Dockerized Caddy Web Server (fork of github.com/abiosoft/caddy-docker)

caddy

A Docker image for Caddy. This image includes the plugins needed to reverse proxy GitLab CE.

Getting Started (GitLab)

The main purpose of this image is to replace NGINX, which was removed from the gotfix/gitlab container image. This should be considered a good thing, since we no longer depend on updates of that image to update the frontend reverse proxy. As a bonus, Caddy lets you have SSL certificates at no additional cost, thanks to Let's Encrypt. Let's get started.

Pulling caddy image for Gitlab

We will start by making sure that the gotfix/caddy:latest-gitlab image is pulled to the local host:

$ docker pull gotfix/caddy:latest-gitlab

This should pull the latest image to your host and you should be able to start it now.

Configuring Caddy to front GitLab installation

The following command starts Caddy on ports 80 and 443 and links it to the running GitLab container named gitlab. Caddy will attempt to obtain a certificate for the gitlab.example.com host using the standard HTTP challenge. To use the DNS challenge instead, refer to DNS Challenge settings (Let's Encrypt).

$ docker run -d \
    --link=gitlab:gitlab \
    --env="GITLAB_HOST=gitlab.example.com" \
    --env="TLS_AGREE=true" \
    --env="CADDY_EMAIL=admin@example.com" \
    -v $HOME/.caddy:/root/.caddy \
    -p 80:80 -p 443:443 \
    gotfix/caddy:latest-gitlab

You can also pass additional arguments to the caddy executable. For the list of available command line arguments for caddy, please refer to https://caddyserver.com/docs/cli

For a docker-compose installation, please refer to the example gitlab docker-compose.

List of available configuration options

General Parameters

| Parameter | Description |
|---|---|
| DUMP_CADDY_CONFIG | If set to true, dumps the final Caddy configuration file to stdout. You can see it by executing docker logs -f caddy-gitlab. Defaults to false. |
| DEBUG | Enables DEBUG mode for the shell scripts. Defaults to false. |

GitLab

| Parameter | Description |
|---|---|
| GITLAB_HOST | Hostname of the GitLab installation that is accessible externally. Defaults to localhost. You will need to set it to an FQDN to be able to have SSL/TLS enabled. |
| GITLAB_IP | gitlab-workhorse IP address. Note that by default, localhost and 127.0.0.1 refer to the Caddy container itself, unless you are using --net=host. Defaults to the address of the linked gitlab container on port 8181. |
| GITLAB_PORT | Port number that gitlab-workhorse is listening on. Defaults to 8181. |

GitLab Pages

| Parameter | Description |
|---|---|
| GITLAB_PAGES_HOST | Domain for GitLab Pages. This should be a different domain/host from GitLab itself; subdomains are OK too. No default. See https://docs.gitlab.com/ce/user/project/pages/index.html for more information. |
| GITLAB_PAGES_IP | IP address of the gitlab-pages daemon. Defaults to the same IP as GITLAB_IP. |
| GITLAB_PAGES_PORT | Port that the gitlab-pages daemon is listening on. Defaults to 8090. |

GitLab Registry

| Parameter | Description |
|---|---|
| GITLAB_REGISTRY_HOST | Hostname of the registry server. No default. |
| GITLAB_REGISTRY_IP | Registry service IP address. Note that by default, localhost and 127.0.0.1 refer to the Caddy container itself, unless you are using --net=host. Defaults to the address of the linked registry container on port 5000. Required if no linked container is present. |
| GITLAB_REGISTRY_PORT | Port that the registry server is listening on. Defaults to 5000. |

Grafana

| Parameter | Description |
|---|---|
| GRAFANA_HOST | Hostname of the Grafana server. No default. |
| GRAFANA_IP | Grafana service IP address. Note that by default, localhost and 127.0.0.1 refer to the Caddy container itself, unless you are using --net=host. Defaults to the address of the linked grafana container on port 3000. Required if no linked container is present. |
| GRAFANA_PORT | Port that the Grafana server is listening on. Defaults to 3000. |

Mattermost

| Parameter | Description |
|---|---|
| MM_HOST | Hostname of the Mattermost server. No default. |
| MM_IP | Mattermost service IP address. Note that by default, localhost and 127.0.0.1 refer to the Caddy container itself, unless you are using --net=host. Defaults to the address of the linked mattermost container on port 8080. Required if no linked container is present. |
| MM_PORT | Port that the Mattermost server is listening on. Defaults to 8080. |

TLS/SSL settings

| Parameter | Description |
|---|---|
| TLS_AGREE | Indicates that you have read and agree to the Let's Encrypt Subscriber Agreement. If this flag is not set to true, Caddy may prompt you to agree to the terms at runtime, so this flag is recommended in automated environments. Defaults to false. |
| CADDY_EMAIL | Email address to use for TLS certificate generation. It is required so you can recover your account if you lose your private key. If an email is not available, Caddy will not enable TLS/SSL. No default. |

DNS Challenge settings (Let's Encrypt)

| Parameter | Description |
|---|---|
| GL_TLS_DNS_PROVIDER | DNS provider for the GitLab host. See https://caddyserver.com/docs/automatic-https for the list of available providers and corresponding settings. No default. |
| GLP_TLS_DNS_PROVIDER | DNS provider for the GitLab Pages host. See https://caddyserver.com/docs/automatic-https for the list of available providers and corresponding settings. No default. |
| GLR_TLS_DNS_PROVIDER | DNS provider for the GitLab Registry host. See https://caddyserver.com/docs/automatic-https for the list of available providers and corresponding settings. No default. |
| GRAFANA_TLS_DNS_PROVIDER | DNS provider for the Grafana host. See https://caddyserver.com/docs/automatic-https for the list of available providers and corresponding settings. No default. |
| MM_TLS_DNS_PROVIDER | DNS provider for the Mattermost host. See https://caddyserver.com/docs/automatic-https for the list of available providers and corresponding settings. No default. |

Example settings for enabling DNS Challenge

This image has placeholders for the configuration of DNS Challenge providers, but you will also need to supply the corresponding provider settings (Enabling the DNS Challenge) to make it work. Below is an example of configuring Cloudflare as your DNS provider.

If you are using plain docker (not docker-compose), the following additional --env settings will be required to run GitLab (similar settings are available for Pages and Registry):

$ docker run -d \
    --link=gitlab:gitlab \
    --env="GITLAB_HOST=gitlab.example.com" \
    --env="TLS_AGREE=true" \
    --env="CADDY_EMAIL=admin@example.com" \
    --env="GL_TLS_DNS_PROVIDER=cloudflare" \
    --env="CLOUDFLARE_EMAIL=admin@example.com" \
    --env="CLOUDFLARE_API_KEY=ffffffffffffffffffffffffffff" \
    -v $HOME/.caddy:/root/.caddy \
    -p 80:80 -p 443:443 \
    gotfix/caddy:latest-gitlab

For docker-compose, you will have to configure something similar to the following:

version: '2'

services:
  caddy:
    restart: always
    image: gotfix/caddy:latest-gitlab
    depends_on:
    - gitlab # Ensures that caddy will relink if gitlab container is restarted
    command:
    - -quic
    ports:
    - 80:80
    - 443:443
    environment:
    - TLS_AGREE=true # Indicates that you have read and agree to the Let's Encrypt Subscriber Agreement.
    - CADDY_EMAIL=admin@example.com # Make sure this email is yours and reachable
    - GITLAB_HOST=gitlab.example.com # Hostname of the GitLab installation that this server is reachable at
    - GITLAB_IP=gitlab # IP/Hostname of the running GitLab service. This assumes that GitLab is configured in the same `services:` section under the name gitlab.
    - GL_TLS_DNS_PROVIDER=cloudflare
    - CLOUDFLARE_EMAIL=admin@example.com
    - CLOUDFLARE_API_KEY=ffffffffffffffffffffffffffff
    volumes:
    - ./.caddy:/root/.caddy # Your certificates will be stored here
    - ./gitlab/caddy/logs:/var/log/caddy:Z # Caddy logs will be stored here

See the example gitlab docker-compose for a more complete file.
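As an added illustration (this is not the image's own entrypoint.sh), the following POSIX shell sketch shows one way the GitLab-related variables from the tables above can be turned into a Caddy v1 site block and CLI flags, including the two cases in which TLS stays off: GITLAB_HOST left at localhost, or CADDY_EMAIL not set. The fallback upstream name gitlab for GITLAB_IP and the explicit `tls off` handling are assumptions of this example; the directive syntax (proxy with transparent, tls with a dns sub-directive, -agree and -conf) is Caddy v1's.

```shell
#!/bin/sh
# Added example, not the gotfix/caddy entrypoint.sh: a minimal re-implementation of
# how GITLAB_*, CADDY_EMAIL, TLS_AGREE and GL_TLS_DNS_PROVIDER could map onto a
# Caddy v1 Caddyfile site block. Defaults follow the README tables; the fallback
# upstream name "gitlab" (the linked container's alias) is an assumption.

# tls_mode: decide how the site block obtains its certificate.
# Prints "off", "http" or "dns". It is "off" when there is no FQDN or no account
# email, because Let's Encrypt cannot issue for localhost and Caddy needs an
# email to register the ACME account.
tls_mode() {
  host="${GITLAB_HOST:-localhost}"
  if [ "$host" = "localhost" ] || [ -z "${CADDY_EMAIL:-}" ]; then
    echo off
  elif [ -n "${GL_TLS_DNS_PROVIDER:-}" ]; then
    echo dns
  else
    echo http
  fi
}

# render_gitlab_caddyfile: print the site block for the GitLab host.
render_gitlab_caddyfile() {
  host="${GITLAB_HOST:-localhost}"
  upstream="${GITLAB_IP:-gitlab}:${GITLAB_PORT:-8181}"
  printf '%s {\n' "$host"
  # "transparent" forwards Host and X-Forwarded-* headers to gitlab-workhorse
  printf '    proxy / %s {\n        transparent\n    }\n' "$upstream"
  case "$(tls_mode)" in
    off)  printf '    tls off\n' ;;
    dns)  printf '    tls %s {\n        dns %s\n    }\n' "$CADDY_EMAIL" "$GL_TLS_DNS_PROVIDER" ;;
    http) printf '    tls %s\n' "$CADDY_EMAIL" ;;
  esac
  printf '}\n'
}

# caddy_cli_args: flags for the caddy binary. -agree is only emitted when
# TLS_AGREE=true, so an unattended start cannot silently accept the Subscriber
# Agreement on the operator's behalf.
caddy_cli_args() {
  args="-conf /etc/Caddyfile"
  if [ "${TLS_AGREE:-false}" = "true" ]; then
    args="$args -agree"
  fi
  echo "$args"
}

# Demonstration with constructed values (run in a subshell so the variables do
# not leak into the caller's environment).
(
  GITLAB_HOST=gitlab.example.com
  CADDY_EMAIL=admin@example.com
  GL_TLS_DNS_PROVIDER=cloudflare
  TLS_AGREE=true
  render_gitlab_caddyfile
  caddy_cli_args
)
```

The useful check here is tls_mode: if it prints off for a host you expected to be secured, either GITLAB_HOST is not an FQDN or CADDY_EMAIL is missing, which are exactly the two conditions the tables above describe.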

CDN

| Parameter | Description |
|---|---|
| CLOUDFLARE_FRONT | If you are using Cloudflare in front of your GitLab installation, set it to true. Defaults to false. |

Getting Started (Plain)

$ docker run -d -p 2015:2015 gotfix/caddy

Point your browser to http://127.0.0.1:2015.

Be aware! If you don't bind mount the location certificates are saved to, you may hit Let's Encrypt rate limits, rendering further certificate generation or renewal disallowed for a fixed period! See "Saving Certificates" below!

Saving Certificates

Save certificates on the host machine to prevent regeneration every time the container starts. Let's Encrypt has rate limits.

$ docker run -d \
    -v $(pwd)/Caddyfile:/etc/Caddyfile \
    -v $HOME/.caddy:/root/.caddy \
    -p 80:80 -p 443:443 \
    gotfix/caddy

Here, /root/.caddy is the location inside the container where caddy will save certificates.

Additionally, you can use an environment variable to define the exact location caddy should save generated certificates:

$ docker run -d \
    -e "CADDYPATH=/etc/caddycerts" \
    -v $HOME/.caddy:/etc/caddycerts \
    -p 80:80 -p 443:443 \
    gotfix/caddy

Above, we use the CADDYPATH environment variable to define a different location inside the container for certificates to be stored. This is probably the safest option, as it ensures that future changes to the Docker image don't interfere with your ability to save certificates!
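Added example (not part of the image): a small shell preflight that ties the two pieces above together before docker run. It creates the host directory with mode 0700, since the directory will hold the ACME account key and the site private keys, refuses to continue when the bind-mount target does not equal CADDYPATH (Caddy would then write certificates outside the volume and request new ones on every start, which is how the rate limits get hit), and reports whether certificates from a previous run are already present. The function names and the *.crt file-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the gotfix/caddy image: preflight checks for the
# certificate volume described in "Saving Certificates".

# cert_volume_preflight HOST_DIR MOUNT_PATH [CADDYPATH]
# Creates HOST_DIR with mode 0700 (it will hold the ACME account key and site
# private keys) and prints the docker run arguments for the volume. Returns 1
# when MOUNT_PATH differs from CADDYPATH, because Caddy would then store
# certificates outside the bind mount and request new ones on every start.
cert_volume_preflight() {
  host_dir="$1"
  mount_path="$2"
  caddy_path="${3:-/root/.caddy}"   # /root/.caddy is the image's default location
  if [ "$mount_path" != "$caddy_path" ]; then
    echo "mount target $mount_path does not match CADDYPATH $caddy_path" >&2
    return 1
  fi
  mkdir -p "$host_dir" || return 1
  chmod 700 "$host_dir" || return 1
  printf '%s\n' "-e CADDYPATH=$caddy_path -v $host_dir:$mount_path"
}

# has_saved_certs HOST_DIR
# Returns 0 when at least one certificate file (*.crt, assumed naming) exists
# under HOST_DIR, i.e. a previous container run already obtained certificates
# and this start should not trigger new issuance.
has_saved_certs() {
  [ -n "$(find "$1" -name '*.crt' 2>/dev/null | head -n 1)" ]
}

# Usage with a constructed host path (the docker command is shown, not run):
#   args="$(cert_volume_preflight "$HOME/.caddy" /etc/caddycerts /etc/caddycerts)" &&
#     docker run -d $args -p 80:80 -p 443:443 gotfix/caddy
```

Calling the preflight with the default third argument and a mount target of /root/.caddy reproduces the first docker run above; passing /etc/caddycerts for both reproduces the CADDYPATH variant. Mixing the two is the mistake the check exists to catch.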

Using git sources

Caddy can serve sites from a git repository using the git plugin.

Create Caddyfile

Replace github.com/abiosoft/webtest with your repository.

$ printf "0.0.0.0\nroot src\ngit github.com/abiosoft/webtest" > Caddyfile

Run the image

$ docker run -d -v $(pwd)/Caddyfile:/etc/Caddyfile -p 2015:2015 gotfix/caddy

Point your browser to http://127.0.0.1:2015.

Usage

Default Caddyfile

The image contains a default Caddyfile.

0.0.0.0
root /srv
browse
log stdout
errors stdout

Paths in container

Caddyfile: /etc/Caddyfile

Sites root: /srv

Using local Caddyfile and sites root

Replace /path/to/Caddyfile and /path/to/sites/root accordingly.

$ docker run -d \
    -v /path/to/sites/root:/srv \
    -v /path/to/Caddyfile:/etc/Caddyfile \
    -p 2015:2015 \
    gotfix/caddy

Let's Encrypt Auto SSL

Note that this does not work on local environments.

Use a valid domain and add your email to your Caddyfile to avoid a prompt at runtime. Replace example.com with your domain and user@example.com with your email.

example.com
tls user@example.com

Run the image

You can change the ports if ports 80 and 443 are not available on the host, e.g. 81:80, 444:443.

$ docker run -d \
    -v $(pwd)/Caddyfile:/etc/Caddyfile \
    -p 80:80 -p 443:443 \
    gotfix/caddy