abiosoft / caddy-docker Goto Github PK

I want to use restart: unless-stopped on my containers, but I realized that doing so with Caddy would be a bad idea on first deploy in the case that DNS/ports/etc are incorrect, because auto-TLS will fail. If Caddy exits because of TLS errors, the restart policy starts it right back up again and that means a rate limit will quickly be hit.

I'm not totally sure how to fix this (which is why I'm opening an issue, maybe you have a good idea for this @abiosoft), but this is my theory - I think we should have a bash script as the entrypoint, which can write to a file when Caddy exits with an error before doing the exit itself. If it boots back up, the entrypoint script should check the existence of that file and do an early cancel or something, to prevent it from trying TLS again and likely failing again.

Basically the idea is just doing an extra layer to the exponential back-off that the docker restart policies have to be safer from hitting rate limits.

I don't think there's different error codes for categories of errors in Caddy, having it return different codes than just 1 might be good to help differentiate for something like this.

Does this make sense?

This took me sadly some time to figure out the issue. VOLUME I believe prevents composer from writing out the dependencies to /srv/

FROM abiosoft/caddy:php
RUN touch /srv/foobar
RUN ls /srv/

And it needs to be there for a typical require 'vendor/autoload.php'; pattern.

BUT when I try composer global require aws/aws-sdk-php it installs to /root/.composer/ and I get permission denied trying to use that directory.

Noticed the times of my uploaded files were wrong. Is there some sort of ENV variable for setting for example Asia/Singapore?

JSON decoding is pretty common. Can you please add php-json to the packages?

It might make sense to use some small init daemon in order to handle signals:
https://github.com/Yelp/dumb-init

Thanks for taking the time to create this docker. When I try to enter the docker container i receive an error. Did you purposely disable /bin/bash?

sudo docker exec -it mycaddy /bin/bash

rpc error: code = 2 desc = "oci runtime error: exec failed: exec: "/bin/bash": stat /bin/bash: no such file or directory"

Is there a reason why this uses the ADD instruction over COPY for the Caddyfile and index.html files? From what I understand, COPY is generally preferred.

• https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/add-or-copy
• https://www.ctl.io/developers/blog/post/dockerfile-add-vs-copy/

I can create a pull request if you want.

Do you think it's worth combining the two RUN commands into a single one to reduce the number of layers? Also, it might be good to add a command near the end to remove the packages only needed for building the image (curl and tar). It'd probably look something like:

apk add --update --no-cache --virtual .build-deps tar curl \
&& apk add --update --no-cache openssh-client git \
...
apk del .build-deps 

Also, why is openssh-client package needed?

Official binaries of Caddy are now under EULA.
This makes the images distributed on docker hub non-compliant.

https://github.com/mholt/caddy/blob/master/dist/EULA.txt

Hi there, great repo!

I have a question regarding 301 redirects.
I have an app that listens to a web server on url: http://app.example.com, but now I've set up https with this repo, and it redirects all http requests to https.

So far so good.
But I found that the app doesn't work now because it requests the http version, and the endpoint keeps returning 301 Moved Permanently.

What do I do?
I've updated the URL in the app to https, but obviously I also want the http app-version to work.

How can I make the http route work again?

Hi @abiosoft

The latest build (0.10.9, published to docker hub 3hrs before this issue) contains the sponsor header that caddy master has already removed. Could you pull latest caddy and rebuild?

Thanks a lot for quickly setting up the built from source image.

Regards,
Po

It's not possible to use the current example command for "Using git sources" as git can't clone into a non-empty directory.

2016/07/27 14:42:02 cannot git clone into ., directory not empty

This is required for serving WebSocket secure. See https://caddyserver.com/docs/cli#http2.

Currently /srv can not be directly set in the Kitematic UI, just /root.caddy.

Running composer returns

env: can't execute 'php': No such file or directory

Symlinking ln -sf /usr/bin/php7 /usr/bin/php appears to fix the issue.

