Replace Nginx/Certbot with Caddy for automatic SSL
- Replaced nginx and certbot services with caddy in docker-compose-prod.yml - Added Caddyfile configuration with automatic SSL and security headers - Created setup-caddy.sh script for easy deployment - Caddy automatically handles Let's Encrypt certificates without manual setup - Much simpler SSL management compared to nginx/certbot combination
This commit is contained in:
48
Caddyfile
Normal file
48
Caddyfile
Normal file
@@ -0,0 +1,48 @@
|
||||
# Caddyfile für Stargirlnails Kiel
|
||||
# Automatisches SSL mit Let's Encrypt
|
||||
|
||||
stargirlnails.de {
|
||||
# Reverse Proxy zur Anwendung
|
||||
reverse_proxy stargirlnails:3000 {
|
||||
# Health Check
|
||||
health_uri /health
|
||||
health_interval 30s
|
||||
health_timeout 5s
|
||||
}
|
||||
|
||||
# Sicherheits-Header
|
||||
header {
|
||||
# Sicherheits-Header
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
X-Content-Type-Options "nosniff"
|
||||
X-XSS-Protection "1; mode=block"
|
||||
Referrer-Policy "strict-origin-when-cross-origin"
|
||||
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self';"
|
||||
|
||||
# HSTS (wird automatisch von Caddy gesetzt)
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
}
|
||||
|
||||
# Rate Limiting
|
||||
rate_limit {
|
||||
zone static {
|
||||
key {remote_host}
|
||||
events 10
|
||||
window 1m
|
||||
}
|
||||
}
|
||||
|
||||
# Gzip-Kompression
|
||||
encode gzip
|
||||
|
||||
# Logging
|
||||
log {
|
||||
output file /var/log/caddy/access.log
|
||||
format json
|
||||
}
|
||||
}
|
||||
|
||||
# HTTP zu HTTPS Redirect (automatisch von Caddy)
|
||||
http://stargirlnails.de {
|
||||
redir https://stargirlnails.de{uri} permanent
|
||||
}
|
||||
@@ -23,44 +23,30 @@ services:
|
||||
start_period: 40s
|
||||
# Keine Abhängigkeit zu nginx, um Dependency-Zyklen zu vermeiden
|
||||
|
||||
# Nginx Reverse Proxy
|
||||
nginx:
|
||||
image: nginx:alpine
|
||||
container_name: stargirlnails-nginx
|
||||
# Caddy Reverse Proxy mit automatischem SSL
|
||||
caddy:
|
||||
image: caddy:2-alpine
|
||||
container_name: stargirlnails-caddy
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
- ./nginx/conf.d:/etc/nginx/conf.d:ro
|
||||
- certbot-certs:/etc/letsencrypt:ro
|
||||
- certbot-webroot:/var/www/certbot:ro
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
- caddy-data:/data
|
||||
- caddy-config:/config
|
||||
networks:
|
||||
- stargirlnails-network
|
||||
depends_on:
|
||||
- stargirlnails
|
||||
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
|
||||
|
||||
# Certbot für SSL-Zertifikate
|
||||
certbot:
|
||||
image: certbot/certbot
|
||||
container_name: stargirlnails-certbot
|
||||
restart: "no"
|
||||
volumes:
|
||||
- certbot-certs:/etc/letsencrypt
|
||||
- certbot-webroot:/var/www/certbot
|
||||
networks:
|
||||
- stargirlnails-network
|
||||
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
|
||||
|
||||
# Volumes für persistente Daten
|
||||
volumes:
|
||||
storage-data:
|
||||
driver: local
|
||||
certbot-certs:
|
||||
caddy-data:
|
||||
driver: local
|
||||
certbot-webroot:
|
||||
caddy-config:
|
||||
driver: local
|
||||
|
||||
# Netzwerk für interne Kommunikation
|
||||
|
||||
103
scripts/setup-caddy.sh
Normal file
103
scripts/setup-caddy.sh
Normal file
@@ -0,0 +1,103 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Farben für Output
|
||||
RED='\033[0;31m'
|
||||
GREEN='\033[0;32m'
|
||||
YELLOW='\033[1;33m'
|
||||
BLUE='\033[0;34m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
echo -e "${BLUE}🔧 Stargirlnails Kiel - Caddy Setup${NC}"
|
||||
echo "====================================="
|
||||
|
||||
# Prüfe ob .env-Datei existiert
|
||||
