abiosoft / caddy-docker
Docker container for Caddy
Home Page: https://hub.docker.com/r/abiosoft/caddy/
License: MIT License
I tried to reload the configuration to make iterations faster with:
docker kill -s HUP caddy
But it didn't appear to work. This is my service file I was using btw: http://s.natalian.org/2016-01-10/caddy.service
If you look at https://github.com/BlackGlory/caddy-proxy you'll see that his package automatically regenerates a Caddyfile every time a new docker container gets fired. It looks at the environment variable, which contains the name we want the container to answer to, and maps appropriately.
It'd be great if this package could do this. Reason: this package has 500+K pulls whilst BlackGlory's has 385 and gets no support. I can't make it work (I've already spent too much time trying) but I love the functionality.
Would it be difficult to do?
I read the README, but did not find how to activate several plugins for this container. For example, I want to activate the ipfilter plugin.
This is my Dockerfile
FROM abiosoft/caddy
RUN mkdir -p /root/.caddy/
RUN mkdir -p /root/gocode/callrecords-service/logs
COPY ./Caddyfile /etc/
Thanks for taking the time to create this docker. When I try to enter the docker container I receive an error. Did you purposely disable /bin/bash?
sudo docker exec -it mycaddy /bin/bash
rpc error: code = 2 desc = "oci runtime error: exec failed: exec: "/bin/bash": stat /bin/bash: no such file or directory"
Hi,
I want to rebuild docker image by myself like this:
caddy-docker:master ✓ ➭ docker build --no-cache=true -t caddytest .
Sending build context to Docker daemon 165.4 kB
Step 1 : FROM alpine:3.2
---> d6ead20d5571
Step 2 : MAINTAINER Abiola Ibrahim <[email protected]>
---> Running in e402e0822682
---> a8fd5f89bae8
Removing intermediate container e402e0822682
Step 3 : LABEL caddy_version "0.8" architecture "amd64"
---> Running in bec50acb46d3
---> bd13eec6afe3
Removing intermediate container bec50acb46d3
Step 4 : RUN apk add --update openssh-client git tar
---> Running in cc3b2d9b0f10
fetch http://dl-4.alpinelinux.org/alpine/v3.2/main/x86_64/APKINDEX.tar.gz
(1/15) Installing run-parts (4.4-r0)
(2/15) Installing openssl (1.0.2e-r0)
(3/15) Installing lua5.2-libs (5.2.4-r0)
(4/15) Installing lua5.2 (5.2.4-r0)
(5/15) Installing ncurses-terminfo-base (5.9-r3)
(6/15) Installing ncurses-widec-libs (5.9-r3)
(7/15) Installing lua5.2-posix (33.3.1-r2)
(8/15) Installing ca-certificates (20141019-r2)
(9/15) Installing libssh2 (1.5.0-r0)
(10/15) Installing curl (7.42.1-r0)
(11/15) Installing expat (2.1.0-r1)
(12/15) Installing pcre (8.37-r1)
(13/15) Installing git (2.4.1-r0)
(14/15) Installing openssh-client (6.8_p1-r4)
(15/15) Installing tar (1.28-r0)
Executing busybox-1.23.2-r0.trigger
Executing ca-certificates-20141019-r2.trigger
OK: 26 MiB in 30 packages
---> 3273f1881310
Removing intermediate container cc3b2d9b0f10
Step 5 : RUN mkdir /caddysrc && curl -sL -o /caddysrc/caddy_linux_amd64.tar.gz "http://caddyserver.com/download/build?os=linux&arch=amd64&features=git" && tar -xf /caddysrc/caddy_linux_amd64.tar.gz -C /caddysrc && mv /caddysrc/caddy /usr/bin/caddy && chmod 755 /usr/bin/caddy && rm -rf /caddysrc && printf "0.0.0.0\nbrowse" > /etc/Caddyfile
---> Running in 0a07b399743c
---> 2dc36f69ef3b
Removing intermediate container 0a07b399743c
Step 6 : RUN mkdir /srv
---> Running in e6810d635e75
---> c84590abf9ef
Removing intermediate container e6810d635e75
Step 7 : EXPOSE 2015
---> Running in d4c5fa86a59e
---> a363a3fa2473
Removing intermediate container d4c5fa86a59e
Step 8 : EXPOSE 443
---> Running in 99f368230894
---> b54375eda9e1
Removing intermediate container 99f368230894
Step 9 : EXPOSE 80
---> Running in e257eb6f71ee
---> 86b479f70fc7
Removing intermediate container e257eb6f71ee
Step 10 : WORKDIR /srv
---> Running in e80b958c5ace
---> c138f2b10bba
Removing intermediate container e80b958c5ace
Step 11 : ENTRYPOINT /usr/bin/caddy
---> Running in 657d63f28087
---> e26078730911
Removing intermediate container 657d63f28087
Step 12 : CMD --conf /etc/Caddyfile
---> Running in ea5f8c3b094e
---> 0ac0949135bd
Removing intermediate container ea5f8c3b094e
Successfully built 0ac0949135bd
But when I start the container, I get an error:
caddy-docker:master ✓ ➭ docker run -d -v /tmp/sharer:/srv -p 80:80 -p 443:443 caddytest
21e1969881a61e6953e8a05d8cc2742663243a69b475761cb1eddccb91b24625
Error response from daemon: Cannot start container 21e1969881a61e6953e8a05d8cc2742663243a69b475761cb1eddccb91b24625: [8] System error: no such file or directory
Some googling got me to this issue: moby/moby#14972
It refers to rebuilding the binary as statically linked, but the Dockerfile in this repo just downloads the prepared binary from caddyserver.com.
At the same time, the image pulled from Docker Hub works fine:
➭ docker run -d -v /tmp/sharer:/srv -p 80:2015 abiosoft/caddy
a675879b2ec65a277d4af35efe943b0c1a4c2909b210a6666f0a0ac81a469c3d
➭ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a675879b2ec6 abiosoft/caddy "/usr/bin/caddy --con" 5 seconds ago Up 4 seconds 80/tcp, 443/tcp, 0.0.0.0:80->2015/tcp jolly_easley
Please, can you show instructions to reproduce a working image?
This sadly took me some time to figure out. VOLUME, I believe, prevents composer from writing out the dependencies to /srv/
FROM abiosoft/caddy:php
RUN touch /srv/foobar
RUN ls /srv/
And it needs to be there for a typical require 'vendor/autoload.php'; pattern.
BUT when I try composer global require aws/aws-sdk-php it installs to /root/.composer/ and I get permission denied trying to use that directory.
I configured Docker Compose to set up Caddy, WordPress, and MySQL. The site works fine, except when I upload a theme it says "Unable to create directory wp-content/uploads/2016/09. Is its parent directory writable by the server?".
I am thinking that this is because I am using the PHP version of Caddy and that that is trying to add the theme files to the WordPress container by way of a mounted volume, and that WordPress's container doesn't recognize the Caddy container as the www-data user. Is that correct? How do I fix this?
Thanks
Hi there, great repo!
I have a question regarding 301 redirects.
I have an app that listens to a web server on url: http://app.example.com, but now I've set up https with this repo, and it redirects all http requests to https.
So far so good.
But I found that the app doesn't work now because it requests the http version, and the endpoint keeps returning 301 Moved Permanently.
What do I do?
I've updated the URL in the app to https, but obviously I also want the http app-version to work.
How can I make the http route work again?
Would like to use alpine:latest, 3.6 at the time of this writing.
Any plans to include it?
Again, much appreciate this project. Are you taking any contributions? I'd like to add timezone and other options?
Currently /srv can not be directly set in the Kitematic UI, just /root.caddy.
Since the ipfilter addon is included by default, should the GeoLite2 Country database be copied into the image so filtering clients based on country codes would be possible? I guess the other option would be to include instructions about how to add the database manually. One way would be to build a custom image based on this one which copies it into the newly created image. Adding it as a volume at run time might also work.
This is required for serving WebSocket secure. See https://caddyserver.com/docs/cli#http2.
I want to host several PHP sites in one container since having a container for each of my little sites is a bit overkill.
However, if I duplicate fastcgi / 127.0.0.1:9000 php it borks with an Address in use error.
Here are my configs: http://s.natalian.org/2016-02-11/bug.tar
Is there a better way to share one PHP FPM?
Should there be a USER instruction included in the Dockerfile for added security as described in https://www.youtube.com/watch?v=LmUw2H6JgJo?
Running this php file:
# index.php
<?php
die(session_start());
returns
PHP message: PHP Fatal error: Uncaught Error: Call to undefined function session_start() in /srv/index.php:3
PHP docs indicate that PHP sessions are enabled by default. Alpine ships PHP sessions as a separate package, php7-session.
I think that package should be added to the abiosoft/caddy:php image but if not, we should document how to add it.
It may be a good idea to compare php7 -i in abiosoft/caddy:php to php -i in php:fpm-alpine and add a few things that people expect to be there.
I solved this for my case with
FROM abiosoft/caddy:php
RUN apk --update add --no-cache \
        php7-session \
    && rm -rf /var/cache/apk/*
It might make sense to use some small init daemon in order to handle signals:
https://github.com/Yelp/dumb-init
The only way to add more PHP extensions is forking the Dockerfile and hardcoding them?
Is there a reason why this uses the ADD instruction over COPY for the Caddyfile and index.html files? From what I understand, COPY is generally preferred.
I can create a pull request if you want.
I thought about forking this repo, but that'd mean that my version will get outdated over time.
Is there any better solution? This surely can't be it.
@abiosoft Would you be able to provide some example docker-compose.yml files for this and the official WordPress/MariaDB docker images? Being new to Docker, I'm having some trouble configuring it to get it to work.
I get this when I start up the caddy:php server, any ideas what is meant by this?
I know it's just an info notice, just curious what (and why) it's blocking.
2017/03/21 08:27:53 [INFO] Blocking Command:"php-fpm7 "
0.10.4 was recently released: https://github.com/mholt/caddy/releases/tag/v0.10.4
On the latest release I get a permission error when attempting to bind to 443:
443: bind: permission denied
[command]
docker run -d -p 80:80 -p 443:443 --name caddy -v $(pwd)/Caddyfile:/etc/Caddyfile -v $(pwd):/srv -v $(pwd):/root/.caddy abiosoft/caddy
Rolling back to 0.9.0 resolves the error.
I noticed that the user changed per your comment in another ticket, non-root now using caddy.
Would setcap resolve the permissions issue ?
Hey guys,
The commit/change below broke the SSL on my live server all of a sudden. I'd like to inquire about a couple of things in this regard -
Here's the commit I am referring to:
Why does caddy run as root, again? Why did you remove the separation with 0.9.3?
Do you think it's worth combining the two RUN commands into a single one to reduce the number of layers? Also, it might be good to add a command near the end to remove the packages only needed for building the image (curl and tar). It'd probably look something like:
apk add --update --no-cache --virtual .build-deps tar curl \
    && apk add --update --no-cache openssh-client git \
    ...
    apk del .build-deps
Also, why is openssh-client package needed?
JSON decoding is pretty common. Can you please add php-json to the packages?
kind: ConfigMap
apiVersion: v1
metadata:
  name: caddy-config
data:
  Caddyfile: |-
    alerts.example.com:2015 {
      proxy / monitoring-prometheus-alertmanager:80 {
      }
      header / {
        #Include any headers for your site here
      }
      tls off
    }
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: caddy-deployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: caddy
    spec:
      volumes:
        - name: caddy-config-mount
          configMap:
            name: caddy-config
            items:
              - key: Caddyfile
                path: Caddyfile
      containers:
        - name: caddy
          image: abiosoft/caddy:0.10.0
          ports:
            - containerPort: 2015
          volumeMounts:
            - name: caddy-config-mount
              mountPath: /etc
/srv # ping monitoring-prometheus-alertmanager
ping: bad address 'monitoring-prometheus-alertmanager'
/srv # cat /etc/resolv.conf
cat: can't open '/etc/resolv.conf': No such file or directory
/srv # curl 10.3.245.72
<!DOCTYPE html>
<html lang="en" ng-app="am">
<head>
...
kubectl get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
caddy-proxy 10.3.242.17 <none> 2015/TCP 15m
monitoring-prometheus-alertmanager 10.3.245.72 <none> 80/TCP 4d
I hit a bit of an odd problem using this in our environment. Basically I needed caddy to listen on 9000 but since php was using it the container would crash. It's probably best to use a unix socket for php-fpm since it doesn't talk to anyone but Caddy anyway.
I solved this in the Dockerfile with:
RUN sed -i 's|listen\s*=.*|listen = /var/run/php5-fpm.sock|' /etc/php/php-fpm.conf
And then I set the Caddyfile directive
fastcgi / unix:/var/run/php5-fpm.sock php
Maybe it's too odd to pull into the mainstream image. But I thought I'd bring it up anyway. Now caddy can bind anywhere it wants without conflict.
Official binaries of Caddy are now under EULA.
This makes the images distributed on docker hub non-compliant.
I'm not sure where this issue is from but I noticed when loading my Caddyfile using this container I get 2 files created in my /srv directory called 10 and access.log.
Here's my Caddyfile.
0.0.0.0:2015 {
    gzip
    log /logs/requests.log {
        rotate_size 50 # Rotate after 50 MB
        rotate_age 90 # Keep rotated files for 90 days
        rotate_keep 10 # Keep at most 10 log files
        rotate_compress # Compress rotated log files in gzip format
    }
    errors /logs/errors.log {
        rotate_size 50 # Rotate after 50 MB
        rotate_age 90 # Keep rotated files for 90 days
        rotate_keep 10 # Keep at most 10 log files
        rotate_compress # Compress rotated log files in gzip format
    }
    fastcgi / 127.0.0.1:9000 php # php variant only
    startup php-fpm7 & # php variant only
}
After running this the files appear in $(pwd)/root/sites/user123/example.com/www.
docker run -d \
    -p 2015:2015 \
    -v $(pwd)/.caddy/php/Caddyfile:/etc/Caddyfile \
    -v $(pwd)/root/sites/user123/example.com/www:/srv \
    -v $(pwd)/root/sites/user123/example.com/logs:/logs \
    --name=example.com \
    abiosoft/caddy:php
Hi @abiosoft
The latest build (0.10.9, published to docker hub 3hrs before this issue) contains the sponsor header that caddy master has already removed. Could you pull latest caddy and rebuild?
Thanks a lot for quickly setting up the built from source image.
Regards,
Po
Currently trying to use caddy as a reverse proxy for a simple web application hosted on a digitalocean droplet.
Although caddy seems to be configured correctly, the only response I get when accessing mysite.com is a 301 to a bad https page.
Caddyfile:
mysite.com {
    proxy / web:8083 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    tls [email protected]
}
docker-compose.yml:
version: '2'
services:
  caddy:
    build: ./caddy
    ports:
      - 80:80
    networks:
      - frontend
  web:
    build: ./src/web
    container_name: web
    expose:
      - "8083"
    restart: "always"
    networks:
      - frontend
networks:
  frontend:
volumes:
  data: { }
I'm building the caddyfile myself because using docker-compose volumes doesn't seem to put the file on a remote host, or I'll get an 'oci error' (for which all issues in the docker repo just blame aufs).
The dockerfile for caddy looks like this:
FROM zzrot/alpine-caddy
COPY ./.caddy /root/.caddy
COPY ./Caddyfile /etc/Caddyfile
CMD ["caddy", "--conf", "/etc/Caddyfile"]
If I run docker-compose up with the remote machine set in docker-machine, it gives the following output:
caddy_1 | Activating privacy features... done.
Any request to mysite.com returns a 301 to https://mysite.com, but that request doesn't seem to go anywhere.
Curl gives the following output:
mysite master % curl -v mysite.com
* Rebuilt URL to: mysite.com/
* Trying 138.197.4.182...
* Connected to mysite.com (138.197.4.182) port 80 (#0)
> GET / HTTP/1.1
> Host: mysite.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://mysite.com/
< Server: Caddy
< Date: Wed, 02 Nov 2016 17:04:53 GMT
< Content-Length: 57
< Content-Type: text/html; charset=utf-8
<
<a href="https://mysite.com/">Moved Permanently</a>.
* Connection #0 to host mysite.com left intact
And in a browser, chrome just displays:
This site can’t be reached
mysite.com refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
Any ideas? Maybe I've misconfigured something. I've checked other issues here and in the caddy repo and can't find anything with quite the same problem.
Trying to figure out why proxy / IP:PORT works but proxy / domain:PORT doesn't (times out or bad gateway).
Any idea what can be a problem? If I /bin/sh into caddy container, I can resolve domain to IP.
Using a shared network that supports IPv6.
Greetings!
I understand Caddy has some debug logging capability using the -log flag on the Caddy binary. Is there a way to output this to a file using the abiosoft/caddy container image?
The hope is that this debug spam will help me detect when I've made an error in my Caddyfile, or if Caddy is having problems negotiating a certificate on a new domain for some reason.
Thank you in advance! And thank you for maintaining the image!
Regards,
Phil
Noticed the times of my uploaded files were wrong. Is there some sort of ENV variable for setting for example Asia/Singapore?
PHP v7.0.16 has a bug that throws this error under certain conditions: docker-library/php#376
I run into this error on my debian-based server:
ckeeney@staging $ cat /etc/issue
Debian GNU/Linux 8 \n \l
ckeeney@staging $ docker run --entrypoint=php abiosoft/caddy:php "-r random_int(0,1);"
PHP Fatal error: Uncaught Exception: Could not gather sufficient random data in Command line code:1
Stack trace:
#0 Command line code(1): random_int(0, 1)
#1 {main}
thrown in Command line code on line 1
I don't experience this problem on my Ubuntu-based laptop.
For quite a while, I've been thinking the php tag might be better built as FROM php:alpine. Installing Caddy is easy, it's just an executable. The way it is currently built restricts us to using exactly the version of PHP made available through the alpine repos.
When I built a container for Caddy with nodejs similar to the abiosoft/caddy:php image, I started from node:alpine and added Caddy. My nodejs + caddy Dockerfile looks something like this:
FROM node:7.2-alpine
RUN apk add --no-cache ack git curl
RUN npm install -g --progress=false \
        create-react-app serve yarn
# install caddy
ARG plugins=http.git
RUN curl --silent --show-error --fail --location \
        --header "Accept: application/tar+gzip, application/x-gzip, application/octet-stream" -o - \
        "https://caddyserver.com/download/linux/amd64?plugins=${plugins}" \
    | tar --no-same-owner -C /usr/bin/ -xz caddy \
    && chmod 0755 /usr/bin/caddy \
    && /usr/bin/caddy -version
WORKDIR /srv
COPY ./package.json /srv/package.json
COPY ./yarn.lock /srv/yarn.lock
RUN yarn
COPY . /srv
RUN yarn build
COPY ./Caddyfile /etc/Caddyfile
VOLUME /srv
EXPOSE 80
ENTRYPOINT ["/usr/bin/caddy"]
CMD ["--conf", "/etc/Caddyfile", "--log", "stdout"]
Running composer returns
env: can't execute 'php': No such file or directory
Symlinking ln -sf /usr/bin/php7 /usr/bin/php appears to fix the issue.
I'm receiving the following error using the caddy git plugin.
Activating privacy features... done.
fatal: unable to access 'https://github.com/julianvmodesto/julianvmodesto.com.git/': error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
It seems that ca-certificates is needed.
apk add ca-certificates
update-ca-certificates
I want to use restart: unless-stopped on my containers, but I realized that doing so with Caddy would be a bad idea on first deploy in the case that DNS/ports/etc are incorrect, because auto-TLS will fail. If Caddy exits because of TLS errors, the restart policy starts it right back up again and that means a rate limit will quickly be hit.
I'm not totally sure how to fix this (which is why I'm opening an issue, maybe you have a good idea for this @abiosoft), but this is my theory - I think we should have a bash script as the entrypoint, which can write to a file when Caddy exits with an error before doing the exit itself. If it boots back up, the entrypoint script should check the existence of that file and do an early cancel or something, to prevent it from trying TLS again and likely failing again.
Basically the idea is just doing an extra layer to the exponential back-off that the docker restart policies have to be safer from hitting rate limits.
I don't think there's different error codes for categories of errors in Caddy, having it return different codes than just 1 might be good to help differentiate for something like this.
Does this make sense?
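One way to implement the back-off the post above describes, as an added example that is not part of abiosoft/caddy-docker: a POSIX sh wrapper entrypoint that records each failed Caddy exit in a state file and, on the next start, sleeps for an exponentially growing delay before retrying, so a restart policy cannot hammer the ACME endpoint. It generalises the post's "early cancel" into a timed back-off with an upper bound; the state file path, the delays and the CADDY_WRAPPER_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example wrapper entrypoint (not part of abiosoft/caddy-docker).
# Each failed Caddy exit is recorded in a state file as "<count> <epoch>";
# the next start waits until an exponential back-off has elapsed.
# State path, delays and the CADDY_WRAPPER_RUN switch are assumptions.

STATE_FILE="${CADDY_STATE_FILE:-/root/.caddy/.failed-starts}"
BASE_DELAY="${CADDY_BASE_DELAY:-60}"     # seconds after the first failure
MAX_DELAY="${CADDY_MAX_DELAY:-3600}"     # upper bound for the back-off

# backoff_seconds COUNT: delay to apply after COUNT consecutive failures
# (BASE_DELAY doubled per extra failure, capped at MAX_DELAY).
backoff_seconds() {
    count=$1
    delay=$BASE_DELAY
    while [ "$count" -gt 1 ] && [ "$delay" -lt "$MAX_DELAY" ]; do
        delay=$((delay * 2))
        count=$((count - 1))
    done
    if [ "$delay" -gt "$MAX_DELAY" ]; then delay=$MAX_DELAY; fi
    echo "$delay"
}

# remaining_wait STATE_FILE NOW: seconds still to wait before a retry,
# 0 when there is no recorded failure or the back-off has already passed.
remaining_wait() {
    file=$1
    now=$2
    if [ ! -f "$file" ]; then
        echo 0
        return 0
    fi
    read -r count last < "$file"
    delay=$(backoff_seconds "$count")
    elapsed=$((now - last))
    if [ "$elapsed" -ge "$delay" ]; then
        echo 0
    else
        echo $((delay - elapsed))
    fi
}

# record_failure STATE_FILE NOW: bump the failure counter and store the time.
record_failure() {
    file=$1
    now=$2
    count=0
    if [ -f "$file" ]; then read -r count _ < "$file"; fi
    echo "$((count + 1)) $now" > "$file"
}

# run_caddy ARGS...: honour the back-off, run Caddy as a child (not exec'd, so
# its exit status can be observed) and update the state file accordingly.
run_caddy() {
    delay_left=$(remaining_wait "$STATE_FILE" "$(date +%s)")
    if [ "$delay_left" -gt 0 ]; then
        echo "last Caddy start failed; backing off ${delay_left}s before retrying" >&2
        sleep "$delay_left"
    fi
    /usr/bin/caddy "$@"
    status=$?
    if [ "$status" -ne 0 ]; then
        record_failure "$STATE_FILE" "$(date +%s)"
        exit "$status"
    fi
    rm -f "$STATE_FILE"   # clean exit: forget earlier failures
}

# Only start Caddy when used as the real entrypoint (CADDY_WRAPPER_RUN=1),
# so the functions above can be sourced and tested without starting Caddy.
if [ "${CADDY_WRAPPER_RUN:-0}" = "1" ]; then
    run_caddy "$@"
fi
```

Because Caddy is a child process rather than exec'd, run the wrapper under a small init such as dumb-init so that SIGTERM and SIGHUP still reach Caddy.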
7df05c0#diff-3254677a7917c6c01f55212f86c57fbfR18
This change breaks images which inherit and copy static source updates directly into /srv. Recreating containers with updated images will seemingly not take any effect, because volume mounts on /srv and the old content of existing data volumes overloads the newer ones.
Although you will not change it, it should be mentioned in the readme.
AFAIK there is currently no way to remove volumes from derived images. More on that here: moby/moby#3465
A simple solution is to copy static sources into another directory like /var/www and update your Caddyfile's root to this path.
Default php.ini is upload_max_filesize = 2M which is a bit on the small side. It'd be good to have a nice way to override this (without mapping php.ini out) or just have better defaults like at least 10MB. Cheers!
It would be great if this container was tagged in a way that updates to this repo didn't mutate tags on dockerhub. We've been using the 0.9.1 tags of this repo for a while, and recently ran into a problem where one of our containers failed to restart.
It turned out the 0.9.1 tag was mutated when you switched from running as root to running as caddy, and the restart caused the latest version to be pulled, which was incompatible with our setup.
I'm very new to both docker and caddy so this could be something wonky in my configuration. I can get the docker container to work without any custom caddyfile or source files, i.e. if I curl localhost:2015 I get the html from the generated page. However, when I add a custom caddyfile the docker instance dies.
Some details about my server:
docker version
Client:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built: Thu Aug 18 05:22:43 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built: Thu Aug 18 05:22:43 2016
OS/Arch: linux/amd64
This is my Caddyfile:
[my-domain]:8080
root /srv
log ../access.log
The domain itself does point to the server in question.
When I try to run this (whether as root or not): docker run -d -v $(pwd)/srv:/srv -v $(pwd)/etc/Caddyfile:/etc/Caddyfile abiosoft/caddy
the container instantly closes and the log for the container is as follows:
Activating privacy features...
Your sites will be served over HTTPS automatically using Let's Encrypt.
By continuing, you agree to the Let's Encrypt Subscriber Agreement at:
https://acme-v01.api.letsencrypt.org/terms
Please enter your email address so you can recover your account if needed.
You can leave it blank, but you'll lose the ability to recover your account.
2016/09/12 23:42:56 could not save user: mkdir /home/caddy: permission denied
Email address:
I can also confirm that I have put my own user in the docker group, I also set the group of the caddyfile and everything in srv to docker.
Here is my Caddyfile
tools.xxxx.com {
    proxy / localhost:5004 {
        transparent
    }
    # log / /home/caddy/logs/tools_access.log
}
But when I run caddy on the host directly, everything works well.
It's not possible to use the current example command for "Using git sources" as git can't clone into a non-empty directory.
2016/07/27 14:42:02 cannot git clone into ., directory not empty