Commit 12cb4f1

docs: add Caddy+LetsEncrypt TLS example (#4585)

* structure
* docs: add Caddy+LetsEncrypt TLS example

1 parent 0727c98, commit 12cb4f1

4 files changed: +199 -0 lines changed


‎docs/admin/configure.md

Lines changed: 6 additions & 0 deletions
@@ -23,6 +23,12 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`).
2323
>If you are providing TLS certificates directly to the Coder server, you must use a single certificate for the
2424
>root and wildcard domains. Multi-certificate support[is planned](https://github.com/coder/coder/pull/4150).
2525
26+
##TLS Certificates
27+
28+
The Coder server can directly use TLS certificates with`CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example.
29+
30+
- Example:[Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
31+
2632
##PostgreSQL Database
2733

2834
Coder uses a PostgreSQL database to store users, workspace metadata, and other deployment information.
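Review bot: the new `##TLS Certificates` paragraph should state what terminating TLS at the proxy implies for the Coder listener itself: when Caddy handles TLS and forwards to `localhost:3000` (as the linked Caddyfile does), the Coder server still serves plaintext HTTP on that port, so operators should bind it to a loopback or private address via `CODER_ADDRESS`, or firewall it as the linked README does with `sudo ufw deny 3000`, so that the only externally reachable listener is the TLS one. The blockquote just above this section, about needing a single certificate for the root and wildcard domains, applies only to the direct `CODER_TLS_ENABLE` path; one sentence saying that a reverse proxy may obtain certificates however it likes would avoid readers applying that constraint to the Caddy setup. Wording: "terminate TLS certificates from LetsEncrypt" reads better as "terminate TLS using certificates from Let's Encrypt".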

‎examples/web-server/caddy/Caddyfile

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
coder.example.com,*.coder.example.com {
2+
reverse_proxylocalhost:3000
3+
tls {
4+
on_demand
5+
issuer acme {
6+
email email@example.com
7+
}
8+
}
9+
}
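Review bot: `on_demand` is enabled without an `on_demand_tls { ask ... }` global option, so any client that presents a hostname under `*.coder.example.com` in its TLS handshake makes Caddy request a fresh certificate from the ACME issuer; that is the situation the Caddy documentation warns about, since a stream of made-up subdomains can exhaust the CA's rate limits and leave real app subdomains without certificates. Given that the README already recommends a wildcard certificate for production, either add a comment here marking on-demand issuance as a development convenience, or add a global `on_demand_tls` block whose `ask` endpoint points at something the operator controls that confirms the requested name is expected. Second, `reverse_proxy localhost:3000` does not match the `docker-compose.yaml` shipped in the same directory, which runs Coder at `coder:7080` (`CODER_ADDRESS: "0.0.0.0:7080"`), so every Compose user has to edit this line before anything works; a comment listing both values would make that visible without relying on the README's fix-up step.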

‎examples/web-server/caddy/README.md

Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,127 @@
1+
#Caddy
2+
3+
This is an example configuration of how to use Coder with[caddy](https://caddyserver.com/docs). To use Caddy to generate TLS certificates, you'll need a domain name that resolves to your Caddy server.
4+
5+
##Getting started
6+
7+
###With docker-compose
8+
9+
1.[Install Docker](https://docs.docker.com/engine/install/) and[Docker Compose](https://docs.docker.com/compose/install/)
10+
11+
1. Start with our example configuration
12+
13+
```sh
14+
# Create a project folder
15+
cd$HOME
16+
mkdir coder-with-caddy
17+
cd coder-with-caddy
18+
19+
# Clone coder/coder and copy the Caddy example
20+
git clone https://github.com/coder/coder /tmp/coder
21+
mv /tmp/coder/examples/web-server/caddy$(pwd)
22+
```
23+
24+
1. Modify the[Caddyfile](./Caddyfile) and change the following values:
25+
26+
-`localhost:3000`: Change to`coder:7080` (Coder container on Docker network)
27+
-`email@example.com`: Email to request certificates from LetsEncrypt/ZeroSSL (does not have to be Coder admin email)
28+
-`coder.example.com`: Domain name you're using for Coder.
29+
-`*.coder.example.com`: Domain name for wildcard apps, commonly used for[dashboard port forwarding](https://coder.com/docs/coder-oss/latest/networking/port-forwarding#dashboard). This is optional and can be removed.
30+
31+
1. Start Coder. Set`CODER_ACCESS_URL` and`CODER_WILDCARD_ACCESS_URL` to the domain you're using in your Caddyfile.
32+
33+
```sh
34+
export CODER_ACCESS_URL=https://coder.example.com
35+
export CODER_WILDCARD_ACCESS_URL=*.coder.example.com
36+
docker compose up -d# Run on startup
37+
```
38+
39+
###Standalone
40+
41+
1. If you haven't already,[install Coder](https://coder.com/docs/coder-oss/latest/install)
42+
43+
1. Install[Caddy Server](https://caddyserver.com/docs/install)
44+
45+
1. Copy our sample[Caddyfile](./Caddyfile) and change the following values:
46+
47+
>If you're installed Caddy as a system package, update the default Caddyfile with`vim /etc/caddy/Caddyfile`
48+
49+
-`email@example.com`: Email to request certificates from LetsEncrypt/ZeroSSL (does not have to be Coder admin email)
50+
-`coder.example.com`: Domain name you're using for Coder.
51+
-`*.coder.example.com`: Domain name for wildcard apps, commonly used for[dashboard port forwarding](https://coder.com/docs/coder-oss/latest/networking/port-forwarding#dashboard). This is optional and can be removed.
52+
-`localhost:3000`: Address Coder is running on. Modify this if you changed`CODER_ADDRESS` in the Coder configuration.
53+
54+
1.[Configure Coder](https://coder.com/docs/coder-oss/latest/admin/configure) and change the following values:
55+
56+
-`CODER_ACCESS_URL`: root domain (e.g.`https://coder.example.com`)
57+
-`CODER_WILDCARD_ACCESS_URL`: wildcard domain (e.g.`*.example.com`).
58+
59+
1. Start the Caddy server:
60+
61+
If you're[keeping Caddy running](https://caddyserver.com/docs/running) via a system service:
62+
63+
```sh
64+
sudo systemctl restart caddy
65+
```
66+
67+
Or run a standalone server:
68+
69+
```sh
70+
caddy run
71+
```
72+
73+
1. Optionally, use[ufw](https://wiki.ubuntu.com/UncomplicatedFirewall) or another firewall to disable external traffic outside of Caddy.
74+
75+
```sh
76+
# Check status of UncomplicatedFirewall
77+
sudo ufw status
78+
79+
# Allow SSH
80+
sudo ufw allow 22
81+
82+
# Allow HTTP, HTTPS (Caddy)
83+
sudo ufw allow 80
84+
sudo ufw allow 443
85+
86+
# Deny direct access to Coder server
87+
sudo ufw deny 3000
88+
89+
# Enable UncomplicatedFirewall
90+
sudo ufwenable
91+
```
92+
93+
1. Navigate to your Coder URL! A TLS certificate should be auto-generated on your first visit.
94+
95+
##Generating wildcard certificates
96+
97+
By default, this configuration uses Caddy's[on-demand TLS](https://caddyserver.com/docs/caddyfile/options#on-demand-tls) to generate a certificate for each subdomain (e.g.`app1.coder.example.com`,`app2.coder.example.com`). When users visit new subdomains, such as accessing[ports on a workspace](../../networking/port-forwarding.md), the request will take an additional 5-30 seconds since a new certificate is being generated.
98+
99+
For production deployments, we recommend configuring Caddy to generate a wildcard certificate, which requires an explicit DNS challenge and additional Caddy modules.
100+
101+
1. Install a custom Caddy build that includes the[caddy-dns](https://github.com/caddy-dns) module for your DNS provider (e.g. CloudFlare, Route53).
102+
103+
- Docker:[Build an custom Caddy image](https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modules) with the module for your DNS provider. Be sure to reference the new image in the`docker-compose.yaml`.
104+
105+
- Standalone:[Download a custom Caddy build](https://caddyserver.com/download) with the module for your DNS provider. If you're using Debian/Ubuntu, you[can configure the Caddy package](https://caddyserver.com/docs/build#package-support-files-for-custom-builds-for-debianubunturaspbian) to use the new build.
106+
107+
1. Edit your`Caddyfile` and add the necessary credentials/API tokens to solve the DNS challenge for wildcard certificates.
108+
109+
```diff
110+
tls {
111+
- on_demand
112+
issuer acme {
113+
email email@example.com
114+
}
115+
116+
+ dns route53 {
117+
+ max_retries 10
118+
+ aws_profile "real-profile"
119+
+ access_key_id "AKI..."
120+
+ secret_access_key "wJa..."
121+
+ token "TOKEN..."
122+
+ region "us-east-1"
123+
+ }
124+
}
125+
```
126+
127+
>Configuration reference from[caddy-dns/route53](https://github.com/caddy-dns/route53).
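Review bot: the `mv /tmp/coder/examples/web-server/caddy $(pwd)` step moves the whole `caddy` directory into the freshly created `coder-with-caddy` folder, so the files land in `./caddy/Caddyfile` and `./caddy/docker-compose.yaml`, while the later `docker compose up -d` runs from `coder-with-caddy` and the compose file mounts `$PWD/Caddyfile`; as written the step needs `cp -r /tmp/coder/examples/web-server/caddy/. .` (or a following `cd caddy`) to work. The Route53 snippet places `access_key_id`, `secret_access_key` and `token` as literal strings in the Caddyfile alongside `aws_profile`; a Caddyfile is commonly readable by all local users and tends to end up in version control, so the example should use Caddy's `{env.AWS_ACCESS_KEY_ID}`-style placeholders or the profile alone, and keep the static-credential form only with a comment that the values are placeholders. Smaller points: "If you're installed Caddy as a system package" should be "If you've installed"; the `CODER_WILDCARD_ACCESS_URL` example gives `*.example.com` while every other place in this change uses `*.coder.example.com`; and the ufw step only matters if Coder listens on all interfaces, so it is worth saying that `CODER_ADDRESS=127.0.0.1:3000` is the simpler fix, with the firewall rule as a second layer.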
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
version:"3.9"
2+
services:
3+
coder:
4+
image:ghcr.io/coder/coder:${CODER_VERSION:-latest}
5+
environment:
6+
CODER_PG_CONNECTION_URL:"postgresql://${POSTGRES_USER:-username}:${POSTGRES_PASSWORD:-password}@database/${POSTGRES_DB:-coder}?sslmode=disable"
7+
CODER_ADDRESS:"0.0.0.0:7080"
8+
# You'll need to set CODER_ACCESS_URL to an IP or domain
9+
# that workspaces can reach. This cannot be localhost
10+
# or 127.0.0.1 for non-Docker templates!
11+
CODER_ACCESS_URL:"${CODER_ACCESS_URL}"
12+
# Optional) Enable wildcard apps/dashboard port forwarding
13+
CODER_WILDCARD_ACCESS_URL:"${CODER_WILDCARD_ACCESS_URL}"
14+
# If the coder user does not have write permissions on
15+
# the docker socket, you can uncomment the following
16+
# lines and set the group ID to one that has write
17+
# permissions on the docker socket.
18+
#group_add:
19+
# - "998" # docker group on host
20+
volumes:
21+
-/var/run/docker.sock:/var/run/docker.sock
22+
depends_on:
23+
database:
24+
condition:service_healthy
25+
database:
26+
image:"postgres:14.2"
27+
ports:
28+
-"5432:5432"
29+
environment:
30+
POSTGRES_USER:${POSTGRES_USER:-username}# The PostgreSQL user (useful to connect to the database)
31+
POSTGRES_PASSWORD:${POSTGRES_PASSWORD:-password}# The PostgreSQL password (useful to connect to the database)
32+
POSTGRES_DB:${POSTGRES_DB:-coder}# The PostgreSQL default database (automatically created at first launch)
33+
volumes:
34+
-coder_data:/var/lib/postgresql/data# Use "docker volume rm coder_coder_data" to reset Coder
35+
healthcheck:
36+
test:
37+
[
38+
"CMD-SHELL",
39+
"pg_isready -U ${POSTGRES_USER:-username} -d ${POSTGRES_DB:-coder}",
40+
]
41+
interval:5s
42+
timeout:5s
43+
retries:5
44+
caddy:
45+
image:caddy:2.6.2
46+
ports:
47+
-"80:80"
48+
-"443:443"
49+
-"443:443/udp"
50+
volumes:
51+
-$PWD/Caddyfile:/etc/caddy/Caddyfile
52+
-caddy_data:/data
53+
-caddy_config:/config
54+
volumes:
55+
coder_data:
56+
caddy_data:
57+
caddy_config:
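Review bot: the `database` service publishes `"5432:5432"`, which exposes PostgreSQL with the default `username`/`password` credentials on every host interface, and because Docker installs its own iptables rules for published ports, the ufw rules the README sets up (allow 22/80/443, deny 3000) do not cover it. The `coder` service already reaches the database over the Compose network by the service name `database`, so the `ports:` entry can be dropped; if host access is wanted for debugging, bind it as `"127.0.0.1:5432:5432"`. Related: the connection URL uses `sslmode=disable`, which is acceptable on the internal bridge but deserves a comment so it is not carried over to a deployment with a remote database. Also, the comment `# Optional) Enable wildcard apps/dashboard port forwarding` is missing its opening parenthesis.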

0 commit comments