if [ ! -f .env ]; then
|
||||
echo -e "${RED}❌ .env-Datei nicht gefunden!${NC}"
|
||||
echo "Bitte erstelle eine .env-Datei mit DOMAIN und ADMIN_EMAIL"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Extrahiere DOMAIN aus .env
|
||||
DOMAIN=$(grep -E '^DOMAIN=' .env | cut -d '=' -f2- | tr -d '"')
|
||||
|
||||
if [ -z "$DOMAIN" ]; then
|
||||
echo -e "${RED}❌ DOMAIN nicht in .env gefunden!${NC}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "${GREEN}✅ Domain: $DOMAIN${NC}"
|
||||
|
||||
# Erkenne Docker Compose-Version
|
||||
if command -v docker-compose >/dev/null 2>&1; then
|
||||
DOCKER_COMPOSE="docker-compose"
|
||||
elif docker compose version >/dev/null 2>&1; then
|
||||
DOCKER_COMPOSE="docker compose"
|
||||
else
|
||||
echo -e "${RED}❌ Docker Compose nicht gefunden!${NC}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Prüfe Docker-Berechtigungen
|
||||
SUDO=""
|
||||
if ! docker info >/dev/null 2>&1; then
|
||||
if command -v sudo >/dev/null 2>&1; then
|
||||
SUDO="sudo "
|
||||
echo -e "${YELLOW}⚠️ Docker benötigt Root-Rechte. Verwende 'sudo'.${NC}"
|
||||
else
|
||||
echo -e "${RED}❌ Docker läuft nicht und 'sudo' ist nicht verfügbar.${NC}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -e "${GREEN}✅ Verwende: ${SUDO}${DOCKER_COMPOSE}${NC}"
|
||||
|
||||
# Erstelle Docker Volumes
|
||||
echo -e "${YELLOW}📦 Erstelle Docker Volumes...${NC}"
|
||||
${SUDO}docker volume create caddy-data 2>/dev/null || true
|
||||
${SUDO}docker volume create caddy-config 2>/dev/null || true
|
||||
${SUDO}docker volume create storage-data 2>/dev/null || true
|
||||
|
||||
# Aktualisiere Caddyfile mit der korrekten Domain
|
||||
echo -e "${YELLOW}📝 Aktualisiere Caddyfile...${NC}"
|
||||
sed "s/stargirlnails.de/$DOMAIN/g" Caddyfile > Caddyfile.tmp
|
||||
mv Caddyfile.tmp Caddyfile
|
||||
|
||||
# Stoppe alte Services
|
||||
echo -e "${YELLOW}🛑 Stoppe alte Services...${NC}"
|
||||
${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml down
|
||||
|
||||
# Starte alle Services
|
||||
echo -e "${YELLOW}🚀 Starte alle Services...${NC}"
|
||||
${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml up -d
|
||||
|
||||
# Warte kurz
|
||||
echo -e "${YELLOW}⏳ Warte auf Services...${NC}"
|
||||
sleep 15
|
||||
|
||||
# Prüfe Status
|
||||
echo -e "${YELLOW}🔍 Prüfe Service-Status...${NC}"
|
||||
|
||||
if ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml ps | grep -q "Up"; then
|
||||
echo -e "${GREEN}✅ Alle Services laufen!${NC}"
|
||||
echo ""
|
||||
echo -e "${BLUE}🌐 Deine Anwendung ist jetzt verfügbar unter:${NC}"
|
||||
echo -e "${GREEN} https://$DOMAIN${NC}"
|
||||
echo -e "${GREEN} http://$DOMAIN (leitet zu HTTPS weiter)${NC}"
|
||||
echo ""
|
||||
echo -e "${BLUE}📋 Nützliche Befehle:${NC}"
|
||||
echo " Status anzeigen: ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml ps"
|
||||
echo " Logs anzeigen: ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml logs -f"
|
||||
echo " Services stoppen: ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml down"
|
||||
echo " Caddy Logs: ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml logs caddy"
|
||||
echo ""
|
||||
echo -e "${YELLOW}⚠️ Hinweis:${NC}"
|
||||
echo " - SSL-Zertifikate werden automatisch von Caddy erstellt und erneuert"
|
||||
echo " - Keine manuelle SSL-Konfiguration erforderlich"
|
||||
echo " - Überwache die Caddy-Logs für SSL-Status"
|
||||
else
|
||||
echo -e "${RED}❌ Einige Services sind nicht gestartet!${NC}"
|
||||
echo "Prüfe die Logs: ${SUDO}${DOCKER_COMPOSE} -f docker-compose-prod.yml logs"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "${GREEN}✅ Caddy-Setup abgeschlossen!${NC}"
|
||||
Reference in New Issue
Block a user