I thought about forking this repo, but that'd mean that my version will get outdated over time.

Is there any better solution? This surely can't be it.

Howdy,

Any news on a 0.8 release[1]?

[1] https://caddyserver.com/blog/caddy-0_8-released

I configured Docker Compose to set up Caddy, WordPress, and MySQL. The site works fine, except when I upload a theme it says "Unable to create directory wp-content/uploads/2016/09. Is its parent directory writable by the server?".

I am thinking that this is because I am using the PHP version of Caddy and that that is trying to add the theme files to the WordPress container by way of a mounted volume, and that WordPress's container doesn't recognize the Caddy container as the www-data user. Is that correct? How do I fix this?

Here is my setup.

Thanks

here is my Caddyfile

tools.xxxx.com {
	proxy / localhost:5004 {
		transparent
	}
#	log / /home/caddy/logs/tools_access.log
}

But when I run caddy on the host directly, everything works well

I read README, but not found how to activate several plugins for this container. For example, I want to activate ipfilter plugin.

This is my Dockerfile

FROM abiosoft/caddy

RUN mkdir -p /root/.caddy/
RUN mkdir -p /root/gocode/callrecords-service/logs
COPY ./Caddyfile /etc/

Running this php file:

# index.php
<?php
die(session_start());

returns

PHP message: PHP Fatal error:  Uncaught Error: Call to undefined function session_start() in /srv/index.php:3

PHP docs indicate that PHP sessions are enabled by default. Alpine ships PHP sessions as a separate package, php7-session.

I think that package should be added to the abiosoft/caddy:php image but if not, we should document how to add it.

It may be a good idea to compare php7 -i in abiosoft/caddy:php to php -i in php:fpm-alpine and add a few things that people expect to be there.

I solved this for my case with

FROM abiosoft/caddy:php
RUN apk --update add --no-cache \
    php7-session \
    && rm -rf /var/cache/apk/*

I get this when I start up the caddy:php server, any ideas what is meant by this?
I know it's just an info notice, just curious what (and why) it's blocking.

2017/03/21 08:27:53 [INFO] Blocking Command:"php-fpm7 "

Currently trying to use caddy as a reverse proxy for a simple web application hosted on a digitalocean droplet.

Although caddy seems to be configured correctly, the only response I get when accessing mysite.com is a 301 to a bad https page.

Caddyfile:

mysite.com {

	proxy / web:8083 {
		header_upstream Host {host}
		header_upstream X-Real-IP {remote}
		header_upstream X-Forwarded-Proto {scheme}
	}

	tls [email protected]
}

docker-compose.yml:

version: '2'

services:
  caddy:
    build: ./caddy 
    ports:
      - 80:80
    networks:
      - frontend
  web:
    build: ./src/web
    container_name: web
    expose:
      - "8083"
    restart: "always"
    networks:
      - frontend

networks:
  frontend:

volumes:
  data: { }

I'm building the caddyfile myself because using docker-compose volumes doesn't seem to put the file on a remote host, or I'll get an 'oci error' (for which all issues in the docker repo just blame aufs).

The dockerfile for caddy looks like this:

FROM zzrot/alpine-caddy
COPY ./.caddy /root/.caddy
COPY ./Caddyfile /etc/Caddyfile
CMD ["caddy", "--conf", "/etc/Caddyfile"]

If I run docker-compose up with the remote machine set in docker-machine, it gives the following output:
caddy_1 | Activating privacy features... done.

Any request to mysite.com returns a 301 to https://mysite.com, but that request doesn't seem to go anywhere.

Curl gives the following output:

mysite master % curl -v mysite.com
* Rebuilt URL to: mysite.com/
*   Trying 138.197.4.182...
* Connected to mysite.com (138.197.4.182) port 80 (#0)
> GET / HTTP/1.1
> Host: mysite.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://mysite.com/
< Server: Caddy
< Date: Wed, 02 Nov 2016 17:04:53 GMT
< Content-Length: 57
< Content-Type: text/html; charset=utf-8
<
<a href="https://mysite.com/">Moved Permanently</a>.

