Configuring Caddy with Wildcard Subdomains
Welcome, diligent learners. Today, I’ll guide you through setting up a Caddy v2 server on Ubuntu, fully configured to support automatic HTTPS and wildcard subdomains, with DNS managed through DigitalOcean.
Prerequisites: An Ubuntu system with a user account that has sudo privileges, and a domain name whose DNS is managed by DigitalOcean.
Step 1: Installing Caddy
Our journey begins with ensuring your system package lists are up to date. This is crucial to maintain software currency and security:
sudo apt-get update
Caddy is not available in the standard Ubuntu repositories, so we download the package directly from its GitHub releases page. At the time of writing, the latest stable version is v2.6.4:
wget https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_linux_amd64.deb
Next, we’ll install Caddy with dpkg, the Debian package manager tool:
sudo dpkg -i caddy_2.6.4_linux_amd64.deb
We should ensure Caddy was installed properly by checking its status:
systemctl status caddy
Step 2: Configuring Caddy for Wildcard Subdomains
With Caddy installed, we now focus on making it handle wildcard subdomains. This enables our server to route traffic from any subdomain (e.g., sub1.yourdomain.com, sub2.yourdomain.com) to our application.
This is achieved by editing Caddy’s main configuration file:
sudo nano /etc/caddy/Caddyfile
Now, insert the following server block:
*.yourdomain.com {
reverse_proxy 127.0.0.1:3000
}
The *.yourdomain.com syntax signals that the server block should handle any subdomain of "yourdomain.com". reverse_proxy 127.0.0.1:3000 instructs Caddy to forward all traffic it receives to an application running on the localhost (127.0.0.1) at port 3000.
Remember to replace “yourdomain.com” with your actual domain.
Step 3: Activating Automatic HTTPS with DigitalOcean DNS
Now to the pièce de résistance: Caddy’s automatic HTTPS. Out of the box, Caddy secures your sites with HTTPS by obtaining SSL/TLS certificates from Let’s Encrypt. But for wildcard certificates, we need to perform DNS validation.
With DigitalOcean as our DNS provider, we’ll require our DigitalOcean API token. This token allows Caddy to make DNS changes during the ACME DNS challenge, necessary for wildcard certificates. You can generate an API token from the DigitalOcean dashboard (remember, this token is sensitive data!).
Here’s the updated configuration with DigitalOcean DNS:
*.yourdomain.com {
reverse_proxy 127.0.0.1:3000
tls {
dns digitalocean {env.DIGITALOCEAN_API_TOKEN}
}
}
The {env.DIGITALOCEAN_API_TOKEN} placeholder makes Caddy read the token from the DIGITALOCEAN_API_TOKEN environment variable of the Caddy process, so the secret does not have to sit in the Caddyfile itself. Either set that variable for the service (for example in a systemd drop-in created with sudo systemctl edit caddy), or replace the placeholder with your actual DigitalOcean API token.
The tls directive instructs Caddy to secure the connection using TLS. The nested dns digitalocean {env.DIGITALOCEAN_API_TOKEN} is an instruction for Caddy to use DigitalOcean's DNS for the ACME DNS challenge, crucial for obtaining a wildcard certificate.
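Before restarting, it is worth running a few pre-flight checks; the script below is an added example, not part of the original post, and assumes the Caddyfile lives at /etc/caddy/Caddyfile and that Caddy runs under the systemd unit installed by the .deb. It checks that the dns.providers.digitalocean module is actually compiled into the caddy binary (the standard release build from Step 1 does not include DNS provider plugins; a build with the caddy-dns/digitalocean plugin is needed for the tls block above to load), that no literal API token was pasted into the Caddyfile, that the token variable is set in the unit's environment, and finally that the whole Caddyfile validates.

```shell
#!/bin/sh
# Pre-flight checks for the wildcard + DigitalOcean DNS setup (added example, not from the post).
# Assumptions: Caddyfile at /etc/caddy/Caddyfile; caddy from the .deb, managed by systemd;
# the token set with Environment= in a drop-in (an EnvironmentFile= is not reflected here).

# 0 if the module list on stdin (output of `caddy list-modules`) contains the DigitalOcean provider.
has_do_module() {
    grep -q '^dns\.providers\.digitalocean'
}

# 0 if every `dns digitalocean ...` line in the Caddyfile ($1) uses an {env.NAME} placeholder,
# 1 if any such line carries a literal token.
token_not_hardcoded() {
    ! grep -E 'dns[[:space:]]+digitalocean[[:space:]]+' "$1" \
        | grep -vqE '\{env\.[A-Za-z_][A-Za-z0-9_]*\}'
}

# 0 if the unit environment on stdin (output of `systemctl show -p Environment caddy`)
# defines DIGITALOCEAN_API_TOKEN for the Caddy process.
unit_exports_token() {
    grep -q 'DIGITALOCEAN_API_TOKEN='
}

preflight() {
    caddyfile="${1:-/etc/caddy/Caddyfile}"
    if ! caddy list-modules | has_do_module; then
        echo "dns.providers.digitalocean is not in this caddy binary; use a build with the DigitalOcean plugin" >&2
        return 1
    fi
    if ! token_not_hardcoded "$caddyfile"; then
        echo "literal API token found in $caddyfile; use {env.DIGITALOCEAN_API_TOKEN} instead" >&2
        return 1
    fi
    if ! systemctl show -p Environment caddy | unit_exports_token; then
        echo "DIGITALOCEAN_API_TOKEN is not set in the caddy unit environment (try: sudo systemctl edit caddy)" >&2
        return 1
    fi
    # Syntax and module check of the whole Caddyfile before the service is restarted.
    caddy validate --config "$caddyfile"
}

# Run the checks when caddy is installed; the functions can also be sourced and used on their own.
if command -v caddy >/dev/null 2>&1; then
    preflight "$@"
fi
```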
Once done, apply the changes by restarting Caddy:
sudo systemctl restart caddy
And there you have it! An expertly configured Caddy v2 server with wildcard subdomains, automatic HTTPS via Let’s Encrypt, and DNS management via DigitalOcean. Caddy gracefully handles certificate management, including automatic renewals.