Switching from Apache httpd to Caddy2

It has been a year since the HTTP/3 RFC (RFC 9114) was published in June 2022. Of the commonly used web servers, Caddy was the first to support HTTP/3; Nginx only gained support in version 1.25.0, released on May 23, 2023; and as for Apache httpd, I have no idea when it will support HTTP/3.
The reason I finally decided to switch from Apache httpd to Caddy, though, is certificates: for every web server other than Caddy, configuring certificates and their automatic renewal is still a chore. As everyone knows, most free certificates are valid for only 90 days and must be renewed before they expire. Renewing with the acme.sh script and then running nginx reload or httpd reload is not entirely reliable; it fails some fraction of the time. So I decided to let Caddy take care of the certificate problem once and for all.
This article is based on an LCMP (Linux + Caddy + MariaDB + PHP) stack and covers the details of switching to Caddy; I am recording them here.

1. Caddy 2 configuration for WordPress

Most of the WordPress .htaccess rules written for Apache httpd do not need to be converted at all, because Caddy 2's php_fastcgi directive already builds in the equivalent behaviour.
php_fastcgi is in fact a shortcut that expands to the following set of directives (comments translated; the php-fpm upstream address, which the expansion requires, is filled in with the socket used by the site configurations later on this page):

route {
	# Add a trailing slash to directory requests
	@canonicalPath {
		file {path}/index.php
		not path */
	}
	redir @canonicalPath {path}/ 308
	# If the requested file does not exist, try the index files
	@indexFiles file {
		try_files {path} {path}/index.php index.php
		split_path .php
	}
	rewrite @indexFiles {http.matchers.file.relative}
	# Proxy PHP files to the FastCGI responder (php-fpm socket)
	@phpFiles path *.php
	reverse_proxy @phpFiles unix//run/php-fpm/www.sock {
		transport fastcgi {
			split .php
		}
	}
}

All that remains is to block direct access to a few WordPress resources: xmlrpc.php, a favourite target for credential brute-forcing and pingback abuse, and any .php file under wp-content/uploads, so that a PHP file smuggled in through an upload is never executed.
The following configuration rewrites requests for these resources internally to the front page, index.php. Note that this is a rewrite, not an HTTP redirect: the client simply receives the home page, and the uploaded script is never handed to php-fpm.

www.example.com {
	header {
		Strict-Transport-Security "max-age=31536000; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
	}
	# Set this path to your site's directory.
	root * /data/www/yoursiterootfolder
	encode gzip
	@disallowed {
		path /xmlrpc.php
		path /wp-content/uploads/*.php
	}
	rewrite @disallowed /index.php
	# Serve a PHP site through php-fpm
	php_fastcgi unix//run/php-fpm/www.sock
	# Enable the static file server.
	file_server {
		index index.html
	}
	log {
		output file /var/log/caddy/ssl_access.log {
			roll_size 100mb
			roll_keep 3
			roll_keep_for 7d
		}
	}
}

Remember to replace the domain www.example.com with your own and the site root /data/www/yoursiterootfolder with your actual path. Before this goes live, the domain's DNS must already resolve to the IP address of the server running Caddy, because Caddy obtains its certificate through the ACME HTTP-01 or TLS-ALPN-01 challenge, which needs inbound connections on ports 80 and 443.
Two caveats on the configuration above. The preload token in Strict-Transport-Security signals intent to be added to browsers' HSTS preload list, whose submission requirements also include includeSubDomains; unless you plan to submit the domain and are certain every subdomain serves HTTPS, drop preload and keep only max-age. And the @disallowed matcher compares path suffixes, so it covers only files ending in .php; if your php-fpm pool is configured to execute other extensions (see security.limit_extensions in the pool configuration), list those too.
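To see whether anyone is knocking on the blocked paths after the switch, here is an added example (my own, not code from the original post or from the Caddy project) that scans Caddy's JSON access log, the format the log block above writes by default, for requests that trip the @disallowed rules and tallies them per client. The log lines embedded in it are constructed to follow Caddy's documented access-log layout rather than taken from a real server; the IP addresses are from RFC 5737 documentation ranges, and the client_ip field is only present in newer Caddy releases, so the code falls back to remote_ip.

```python
"""Scan Caddy's JSON access log for requests that hit the WordPress paths the
Caddyfile rewrites to /index.php.  Added example; the log lines below are
constructed to follow Caddy's documented access-log layout, not real traffic."""
import json
from collections import Counter, defaultdict
from urllib.parse import unquote

# The @disallowed rules from the Caddyfile, expressed as
# (label, predicate on the decoded request path).
DISALLOWED = [
    ("xmlrpc.php", lambda p: p == "/xmlrpc.php"),
    ("php-in-uploads",
     lambda p: p.startswith("/wp-content/uploads/") and p.endswith(".php")),
]

# Constructed sample: two xmlrpc.php POSTs from one client, a webshell probe
# with a query string, a harmless image, a percent-encoded probe of the same
# kind, and an ordinary wp-admin request.
SAMPLE_LOG = """
{"level":"info","ts":1684800000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51234","client_ip":"203.0.113.7","proto":"HTTP/2.0","method":"POST","host":"www.example.com","uri":"/xmlrpc.php","headers":{"User-Agent":["Mozilla/5.0"]}},"duration":0.012,"size":10900,"status":200}
{"level":"info","ts":1684800001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51235","client_ip":"203.0.113.7","proto":"HTTP/2.0","method":"POST","host":"www.example.com","uri":"/xmlrpc.php","headers":{}},"duration":0.011,"size":10900,"status":200}
{"level":"info","ts":1684800002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.9","remote_port":"40001","client_ip":"198.51.100.9","proto":"HTTP/1.1","method":"GET","host":"www.example.com","uri":"/wp-content/uploads/2023/05/shell.php?cmd=id","headers":{}},"duration":0.010,"size":10900,"status":200}
{"level":"info","ts":1684800003.4,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.9","remote_port":"40002","client_ip":"198.51.100.9","proto":"HTTP/1.1","method":"GET","host":"www.example.com","uri":"/wp-content/uploads/2023/05/photo.jpg","headers":{}},"duration":0.002,"size":48211,"status":200}
{"level":"info","ts":1684800004.5,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.21","remote_port":"35555","proto":"HTTP/2.0","method":"GET","host":"www.example.com","uri":"/wp-content/uploads/2023/05/%73hell.php","headers":{}},"duration":0.010,"size":10900,"status":200}
{"level":"info","ts":1684800005.6,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.21","remote_port":"35556","proto":"HTTP/2.0","method":"GET","host":"www.example.com","uri":"/wp-admin/","headers":{}},"duration":0.020,"size":4000,"status":302}
"""


def request_path(uri: str) -> str:
    """Caddy logs request.uri with the query string attached; matchers compare
    the percent-decoded path, so strip the query and decode before matching."""
    return unquote(uri.split("?", 1)[0])


def classify(entry: dict):
    """Return the label of the first @disallowed rule the entry trips, or None."""
    path = request_path(entry["request"]["uri"])
    for label, pred in DISALLOWED:
        if pred(path):
            return label
    return None


def scan(lines):
    """Parse newline-delimited JSON log lines.

    Returns (hits_by_ip, status_counts):
      hits_by_ip    -> {client_ip: Counter({label: hits})}
      status_counts -> Counter({(label, http_status): hits})
    Entries from other loggers (tls, admin, ...) are skipped.
    """
    hits_by_ip = defaultdict(Counter)
    status_counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("logger") != "http.log.access":
            continue
        label = classify(entry)
        if label is None:
            continue
        req = entry["request"]
        # client_ip honours trusted_proxies where Caddy supports it; older
        # releases only log the TCP peer address.
        ip = req.get("client_ip") or req["remote_ip"]
        hits_by_ip[ip][label] += 1
        status_counts[(label, entry["status"])] += 1
    return hits_by_ip, status_counts


def main():
    hits_by_ip, status_counts = scan(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(hits_by_ip.items()):
        print(ip, dict(counts))
    # After the rewrite these requests answer 200 with the home page, so the
    # status alone does not prove the rule fired; compare "size" with a fetch
    # of the home page if in doubt.
    print(dict(status_counts))


if __name__ == "__main__":
    main()
```

Point it at /var/log/caddy/ssl_access.log with scan(open(path)) for real data. Because the rewrite is invisible in the log, a 200 on /xmlrpc.php is the expected result of the rule working; the interesting signal is the per-client count, which tells you who is probing.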

2. Caddy 2 configuration for Typecho

The configuration applicable to Typecho is as follows:

www.example.com {
	header {
		Strict-Transport-Security "max-age=31536000; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
	}
	# Set this path to your site's directory.
	root * /data/www/yoursiterootfolder
	encode gzip
	handle_path / {
		try_files {path} {path}/ /index.php/{uri}
	}
	# Serve a PHP site through php-fpm
	php_fastcgi unix//run/php-fpm/www.sock
	# Enable the static file server.
	file_server {
		index index.html
	}
	log {
		output file /var/log/caddy/ssl_access.log {
			roll_size 100mb
			roll_keep 3
			roll_keep_for 7d
		}
	}
}

Typecho routes everything through index.php by default, so try_files {path} {path}/ /index.php/{uri} serves an existing file or directory if there is one and otherwise rewrites the request to index.php with the original URI appended as path info. Note that Caddy path matchers match exactly unless they end in *, so handle_path / applies only to requests for the site root; other paths fall through to php_fastcgi, whose built-in try_files sends anything that is not an existing file to index.php.
Remember to replace the domain www.example.com with your own and the site root /data/www/yoursiterootfolder with your actual path, and make sure beforehand that the domain's DNS resolves to the IP address of the server running Caddy.

3. Caddy 2 configuration for YOURLS

The configuration applicable to YOURLS is as follows:

www.example.com {
	header {
		Strict-Transport-Security "max-age=31536000; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
	}
	# Set this path to your site's directory.
	root * /data/www/yoursiterootfolder
	encode gzip
	route {
		try_files {path} {path}/index.php /yourls-loader.php
		php_fastcgi unix//run/php-fpm/www.sock {
			split .php
			index index.php
		}
	}
	# Enable the static file server.
	file_server {
		index index.html
	}
	log {
		output file /var/log/caddy/ssl_access.log {
			roll_size 100mb
			roll_keep 3
			roll_keep_for 7d
		}
	}
}

YOURLS resolves short links through yourls-loader.php, so try_files {path} {path}/index.php /yourls-loader.php serves an existing file or directory index if there is one and otherwise rewrites the request to /yourls-loader.php, which looks up the keyword and issues the redirect.
Remember to replace the domain www.example.com with your own and the site root /data/www/yoursiterootfolder with your actual path, and make sure beforehand that the domain's DNS resolves to the IP address of the server running Caddy.

4. About the location of the certificate issued by Caddy 2

The biggest advantage of Caddy 2 is that certificates are handled entirely hands-off: it obtains them, serves HTTPS and renews them with no operator involvement, so there is basically nothing to worry about. Caddy does not issue the certificates itself; it obtains them from an ACME CA (Let's Encrypt by default), and the storage directory is named after that CA's ACME directory endpoint.
From experience, the certificates end up in the following default locations, with one subdirectory per domain holding the certificate, the private key and a JSON metadata file. Treat that directory as sensitive, since the private keys live there; read the files from it if another service needs the certificate rather than trying to re-export them.
Linux system

/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/

Windows system

C:\Windows\System32\config\systemprofile\AppData\Roaming\Caddy\certificates\acme-v02.api.letsencrypt.org-directory\

5. About Caddy 2 API

By default, Caddy 2 exposes its configuration over a REST API on localhost:2019. Unless you actually use it, it is best to disable it; otherwise Caddy 2 keeps listening on port 2019 of localhost. The API carries no authentication of its own: anything that can reach that port, which means any process or user on the same host, can replace the running configuration.
Disabling it is simple: add the following to the global options block of the Caddyfile.

{
	admin off
}

Of course, once it is disabled, systemctl reload caddy no longer works, because Caddy loads a new configuration through that API.
Use systemctl restart caddy instead. A restart briefly drops in-flight connections and, if the new Caddyfile has a syntax error, leaves the server down, so run caddy validate --config /etc/caddy/Caddyfile first.
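If you would rather keep systemctl reload caddy working without a TCP listener, an alternative (an added suggestion of mine, not from the original post) is to keep the admin API but move it to a Unix socket, so that filesystem permissions decide who may talk to it. The socket path below is an assumption; the directory must exist and be writable by the caddy user, for example via RuntimeDirectory=caddy in a systemd unit drop-in.

```caddyfile
{
	# Admin API on a Unix socket instead of localhost:2019 (assumed path).
	# Only local processes allowed to open the socket file can push a new
	# configuration. caddy reload reads this address from the Caddyfile,
	# so the systemd unit's ExecReload (caddy reload --config ...) keeps working.
	admin unix//run/caddy/admin.sock
}
```

Still run caddy validate --config /etc/caddy/Caddyfile before reloading; a reload with an invalid file is rejected and the old configuration stays in place, which is the other advantage over a restart.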

6. Switch summary

Caddy's Caddyfile is easy to write: its matcher syntax is powerful, its behaviour is predictable, and it takes far fewer lines than the equivalent configuration for other web servers.
Certificates stop being a concern: HTTPS certificates are obtained and renewed automatically, so nobody has to worry about the site's certificate expiring again.
As for those who say Caddy's weakness is that its performance is lower than Nginx's, that is a matter of opinion.
Another drawback of Caddy is the size of its binary, a common trait of software written in Go. Taking v2.6.4 as an example, its 100 standard modules add up to 46MB; Nginx, written in C, is 1.6MB for v1.25.0, which is small indeed. But who worries about that little disk space these days?