* Connection #0 to host mysite.com left intact

And in a browser, chrome just displays:

This site can’t be reached

mysite.com refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

Any ideas? Maybe I've misconfigured something. I've checked other issues here and in the caddy repo and can't find anything with quite the same problem.

@abiosoft Would you be able to provide some example docker-compose.yml files for this and the official WordPress/MariaDB docker images? Being new to Docker, I'm having some trouble configuring it to get it to work.

7df05c0#diff-3254677a7917c6c01f55212f86c57fbfR18

This change breaks images which inherit and copy static source updates directly into /srv. Recreating containers with updated images will seemingly not take any effect, because volume mounts on /srv and the old content of existing data volumes overloads the newer ones.

Although you will not change it, it should be mentioned in the readme.

AFAIK there is currently no way to remove volumes from derived images. More on that here: moby/moby#3465

A simple solution is to copy static sources into another directory like /var/www and update your Caddyfile's root to this path.

The only way to add more PHP extensions is forking the Dockerfile and hardcoding them?

It would be great if this container was tagged in a way that updates to this repo didn't mutate tags on dockerhub. We've been using the 0.9.1 tags of this repo for a while, and recently ran into a problem where one of our containers failed to restart.

It turned out the 0.9.1 tag was mutated when you switched from running as root to running as caddy, and the restart caused the latest version to be pulled, which was incompatible with our setup.

Would like to use alpine:latest, 3.6 at the time of this writing.

I hit a bit of an odd problem using this in our environment. Basically I needed caddy to listen on 9000 but since php was using it the container would crash. It's probably best to use a unix socket for php-fpm since it doesn't talk to anyone but Caddy anyway.

I solved this in the Dockerfile with:

RUN  sed -i 's|listen\s*=.*|listen = /var/run/php5-fpm.sock|' /etc/php/php-fpm.conf

And then I set the Caddyfile directive

fastcgi / unix:/var/run/php5-fpm.sock php

Maybe it's too odd to pull into the mainstream image. But I thought I'd bring it up anyway. Now caddy can bind anywhere it wants without conflict.

I'm receiving the following error using the caddy git plugin.

Activating privacy features... done.
fatal: unable to access 'https://github.com/julianvmodesto/julianvmodesto.com.git/': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

It seems that ca-certificates is needed.

apk add ca-certificates
update-ca-certificates

I'm not sure where this issue is from but I noticed when loading my Caddyfile using this container I get 2 files created in my /srv directory called 10 and access.log.

Here's my Caddyfile.

0.0.0.0:2015 {
    gzip
    log /logs/requests.log {
    	rotate_size 50  # Rotate after 50 MB
    	rotate_age  90  # Keep rotated files for 90 days
    	rotate_keep 10  # Keep at most 10 log files
    	rotate_compress # Compress rotated log files in gzip format
    }
    errors /logs/errors.log {
    	rotate_size 50  # Rotate after 50 MB
    	rotate_age  90  # Keep rotated files for 90 days
    	rotate_keep 10  # Keep at most 10 log files
    	rotate_compress # Compress rotated log files in gzip format
    }
    fastcgi / 127.0.0.1:9000 php # php variant only
    startup php-fpm7 & # php variant only
}

After running this the files appear in $(pwd)/root/sites/user123/example.com/www.

docker run -d \
   -p 2015:2015 \
   -v $(pwd)/.caddy/php/Caddyfile:/etc/Caddyfile \
   -v $(pwd)/root/sites/user123/example.com/www:/srv \
   -v $(pwd)/root/sites/user123/example.com/logs:/logs \
   --name=example.com \
   abiosoft/caddy:php

Again, much appreciate this project. Are you taking any contributions? I'd like to add timezone and other options?

