Caddy Reverse-proxy for Aleph-VM
A reverse-proxy is required for production use. It allows:
- A different domain name for each VM function
- Secure connections using HTTPS
- Load balancing between multiple servers
Using a different domain name for each VM function is important when running web applications, both for security and usability purposes.
The VM Supervisor supports using domains in the form https://identifer.vm.yourdomain.org
, where
identifier is the identifier/hash of the message describing the VM function and yourdomain.org
represents your domain name.
1. Wildcard certificates
A wildcard certificate is recommended to allow any subdomain of your domain to work.
You can create one using Let's Encrypt and Certbot with the following instructions.
sudo apt install -y certbot
certbot certonly --manual --email email@yourdomain.org --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
-d 'vm.yourdomain.org,*.vm.yourdomain.org'
2. Caddy Server
In this documentation, we will install the modern Caddy reverse-proxy.
Replace vm.yourdomain.org
with your domain of choice.
To install on Debian/Ubuntu, according to the official instructions:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
Then give Caddy access to the certificates generated by Certbot:
chmod 750 /etc/letsencrypt/live/
chmod 750 /etc/letsencrypt/archive/
chmod 640 /etc/letsencrypt/archive/vm.yourdomain.org/privkey1.pem
chgrp -R caddy /etc/letsencrypt/archive/
chgrp -R caddy /etc/letsencrypt/live/
Configure Caddy:
cat >/etc/caddy/Caddyfile <<EOL
vm.yourdomain.org:443 {
tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
reverse_proxy http://127.0.0.1:4020 {
# Forward Host header to the backend
header_up Host {host}
}
}
*.vm.yourdomain.org:443 {
tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
reverse_proxy http://127.0.0.1:4020 {
# Forward Host header to the backend
header_up Host {host}
}
}
EOL
Optionally, you can allow users to host their website using their own domains using the following
configuration. Be careful about rate limits if you enable on_demand
TLS,
see the Caddy documentation on On-Demand TLS.
cat >/etc/caddy/Caddyfile <<EOL
{
on_demand_tls {
interval 60s
burst 5
}
}
vm.yourdomain.org:443 {
tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
reverse_proxy http://127.0.0.1:4020 {
header_up Host {host}
}
}
*.vm.yourdomain.org:443 {
tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
reverse_proxy http://127.0.0.1:4020 {
# Forward Host header to the backend
header_up Host {host}
}
}
*:443 {
tls {
on_demand
}
reverse_proxy http://127.0.0.1:4020 {
# Forward Host header to the backend
header_up Host {host}
}
}
EOL
Finally, restard Caddy: ```shell sudo systemctl restart caddy