akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
315192fb543a81a17a8f54067b30cc8cafa76fd2
caddy-proxy-manager/README.md
fuomag9 315192fb54 first rewrite commit
2025-10-31 20:08:28 +01:00

4.8 KiB
Raw Blame History

Caddy Proxy Manager

Caddy Proxy Manager is a modern control panel for Caddy that simplifies reverse proxy configuration, TLS automation, access control, and observability. The entire application is built with Next.js and ships with a lean dependency set, OAuth2 login, and a battery of tools for managing hosts, redirects, streams, certificates, and Cloudflare DNS-based certificate issuance.

Highlights

  • Next.js 14 App Router UI and API in a single project, backed by an embedded SQLite database.
  • OAuth2 single sign-on with PKCE and configurable claim mapping. The first authenticated user becomes the administrator.
  • End-to-end Caddy orchestration using the admin API, generating JSON configurations for HTTP, HTTPS, redirects, custom 404 hosts, and TCP/UDP streams.
  • Cloudflare DNS challenge integration via xcaddy-built Caddy binary with cloudflare and layer4 modules; credentials are stored in the UI.
  • Access lists (HTTP basic auth), custom certificates (managed or imported PEM), and a full audit log of administrative changes.
  • Default HSTS configuration (Strict-Transport-Security: max-age=63072000) baked into every HTTP route to meet security baseline requirements.

Project Structure

.
├── app/                    # Next.js app router (auth, dashboard, APIs)
├── src/
│   └── lib/                # Database, Caddy integration, models, settings
├── docker/                 # Dockerfiles for web + Caddy
├── compose.yaml            # Production-ready docker compose definition
└── data/                   # (Generated) SQLite database, TLS material, Caddy data

Requirements

  • Node.js 20+ (development)
  • Docker + Docker Compose v2 (deployment)
  • OAuth2 identity provider (OIDC compliant preferred)
  • Optional: Cloudflare DNS API token for automated certificate issuance

Quick Start

  1. Install dependencies

    npm install

    Package downloads require network access.

  2. Run the development server

    npm run dev

  3. Configure OAuth2

    • Visit http://localhost:3000/setup/oauth.
    • Supply your identity providers authorization, token, and userinfo endpoints plus client credentials.
    • Sign in; the first user becomes an administrator.

  4. Configure Cloudflare DNS (optional)

    • Navigate to Settings → Cloudflare DNS.
    • Provide an API token with Zone.DNS:Edit scope and the relevant zone/account IDs.
    • Any managed certificates attached to hosts will now request TLS via DNS validation.

Docker Compose

compose.yaml defines a two-container stack:

  • app: Next.js server with SQLite database and certificate store in /data.

  • caddy: xcaddy-built binary with Cloudflare DNS provider and layer4 modules. The default configuration responds on caddyproxymanager.com and serves the required HSTS header:

    caddyproxymanager.com {
  header Strict-Transport-Security "max-age=63072000"
  respond "Caddy Proxy Manager is running" 200
}

Launch the stack:

docker compose up -d

Environment variables:

  • SESSION_SECRET: random 32+ character string used to sign session cookies.
  • DATABASE_PATH: path to the SQLite database (default /data/app/app.db in containers).
  • CERTS_DIRECTORY: directory for imported PEM files shared with the Caddy container.
  • CADDY_API_URL: URL for the Caddy admin API (default http://caddy:2019 inside the compose network).
  • PRIMARY_DOMAIN: default domain served by the bootstrap Caddyfile (defaults to caddyproxymanager.com).

Data Locations

  • data/app/app.db: SQLite database storing configuration, sessions, and audit log.
  • data/certs/: Imported TLS certificates and keys generated by the UI.
  • data/caddy/: Autogenerated Caddy state (ACME storage, etc.).

UI Features

  • Proxy Hosts: HTTP(S) reverse proxies with HSTS, access lists, optional custom certificates, and WebSocket support.
  • Redirects: 301/302 responses with optional path/query preservation.
  • Dead Hosts: Branded responses for offline services.
  • Streams: TCP/UDP forwarding powered by the Caddy layer4 module.
  • Access Lists: Bcrypt-backed basic auth credentials, assignable to proxy hosts.
  • Certificates: Managed (ACME) or imported PEM certificates with audit history.
  • Audit Log: Chronological record of every configuration change and actor.
  • Settings: General metadata, OAuth2 endpoints, and Cloudflare DNS credentials.

Development Notes

  • SQLite schema migrations are embedded in src/lib/migrations.ts and run automatically on startup.
  • Caddy configuration is rebuilt on every change and pushed via the admin API. Failures are surfaced to the UI.
  • OAuth2 login uses PKCE and stores session tokens as HMAC-signed cookies backed by the database.

License

MIT License © Caddy Proxy Manager contributors.

Reference in New Issue View Git Blame Copy Permalink