Hi,

I want to rebuild docker image by myself like this:

caddy-docker:master ✓ ➭ docker build --no-cache=true -t caddytest .
Sending build context to Docker daemon 165.4 kB
Step 1 : FROM alpine:3.2
 ---> d6ead20d5571
Step 2 : MAINTAINER Abiola Ibrahim <[email protected]>
 ---> Running in e402e0822682
 ---> a8fd5f89bae8
Removing intermediate container e402e0822682
Step 3 : LABEL caddy_version "0.8" architecture "amd64"
 ---> Running in bec50acb46d3
 ---> bd13eec6afe3
Removing intermediate container bec50acb46d3
Step 4 : RUN apk add --update openssh-client git tar
 ---> Running in cc3b2d9b0f10
fetch http://dl-4.alpinelinux.org/alpine/v3.2/main/x86_64/APKINDEX.tar.gz
(1/15) Installing run-parts (4.4-r0)
(2/15) Installing openssl (1.0.2e-r0)
(3/15) Installing lua5.2-libs (5.2.4-r0)
(4/15) Installing lua5.2 (5.2.4-r0)
(5/15) Installing ncurses-terminfo-base (5.9-r3)
(6/15) Installing ncurses-widec-libs (5.9-r3)
(7/15) Installing lua5.2-posix (33.3.1-r2)
(8/15) Installing ca-certificates (20141019-r2)
(9/15) Installing libssh2 (1.5.0-r0)
(10/15) Installing curl (7.42.1-r0)
(11/15) Installing expat (2.1.0-r1)
(12/15) Installing pcre (8.37-r1)
(13/15) Installing git (2.4.1-r0)
(14/15) Installing openssh-client (6.8_p1-r4)
(15/15) Installing tar (1.28-r0)
Executing busybox-1.23.2-r0.trigger
Executing ca-certificates-20141019-r2.trigger
OK: 26 MiB in 30 packages
 ---> 3273f1881310
Removing intermediate container cc3b2d9b0f10
Step 5 : RUN mkdir /caddysrc && curl -sL -o /caddysrc/caddy_linux_amd64.tar.gz "http://caddyserver.com/download/build?os=linux&arch=amd64&features=git" && tar -xf /caddysrc/caddy_linux_amd64.tar.gz -C /caddysrc && mv /caddysrc/caddy /usr/bin/caddy && chmod 755 /usr/bin/caddy && rm -rf /caddysrc && printf "0.0.0.0\nbrowse" > /etc/Caddyfile
 ---> Running in 0a07b399743c
 ---> 2dc36f69ef3b
Removing intermediate container 0a07b399743c
Step 6 : RUN mkdir /srv
 ---> Running in e6810d635e75
 ---> c84590abf9ef
Removing intermediate container e6810d635e75
Step 7 : EXPOSE 2015
 ---> Running in d4c5fa86a59e
 ---> a363a3fa2473
Removing intermediate container d4c5fa86a59e
Step 8 : EXPOSE 443
 ---> Running in 99f368230894
 ---> b54375eda9e1
Removing intermediate container 99f368230894
Step 9 : EXPOSE 80
 ---> Running in e257eb6f71ee
 ---> 86b479f70fc7
Removing intermediate container e257eb6f71ee
Step 10 : WORKDIR /srv
 ---> Running in e80b958c5ace
 ---> c138f2b10bba
Removing intermediate container e80b958c5ace
Step 11 : ENTRYPOINT /usr/bin/caddy
 ---> Running in 657d63f28087
 ---> e26078730911
Removing intermediate container 657d63f28087
Step 12 : CMD --conf /etc/Caddyfile
 ---> Running in ea5f8c3b094e
 ---> 0ac0949135bd
Removing intermediate container ea5f8c3b094e
Successfully built 0ac0949135bd

