Caddy Docker Compose Example

[acetousk]

Here's a docker-compose that I was able to get working with Caddy:

version: "3.8"

services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs:/certs
      - ./config:/config
      - ./data:/data
      - ./sites:/srv
    network_mode: "host"

  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    environment:
      - APACHE_PORT=11000
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - caddy

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

With this as the Caddyfile:

https://cloud.domain.com:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}

I think that it'd be a good idea to have a .examples folder like in nextcloud/docker. This would help make the documentation more clear and easier to setup for everyone.

@szaimen Are you open to a PR to add this?

[szaimen]

Hello, I have something different in mind: See #588

[szaimen]

Adding many docker compose files to the repo is just too much maintenance work, imho. When we would change or add something we would need to change/address it everywhere. Having this in a thread allows the creators of each example to easily modify the examples themselves without the maintainer (me) needing to merge or create PRs...

[szaimen]

We already link to this thread from multiple places in the documentation itself and it is pinned so I don't think it will get lost :)

[szaimen]

@acetousk So would you be so kind to start adding your working example to the mentioned thread?

[Not-a-Cylon-010011100100111101010100]

sorry but just to say,. I've jsut been through the installation process and I couldn't agree more with @acetousk I've wasted so much time trying so many differnt variations of config files from the docs and then after all the to have to wade through a load of unorganised entries littered with comments and random setups - this couldn't be a more confusing/messier way to help people get started and honestly several times I was just going to give up and go somewhere else for it and so there is definitely a barrier to entry doing it this way. Setting this up should be as user-friendly as possible and honestly, you've got the polar opposite at the moment. I don't understand why we make this difficult and complicated when it doesn't need to be. Also just to say that this is not referenced all over the place at all as a place to go for example config files - I stumbled across it in one place only - on the reverse proxy instructions page. This would be a million times better in GitHub - and I don't understand at all the argument that doing it there doesn't scale - how is an unorganised random load of messages mixed in with general chit chat in any way more scalable than a GitHub repo. If maintenance work is needed then at least on GitHub it's controlled and maintained by the community -how are people going to go into other peoples comments to make updates

[acetousk]

It's not worth it to worry about the proxy to use.

I ended up using the nextcloud AIO docker container that handles all the configuration, backups, and auto upgrades. Very handy if you want a good experience.

[matthijsbro]

How would you add other urls to the Caddyfile that need reverse proxy? (because it doesn't work for me now, but I don't know where the issue lies). For example like below?

https://cloud1.domain.com:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}
https://cloud2.domain.com:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:7843
}

[szaimen]

If you want to point caddy running on the host network onto vaultwarden, you would need to publish the vaultwarden port on the host so that localhost works.

[matthijsbro]

Thansk for your reply. I'm thinking about this, but I just don't know how to do this. How do I 'publish the port'? Just in docker-compose

ports:
  - 80:80
  - 443:443

[szaimen]

yes in the docker-compose of the vaultwarden container. however not using port 80 and 443 obvously but instead port 7843

[szaimen]

It should work like this:

https://nc.domain.com:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}

https://vault.domain.com:443 {
#    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:7843
}

My docker-compose.yml

services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs:/certs
      - ./config:/config
      - ./data:/data
      - ./sites:/srv
    network_mode: "host"

  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - caddy

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=false  # Enable WebSocket notifications.
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://vault.domain.com
      - SMTP_HOST=mail.domain.com
      - [email protected]
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - [email protected]
      - SMTP_PASSWORD=123
      - ADMIN_TOKEN=123
    ports:
      - 127.0.0.1:7843:80
    volumes:
      - ./vw-data:/data

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed

[matthijsbro]

Thank you so much! This works. I hope that one day I gain the wisdom and knowledge to understand why :)
I'll study it a bit more.

[JPDF]

I just want to point out how important naming the volume is. If you don't name the volume the backup function wont work. I was having this issue when I followed the guide https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#caddy-recommended which lead me to this example.

This is what it should look like:

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # <-- VERY IMPORTANT

Since compose V2 is using the parent directory of the compose file as a prefix for the volumes to avoid naming collisions. This can be avoided by either naming the container as above or using the external option.
As @szaimen also answered here https://help.nextcloud.com/t/borg-cant-backup/141117/6

[matthijsbro]

To my shame I must admit I did not try to use that backup function yet. I will today however, and as a precaution I added the name statement. Although a docker volume ls shows all the volumes named already.

[matthijsbro]

Hmm, at first site that worked to the contrary. I had:

volumes:
  nextcloud_aio_mastercontainer:

I added your line with name: but when I restarted backup failed with exactly the error you linked to on help.nextcloud. Looking at my ip:8080 then suggested I install Nextcloud aio is if it wasn't installed. So I removed the line with name: again and voila, it is currently running a backup to /mnt/backup (where I mounted an external samba volume).

Perhaps to do with docker compose versions. But it was just an issue I didn't have :)

[JPDF]

Hm, intresting. Perhaps it is the compose versions. I am currently using v2.16.0. My compose file is in a folder named docker which resulted in volumes named with 'docker' as prefix docker_nextcloud_aio_mastercontainer which I noticed when the backup didn't find the configuration file since it is only looking for volume nextcloud_aio_mastercontainer. To resolve this without loosing my progress I manually created a new volume with the correct name and copied the content over, put the name: config in and rebuilt the container which was successful after that

[demuxer86]

I am coming from Truecharts with Traefik. I need newer versions of nextcloud, and they are severely behind.

