RWejlgaard/pez-docs
1
0
Fork 0
mirror of https://github.com/RWejlgaard/pez-docs.git synced 2026-05-06 03:34:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
pez-docs/principles/caddy/README.md
Rasmus Wejlgaard 4508f740e5 Update documentation for current setup 
- Update locations/london.md with current server state (london-a FreeBSD monitoring, london-b Ubuntu/ZFS storage, london-c offline)
- Update locations/copenhagen.md with current servers (copenhagen-a Minecraft+WoW, copenhagen-b offline, copenhagen-c general)
- Add locations/helsinki.md documenting helsinki-a (Caddy gateway, Authelia, Bitwarden, LDAP) and nuremberg-a (mail/poste.io)
- Add workloads/jellyfin, navidrome, nextcloud, arr-stack, minecraft, wow, mail, monitoring, bitwarden, authelia
- Add principles/zfs documenting the london-b ZFS pool setup
- Add principles/caddy documenting the reverse proxy setup on helsinki-a
- Update introduction.md to mention all locations
2026-03-04 09:41:57 +00:00

37 lines
1.5 KiB
Markdown
Raw Permalink Blame History

# Caddy
## Why
Caddy is my reverse proxy of choice. It handles TLS termination automatically via Let's Encrypt — no manual certificate management, no certbot cron jobs, no renewals to think about. You write a Caddyfile, point it at a subdomain, and TLS just works.
Compared to Nginx, the config is far less verbose. A reverse proxy block that takes 20 lines in Nginx takes 4 in Caddy.
## Where
Runs on **helsinki-a**, which is the public-facing edge server. All traffic from the internet hits helsinki-a first, then Caddy forwards it over Tailscale to the appropriate backend.
## How It Works
All public subdomains (pez.sh, pez.solutions) are DNS-proxied through Cloudflare. Cloudflare terminates the external TLS and forwards traffic to helsinki-a. Caddy then handles routing to the correct backend.
Backends are addressed by Tailscale IP or hostname — no need to open ports between servers on the public internet.
## Authelia Integration
For protected services, Caddy uses a `forward_auth` directive that calls Authelia before proxying the request. If the user isn't authenticated, Caddy redirects them to auth.pez.sh.
Example Caddyfile block:
```
radarr.pez.sh {
forward_auth helsinki-a:9091 {
uri /api/verify?rd=https://auth.pez.sh
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy london-b:7878
}
```
## TLS
Caddy obtains and renews certificates automatically via ACME (Let's Encrypt). No manual intervention required.
Reference in a new issue View git blame Copy permalink