caddyfile"]
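Review bot: removing `--platform=$TARGETPLATFORM` from `FROM` is fine (BuildKit already resolves `caddy:2-alpine` for the target platform, so the flag was redundant), but the `ADD --chmod=500 https://caddyserver.com/api/download?...` line this hunk keeps pins neither a Caddy version, plugin versions nor a checksum, so every build trusts whatever the download service returns at that moment and two builds of the same commit can produce different binaries; pin each `p=` module with a `@version` suffix, or build the binary with xcaddy in a separate build stage where the Go module versions are fixed. The switch of the health check target to `127.0.0.1` is correct and keeps working after setup.sh rebinds the admin listener to `0.0.0.0`.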
27 changes: 18 additions & 9 deletions setup.sh
@@ -1,14 +1,23 @@
#!/usr/bin/env bash

docker compose --ansi never up -d --build 2>& 1> /dev/null
docker compose cp proxy:/usr/bin/caddy /tmp/caddy
docker compose up -d 2>/dev/null

XDG_DATA_HOME=/var/lib/docker/volumes/dev_caddy_data/_data
docker compose exec proxy wget -q -O- --post-data='"0.0.0.0:2019"' --header='Content-Type:application/json' 'http://127.0.0.1:2019/config/admin/listen'

sudo XDG_DATA_HOME=${XDG_DATA_HOME} \
/tmp/caddy start 2&> /dev/null; \
/tmp/caddy untrust; \
/tmp/caddy trust; \
/tmp/caddy stop 2&> /dev/null; \
docker compose cp proxy:/usr/bin/caddy /tmp/caddy 2>/dev/null

rm /tmp/caddy
/tmp/caddy trust

# ArchLinux and derivatives, see https://wiki.archlinux.org/title/Transport_Layer_Security#Add_a_certificate_to_a_trust_store
if command -v trust &> /dev/null; then
sudo trust anchor /usr/local/share/ca-certificates/*.crt
sudo update-ca-trust
fi

rm -f /tmp/caddy

# Copy the certificate to a stable location (to simplify mounting on all Docker platforms)
sudo docker compose cp proxy:/data/caddy/pki/authorities/local/root.crt /etc/ssl/certs/Caddy.crt 2>/dev/null

echo "Certificats Caddy installés avec succès !"
echo "Vous pouvez désormais monter le fichier /etc/ssl/certs/Caddy.crt sur vos projets Docker."
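Review bot: the `wget ... --post-data='"0.0.0.0:2019"' ... /config/admin/listen` call rebinds the admin API from the container's loopback to all interfaces, and combined with the port published in docker-compose.yml this exposes an unauthenticated control plane for the proxy beyond the host unless the published port is bound to `127.0.0.1`; since the only consumer is `/tmp/caddy trust` on the host, restrict the published port to loopback, or avoid the admin API altogether by installing the `root.crt` the script already extracts with `docker compose cp` through the distro trust tools. Two smaller points in the same hunk: the script has no `set -e` and hides errors with `2>/dev/null`, so a failed `docker compose cp` means `/tmp/caddy trust` runs against a missing binary with no diagnostic; and `sudo trust anchor /usr/local/share/ca-certificates/*.crt` anchors every certificate in that directory rather than only Caddy's, and expands literally (so `trust anchor` fails) on systems where `caddy trust` installed the certificate elsewhere, so anchor the copied `root.crt` explicitly instead of the glob.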