But when start container -- I get error:

caddy-docker:master ✓ ➭ docker run -d -v /tmp/sharer:/srv -p 80:80 -p 443:443 caddytest
21e1969881a61e6953e8a05d8cc2742663243a69b475761cb1eddccb91b24625
Error response from daemon: Cannot start container 21e1969881a61e6953e8a05d8cc2742663243a69b475761cb1eddccb91b24625: [8] System error: no such file or directory

Some googling get me this issue moby/moby#14972
It refers to rebuild binary to statically linked, but in Dockerfile in this repo it just downloads prepared binary from caddyserver.com

In same time image pulled from docker hub works fine:

➭ docker run -d -v /tmp/sharer:/srv -p 80:2015 abiosoft/caddy       
a675879b2ec65a277d4af35efe943b0c1a4c2909b210a6666f0a0ac81a469c3d
➭ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                   NAMES
a675879b2ec6        abiosoft/caddy      "/usr/bin/caddy --con"   5 seconds ago       Up 4 seconds        80/tcp, 443/tcp, 0.0.0.0:80->2015/tcp   jolly_easley

Please, can you show instructions to reproduce working image?

Any plans to include it?

if you look at https://github.com/BlackGlory/caddy-proxy you'll see that his package automatically regenerates a Caddyfile every time a new docker container gets fired. it looks at the environment variable, which contains the name we want the container to answer to, and maps appropriately.

it'd be great if this package could do this. reason: this package has 500+K pulls whilst BlackGlory's has 385 and gets no support. I can't make it work (I've already spent too much time trying) but I love the functionality

would it be difficult to do?

I tried to reload the configuration to make iterations faster with:

 docker kill -s HUP caddy

But it didn't appear to work. This is my service file I was using btw: http://s.natalian.org/2016-01-10/caddy.service

I'm very new to both docker and caddy so this could be something wonky in my configuration. I can get the docker container to work without any custom caddyfile or source files, i.e. if I curl localhost:2015 I get the html from the generated page. However, when I add a custom caddyfile the docker instance dies.

Some details about my server:

• Ubuntu 14.04

docker version

Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:22:43 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:22:43 2016
 OS/Arch:      linux/amd64

This is my Caddyfile:

[my-domain]:8080
root /srv
log ../access.log

the domain itself does point to the server in question.

When I try to run this (whether as root or not): docker run -d -v $(pwd)/srv:/srv -v $(pwd)/etc/Caddyfile:/etc/Caddyfile abiosoft/caddy

the container instantly closes and the log for the container is as follows:

Activating privacy features...
Your sites will be served over HTTPS automatically using Let's Encrypt.
By continuing, you agree to the Let's Encrypt Subscriber Agreement at:
  https://acme-v01.api.letsencrypt.org/terms
Please enter your email address so you can recover your account if needed.
You can leave it blank, but you'll lose the ability to recover your account.
2016/09/12 23:42:56 could not save user: mkdir /home/caddy: permission denied
Email address:

I can also confirm that I have put my own user in the docker group, I also set the group of the caddyfile and everything in srv to docker.

PHP v7.0.16 has a bug that throws this error under certain conditions: docker-library/php#376

I run into this error on my debian-based server:

ckeeney@staging $ cat /etc/issue
Debian GNU/Linux 8 \n \l

ckeeney@staging $ docker run --entrypoint=php abiosoft/caddy:php "-r random_int(0,1);"
PHP Fatal error:  Uncaught Exception: Could not gather sufficient random data in Command line code:1
Stack trace:
#0 Command line code(1): random_int(0, 1)
#1 {main}
  thrown in Command line code on line 1

I don't experience this problem on my Ubuntu-based laptop.

For quite a while, I've been thinking the php tag might be better built as FROM php:alpine. Installing Caddy is easy, it's just an executable. The way it is currently built restricts us to using exactly the version of PHP made available through the alpine repos.