When I try to deploy this stack, I get the following error. I think I need to create volumes manually, but I'm not quite sure the right way to do it?
Container vaultwarden Started Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/data/compose/54/Caddyfile" to rootfs at "/etc/caddy/Caddyfile": mount /data/compose/54/Caddyfile:/etc/caddy/Caddyfile (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

[szaimen]

If you want to run other services as well you need a reverse proxy like caddy.

[BrianHenryIE]

I used absolute paths for the host Docker and Portainer are running on:

  caddy:
...
    volumes:
      - /home/brian/Caddyfile:/etc/caddy/Caddyfile
      - /home/brian/certs:/certs
      - /home/brian/config:/config
      - /home/brian/data:/data
      - /home/brian/sites:/srv

I created the Caddyfile with nano Caddyfile and pasted in the configuration from above (edited to match my domain), and also ran mkdir certs; mkdir data; mkdir sites because those folders didn't exist already.

[demuxer86]

OK I believe I have it working. I can reach the caddy welcome page if I point to [portainer address]:80

This means caddy is working, and listening on port 80

From here, I can't find any guide that is easy to understand for the caddyfile. I can simply do this, but it's failing on ACME and TLS settings,

hacura.cc {
header Strict-Transport-Security max-age=31536000;
reverse_proxy 10.20.30.253:9443
}

I feel like I have a lot more to add to my caddy file...

[BrianHenryIE]

My Caddyfile is:

https://cloud.brianhenry.ie:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}

The differences are that your https:// and :443 are missing, and you're pointing to 9443.

services:
  nextcloud:
    image: nextcloud/all-in-one:latest
...
    ports:
      # - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      # - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

    environment: # Is needed when using any of the options below
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

Have you commented out the two ports which say "Can be removed" and uncommented Apache "Is needed" and "Should be set"?

And have you port forwarding configured on your router? I have 80:80 443:443 8080:8080 and 8443:8443, all pointing to my PI, although I think the latter two should be removed!(edit: removed without issue)

[demuxer86]

And have you port forwarding configured on your router? I have 80:80 443:443 8080:8080 and 8443:8443, all pointing to my PI, although I think the latter two should be removed!

BALLS!!!! You are brilliant! I forgot my Traefik setup was on a different IP. I changed my router to forward to Caddy, and started getting a response.

Still not working with Portainer web gui. Frustrated, I tried my firewall web GUI

IT WORKS!

This is my caddyfile. It does not need https:// or 443 port. The Caddy docs explain it auto routes those anyway.

hacura.cc {
        reverse_proxy 10.20.30.1:82
}

So now I am off to the races. I don't know why Portainer web GUI won't connect. I get a secure HTTPS response, but the GUI won't parse through. I can deal with that for now, as I feel confident now I will get Nextcloud connected.

Thank you so much for responding. It's weird how far down rabbit holes you can go and completely miss the high level basics.

[WDMdanila]

Is there a way to configure caddy (and NC) in such a way that NC master container and Apache are actually fully behind it? What I want to achieve is that caddy docker is not in a host network so that I can point Caddy straight to the master container (which is technically done, but we still expose 8080 port for the master container as well as 11000 port for apache, which I would want to restrict to be reachable only through caddy)

Feels like such exposure of ports defeats the purpose of reverse proxy all together as services are reachable even without proxy.

Sorry for posting it here, did not know where to put such question and here seems like it would be the best place.

[devnoname120]

You can set APACHE_IP_BINDING=127.0.0.1 to limit access of Apache to stuff running locally on your server. It's not a silver bullet but it protects you from accidental exposure to your local network and/or the public internet.

By default APACHE_IP_BINDING=0.0.0.0 which means bind on all network interfaces — if you don't have a NAT in front of your server it even makes it publicly accessible.

[jm355]

This is what I did to use the dns check with duckdns:

~/Caddy/Dockerfile

FROM caddy:latest AS builder

RUN caddy add-package github.com/caddy-dns/duckdns

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

~/compose.yaml

version: "3.6"

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
      - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 --keep-yearly=4
      - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes
      - NEXTCLOUD_ENABLE_DRI_DEVICE=true
      - SKIP_DOMAIN_VALIDATION=true
    depends_on:
      - caddy

  caddy:
    build: ./Caddy
    restart: unless-stopped
    container_name: caddy
    volumes:
     - ./Caddyfile:/etc/caddy/Caddyfile
     - ./certs:/certs
     - ./config:/config
     - ./data:/data
     - ./sites:/srv
    network_mode: host

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

~/Caddyfile

{
	auto_https disable_redirects
}
https://<domain>.duckdns.org:443 {
	reverse_proxy localhost:11000
	tls {
		dns duckdns <token>
	}
}

[nemr0]

i am new into this guys, I don't know where to place the caddy file how to add it in it's place for it all to run correctly.
i'm deploying docker-compose file using portainer.

[RealVishy]

Store the Caddyfile in the same directory as your docker-compose.yml

[timur-g]

How could we run caddy via docker run, so not having caddyfile but settting somehow reverse_proxy localhost:11000 ?
If that is possible, would volumes remain the same?
Is it OK that in Caddyfile I set twice test.local? Asking because I cannot pass Domain validation in AIO.
This whole complication with caddy is because I want to test AIO in local machine where ports 80 443 are already used.

[Scorg]

I could not get this setup to work for me. The domain check just does not pass. The request comes as http on port 443, as per the docs, to which Caddy replies with "Client sent an HTTP request to an HTTPS server." Sending the request straight to Apache on $APACHE_PORT correctly replies with the expected string. Nothing I have tried to make Caddy pass this request to Apache works.

[pascalriemer]

Hi, why does this approach not work on my setup? #6084