Use Caddy to map HTTPS to PagePark

Nov 30, 2021

3 min read

Scott Hanson

I've started a GitHub repository at scotthansonde/DrummerNotes for my notes and code about Drummer. I'm cross-posting my first note on using Caddy with PagePark here. PagePark is a"simple Node.js folder-based HTTP server that serves static and dynamic pages for domains". It isn't about Drummer per se, but would be a possible path for Drummer itself to run under HTTPS. This post is also a test of uploading Markdown from Drummer directly to a Gatsby blog.

Caddy is a very easy way to implement HTTPS for your PagePage domains. It is a web server that can do automatic HTTPS, automatically provisioning TLS certificates (from Let's Encrypt) for a domain and keep them renewed. It can even obtain TLS certificates on demand for your PagePark domains, without out having to configure the domains in Caddy.

How to

Here is an example of setting up Caddy on an existing PagePark installation on a Digital Ocean server running Ubuntu (assuming you have domains in your domains folder and have mapped port 80 to PagePark using iptables as in the instructions).

  1. Install the official Caddy package für Ubuntu per their instructions. This automatically starts and runs Caddy as a systemd service.
  2. Open the Caddy configuration file in the nano editor with sudo nano /etc/caddy/Caddyfile
  3. Replace the entire contents with:
{
  on_demand_tls {
    ask http://localhost:1339/isdomainvalid
    interval 2m
    burst    5
  }
}
https:// {
  tls {
    on_demand
  }
  reverse_proxy localhost:1339
}
  1. Restart the Caddy service with sudo service caddy restart
  2. Test https for one of your domains in the terminal with curl: e.g. curl https://www.example.com. This first time it will take several seconds for Caddy to request and obtain a certificate. It may even fail the first time, but then try again. The content of the index page of your domain should be printed to the terminal. That means it works!

This configuration means that both HTTP (over iptables) and HTTPS (over Caddy) will work for your domains!

Further cases and questions

Running Caddy without iptables mapping

If you have not mapped port 80 to PagePark, the configuration above will also listen to port 80 and redirect HTTP requests to HTTPS.

If you'd rather not redirect port 80, you can add a section for HTTP and disable redirects like this:

{
  auto_https disable_redirects
  on_demand_tls {
    ask http://localhost:1339/isdomainvalid
    interval 2m
    burst    5
  }
}
http:// {
  reverse_proxy localhost:1339
}
https:// {
  tls {
    on_demand
  }
  reverse_proxy localhost:1339
}

Removing iptables mapping so Caddy can handle HTTP

To delete an iptables rule you have to know the rule number. You can list the nat rules with

sudo iptables -t nat -v -L -n --line-number

The output will look something like this:

The number in front of the rule is the rule number. To delete these two rules, we need two commands

sudo iptables -t nat -D PREROUTING 1
sudo iptables -t nat -D OUTPUT 1

(changing the 1 at the end if your rule number is different).

What are the 'ask', 'interval' and 'burst' in the configuration?

They are for security purposes. They limit certificate requests to only domains configured in PagePage, and limits the rate of those requests. Otherwise an attacker can bombard your server with certificate requests for domains you don't even serve.

What about default domains?

Domains that are not explicitly in the domains directory will not be served automatic certificates. You can check the Caddy documentation for adding domains explicitly to the Caddy configuration.