When I built a container for Caddy with nodejs similar to the abiosoft/caddy:php image, I started from node:alpine and added Caddy. My nodejs + caddy Dockerfile looks something like this:

FROM node:7.2-alpine
RUN apk add --no-cache ack git curl
RUN npm install -g --progress=false \
    create-react-app serve yarn

# install caddy
ARG plugins=http.git
RUN curl --silent --show-error --fail --location \
    --header "Accept: application/tar+gzip, application/x-gzip, application/octet-stream" -o - \
    "https://caddyserver.com/download/linux/amd64?plugins=${plugins}" \
    | tar --no-same-owner -C /usr/bin/ -xz caddy \
    && chmod 0755 /usr/bin/caddy \
    && /usr/bin/caddy -version

WORKDIR /srv
COPY ./package.json /srv/package.json
COPY ./yarn.lock /srv/yarn.lock
RUN yarn
COPY . /srv
RUN yarn build
COPY ./Caddyfile /etc/Caddyfile
VOLUME /srv
EXPOSE 80
ENTRYPOINT ["/usr/bin/caddy"]
CMD ["--conf", "/etc/Caddyfile", "--log", "stdout"]

Why does caddy run as root, again? Why did you remove the separation with 0.9.3?

be00e81

Hey guys,

The commit/change below broke the SSL on my live server all of the sudden. I'd want to inquiry about a couple of things in this regard -

1. What's your policy in regard to making changes that break stuff like this? Meaning is there a release notes document, a change log, release schedule or something I would subscribe to to be aware of coming changes?
2. Would you recommend not use "latest" image and freeze the one I am happy with? Not the best option in my opinion in case of security patch releases etc.
3. Any other options I would leverage to have my apps safe from such issues?

Here's the commit I am referring to:

be00e81#diff-04c6e90faac2675aa89e2176d2eec7d8R110

https://github.com/mholt/caddy/releases/tag/v0.8.3

0.10.4 was recently released: https://github.com/mholt/caddy/releases/tag/v0.10.4

Default php.ini is upload_max_filesize = 2M which is a bit on the small size. Be good to nice way to override this (without mapping php.ini out) or just have better defaults like at least 10MB. Cheers!

Should there be a USER instruction included in the Dockerfile for added security as described in https://www.youtube.com/watch?v=LmUw2H6JgJo?

#Trying to figure out why
proxy / IP:PORT
works but
proxy / domain:PORT
doesn't (times out or bad gateway)
Any idea what can be a problem? If I /bin/sh into caddy container, I can resolve domain to IP.
Using a shared network that supports IPv6.

Since the ipfilter addon is included by default, should the GeoLite2 Country database be copied into the image so filtering clients based on countries codes would be possible? I guess the other option would be to include instructions about how to add the database manually. One way would be to build a custom image based from this one which copies it to the newly created image. Adding it as a volume at run time might also work.

Greetings!

I understand Caddy has some debug logging capability using the -log flag on the Caddy binary. Is there a way to output this to a file using the abiosoft/caddy container image?

The hope is that this debug spam will help me detect when I've made an error in my Caddyfile, or if Caddy is having problems negotiating a certificate on a new domain for some reason.

Thank you in advance! And thank you for maintaining the image!

Regards,

Phil

I want to host several PHP sites in one container since having a container for each of my little sites is a bit overkill.

However if I duplicate fastcgi / 127.0.0.1:9000 php it borks with a Address in use error.

Here are my configs: http://s.natalian.org/2016-02-11/bug.tar

Is there a better way to share one PHP FPM?

On the latest release I get a permission error when attempting to bind to 443:

443: bind: permission denied

[command]
docker run -d -p 80:80 -p 443:443 --name caddy -v $(pwd)/Caddyfile:/etc/Caddyfile -v $(pwd):/srv -v $(pwd):/root/.caddy abiosoft/caddy

Rolling back to 0.9.0 resolves the error.

I noticed that the user changed per your comment in another ticket, non-root now using caddy.

Would setcap resolve the permissions issue ?