2.9 KiB
2.9 KiB
Caddy Multi-Service Routing
As of Jul 2026, Caddy on Core (netcup) serves 3 subdomains plus static file routes, all with automatic Let's Encrypt TLS.
Active domains
| Domain | Serves | Port upstream |
|---|---|---|
sign.itpropartner.com |
DocuSeal (reverse proxy) + vehicles.json static | 3000 |
core.itpropartner.com |
API endpoints (health, vehicles.json, capabilities) | Static files |
app.itpropartner.com |
Portal mockups (reverse proxy) | 8081 |
Caddyfile structure
Current config at /etc/caddy/Caddyfile:
sign.itpropartner.com {
reverse_proxy 127.0.0.1:3000
@json path /vehicles.json
handle @json {
root * /var/www/static
file_server
header Access-Control-Allow-Origin "*"
}
}
core.itpropartner.com {
header Access-Control-Allow-Origin "*"
@health path /health
handle @health {
respond "OK" 200
}
@vehicles path /vehicles.json
handle @vehicles {
root * /var/www/static
file_server
}
@capabilities path /capabilities
handle @capabilities {
root * /root/portal-mockup
file_server
}
}
app.itpropartner.com {
reverse_proxy 127.0.0.1:8081
}
Adding a new domain
- Add A record at SiteGround (or Cloudflare if zone is there) pointing to 152.53.192.33
- Add a new block to
/etc/caddy/Caddyfile - Run
systemctl reload caddy - Wait ~15s for Let's Encrypt cert — first request may take 10-15s
Adding a static file route to an existing domain
Use the handle @name path /path pattern:
domain.com {
reverse_proxy 127.0.0.1:3000 # existing proxy
@newfile path /data.json # new route
handle @newfile {
root * /path/to/files
file_server
header Access-Control-Allow-Origin "*"
}
}
Pitfalls
- File must be readable by caddy user. Caddy runs as the
caddyuser (not root). Files in/root/must be world-readable orchmod o+r. Use/var/www/static/for world-readable static files. - Reload vs restart.
systemctl reload caddyis preferred — no downtime. Usesystemctl restart caddywhen the Caddyfile had a parse error that prevented reload. - Full restart drops existing connections. After a restart, the 3 domains may each take 5-15s to get their Let's Encrypt certs on first request.
- Verify with curl localhost. Use
curl -s -H "Host: domain.com" http://127.0.0.1:xxx/to test routing before DNS propagates. - Cloudflare Tunnel alternative. If Tailscale Serve or Caddy port conflicts arise (port 443), Cloudflare Tunnel is installed (
cloudflaredat/usr/local/bin/cloudflared). Auth requires a browser login at the Cloudflare authorization URL. Tunnel doesn't need an open port — it creates outbound connections. - Tailscale Serve was stopped to free port 443 for Caddy. The old portal URL via Tailscale (vaultwarden.tailc2f3b0.ts.net/portal) is no longer active. Portal is now at app.itpropartner.com.