akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
29acf06f75bd8a33c5ca2b830bde32de4f787ea6
caddy-proxy-manager/README.md
fuomag9 315192fb54 first rewrite commit
2025-10-31 20:08:28 +01:00

115 lines
4.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Caddy Proxy Manager
Caddy Proxy Manager is a modern control panel for Caddy that simplifies reverse proxy configuration, TLS automation, access control, and observability. The entire application is built with Next.js and ships with a lean dependency set, OAuth2 login, and a battery of tools for managing hosts, redirects, streams, certificates, and Cloudflare DNS-based certificate issuance.
## Highlights
- **Next.js 14 App Router** UI and API in a single project, backed by an embedded SQLite database.
- **OAuth2 single sign-on** with PKCE and configurable claim mapping. The first authenticated user becomes the administrator.
- **End-to-end Caddy orchestration** using the admin API, generating JSON configurations for HTTP, HTTPS, redirects, custom 404 hosts, and TCP/UDP streams.
- **Cloudflare DNS challenge integration** via xcaddy-built Caddy binary with `cloudflare` and `layer4` modules; credentials are stored in the UI.
- **Access lists** (HTTP basic auth), custom certificates (managed or imported PEM), and a full audit log of administrative changes.
- **Default HSTS configuration** (`Strict-Transport-Security: max-age=63072000`) baked into every HTTP route to meet security baseline requirements.
## Project Structure
```
.
├── app/ # Next.js app router (auth, dashboard, APIs)
├── src/
│ └── lib/ # Database, Caddy integration, models, settings
├── docker/ # Dockerfiles for web + Caddy
├── compose.yaml # Production-ready docker compose definition
└── data/ # (Generated) SQLite database, TLS material, Caddy data
```
## Requirements
- Node.js 20+ (development)
- Docker + Docker Compose v2 (deployment)
- OAuth2 identity provider (OIDC compliant preferred)
- Optional: Cloudflare DNS API token for automated certificate issuance
## Quick Start
1. **Install dependencies**
```bash
npm install
```
> Package downloads require network access.
2. **Run the development server**
```bash
npm run dev
```
3. **Configure OAuth2**
- Visit `http://localhost:3000/setup/oauth`.
- Supply your identity providers authorization, token, and userinfo endpoints plus client credentials.
- Sign in; the first user becomes an administrator.
4. **Configure Cloudflare DNS (optional)**
- Navigate to **Settings → Cloudflare DNS**.
- Provide an API token with `Zone.DNS:Edit` scope and the relevant zone/account IDs.
- Any managed certificates attached to hosts will now request TLS via DNS validation.
## Docker Compose
`compose.yaml` defines a two-container stack:
- `app`: Next.js server with SQLite database and certificate store in `/data`.
- `caddy`: xcaddy-built binary with Cloudflare DNS provider and layer4 modules. The default configuration responds on `caddyproxymanager.com` and serves the required HSTS header:
```caddyfile
caddyproxymanager.com {
header Strict-Transport-Security "max-age=63072000"
respond "Caddy Proxy Manager is running" 200
}
```
Launch the stack:
```bash
docker compose up -d
```
Environment variables:
- `SESSION_SECRET`: random 32+ character string used to sign session cookies.
- `DATABASE_PATH`: path to the SQLite database (default `/data/app/app.db` in containers).
- `CERTS_DIRECTORY`: directory for imported PEM files shared with the Caddy container.
- `CADDY_API_URL`: URL for the Caddy admin API (default `http://caddy:2019` inside the compose network).
- `PRIMARY_DOMAIN`: default domain served by the bootstrap Caddyfile (defaults to `caddyproxymanager.com`).
## Data Locations
- `data/app/app.db`: SQLite database storing configuration, sessions, and audit log.
- `data/certs/`: Imported TLS certificates and keys generated by the UI.
- `data/caddy/`: Autogenerated Caddy state (ACME storage, etc.).
## UI Features
- **Proxy Hosts:** HTTP(S) reverse proxies with HSTS, access lists, optional custom certificates, and WebSocket support.
- **Redirects:** 301/302 responses with optional path/query preservation.
- **Dead Hosts:** Branded responses for offline services.
- **Streams:** TCP/UDP forwarding powered by the Caddy layer4 module.
- **Access Lists:** Bcrypt-backed basic auth credentials, assignable to proxy hosts.
- **Certificates:** Managed (ACME) or imported PEM certificates with audit history.
- **Audit Log:** Chronological record of every configuration change and actor.
- **Settings:** General metadata, OAuth2 endpoints, and Cloudflare DNS credentials.
## Development Notes
- SQLite schema migrations are embedded in `src/lib/migrations.ts` and run automatically on startup.
- Caddy configuration is rebuilt on every change and pushed via the admin API. Failures are surfaced to the UI.
- OAuth2 login uses PKCE and stores session tokens as HMAC-signed cookies backed by the database.
## License
MIT License © Caddy Proxy Manager contributors.
Reference in New Issue View Git Blame Copy Permalink