caddy: HTTP 9000 HTTPS 9001; ACME webroot; firewalld open 9000/9001/80

This commit is contained in:
Hernâni Marques 2026-07-08 16:18:44 +02:00
parent b587bb0eeb
commit 5c0101f24b
No known key found for this signature in database
7 changed files with 249 additions and 17 deletions

View file

@ -1,13 +1,63 @@
# Port map (final):
# 9000 Caddy HTTP (redirect + ACME webroot)
# 9001 Caddy HTTPS
# 9010 taler-hacktivism (merchant nginx TLS)
# 9011 taler-exchange-hacktivism (exchange httpd)
# 9012 taler-bank-hacktivism (libeufin-bank)
{
email info+koopa@hacktivism.ch
http_port 8085
https_port 8443
http_port 9000
https_port 9001
auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
# on the public host — port 9001 is not the public HTTPS entry (443 is).
# That breaks sites after first visit (especially dual-stack clients).
servers {
protocols h1 h2
}
}
taler.hacktivism.ch {
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
reverse_proxy https://127.0.0.1:8081 {
transport http { tls_insecure_skip_verify }
header Alt-Svc "clear"
reverse_proxy https://127.0.0.1:9010 {
transport http {
tls_insecure_skip_verify
}
header_up Host {host}
}
}
exchange.hacktivism.ch {
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9011 {
header_up Host {host}
}
}
bank.hacktivism.ch {
header Alt-Svc "clear"
handle_path /intro/* {
root * /var/www/bank-landing
file_server
}
redir /intro /intro/ 302
redir / /intro/ 302
reverse_proxy 127.0.0.1:9012 {
header_up Host {host}
}
}
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
handle /.well-known/acme-challenge/* {
root * /var/www/acme
file_server
}
handle {
redir https://{host}{uri} permanent
}
}

View file

@ -1,4 +1,6 @@
# Caddy
# Caddy (host reverse proxy)
- 2026-07-07 taler LE (certbot)
- 2026-07-08 Caddy :443 with copied certs
- Config: `Caddyfile` (also mirrored under `configs/caddy/`)
- TLS certs on disk: `/etc/caddy/certs/{taler,exchange}.hacktivism.ch/`
- HTTP 9000: ACME webroot `/var/www/acme` + redirect to HTTPS
- HTTPS 9001: vhosts → backends 9010 / 9011