
caddy和haproxy配置分享

caddy安装脚本

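# Download the Caddy manager script from the project's main branch, then run it.
# -f makes curl fail on an HTTP error (e.g. 404) instead of saving the error page
# under the script name, which the chmod/./ chain would otherwise execute.
# Read the downloaded file before running it; pinning the URL to a specific commit
# instead of "main" also keeps the content from changing between runs.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/caddy_manager.sh && chmod +x caddy_manager.sh && ./caddy_manager.sh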

haproxy转发脚本 (基于caddy后端)

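# Download the HAProxy (Caddy-backend) forwarding script, then run it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script, which the chmod/./ chain would otherwise execute.
# Read the downloaded file before running it, or pin the URL to a specific commit.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/haproxy-ca.sh && chmod +x haproxy-ca.sh && ./haproxy-ca.sh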

caddy备份恢复脚本

先安装rsync

# Install rsync first; the backup script below depends on it.
sudo apt update
sudo apt install -y rsync

脚本

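# Download the Caddy backup/restore script, then run it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script, which the chmod/./ chain would otherwise execute.
# Read the downloaded file before running it, or pin the URL to a specific commit.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/caddy_backup.sh && chmod +x caddy_backup.sh && ./caddy_backup.sh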

备份

# Create an automatically named backup.
# NOTE(review): the usage section further down runs this with sudo; confirm whether
# root is needed to read the Caddy data directory on your system.
./caddy_backup.sh backup

恢复

# Make sure the backup directory exists, then restore from an archive.
# The archive name below is an example (timestamped) name; use the one printed by "list".
mkdir -p /opt/caddy-backups
./caddy_backup.sh restore /opt/caddy-backups/caddy-backup-20231201-120000.tar.gz

用法

# Usage overview for caddy_backup.sh (backup / list / restore / help).

# Make the script executable
chmod +x caddy_backup.sh

# Create a backup (auto-named)
sudo ./caddy_backup.sh backup

# Create a backup with the given name
sudo ./caddy_backup.sh backup my-migration-backup

# List all backups
./caddy_backup.sh list

# Restore a backup (asks for confirmation)
sudo ./caddy_backup.sh restore /opt/caddy-backups/caddy-backup-20231201-120000.tar.gz

# Force restore (no confirmation prompt) -- it overwrites the live configuration, so
# validate the archive you pass before using --force
sudo ./caddy_backup.sh restore backup.tar.gz --force

# Show help
./caddy_backup.sh help

证书目录

# Directory under the caddy service's data dir where the managed certificates are stored.
cd /var/lib/caddy/.local/share/caddy/certificates/

查看现有证书

# List managed certificate files whose path contains either of the example
# domain fragments (1234 or 5678); replace them with your own domain names.
sudo find /var/lib/caddy -name '*.crt' | grep -e 1234 -e 5678

重启

# Restart Caddy so configuration or certificate changes take effect.
# NOTE(review): other commands on this page use sudo; run as root where required.
systemctl restart caddy

修正格式

# Rewrite the Caddyfile in canonical format in place (fixes formatting warnings).
caddy fmt --overwrite /etc/caddy/Caddyfile

haproxy脚本

安装脚本

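# Download the HAProxy install script, then run it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script, which the chmod/./ chain would otherwise execute.
# Read the downloaded file before running it, or pin the URL to a specific commit.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/haproxy-d.sh && chmod +x haproxy-d.sh && ./haproxy-d.sh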

恢复脚本

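# Download the HAProxy restore script, then run it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script, which the chmod/./ chain would otherwise execute.
# Read the downloaded file before running it, or pin the URL to a specific commit.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/restore_haproxy.sh && chmod +x restore_haproxy.sh && ./restore_haproxy.sh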

验证

# Validate the configuration file; run this before every restart so a broken
# config does not take the proxy down.
haproxy -c -f /etc/haproxy/haproxy.cfg

重启

# Restart HAProxy to load the new configuration (run as root where required).
systemctl restart haproxy

检查状态

# Show the service state and the most recent log lines.
systemctl status haproxy

haproxy站点配置

示例

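global
    log /dev/log local0 warning
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 20000
    # Admin-level runtime socket; mode 660 keeps it to the haproxy user/group
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # Applies to every "bind ... ssl" line: refuse TLS 1.0/1.1, matching the
    # "protocols tls1.2 tls1.3" setting used in the Caddy snippets on this page
    ssl-default-bind-options ssl-min-ver TLSv1.2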

defaults
    log global
    mode http                    # switched to HTTP mode (TLS is terminated in the frontend below)
    option dontlognull
    option httplog              # enable HTTP request logging
    option http-keep-alive
    option forwardfor           # add X-Forwarded-For with the client IP; backends should trust it only when it comes from this proxy
    timeout connect 5s          # connect timeout raised
    timeout client  30s         # client timeout raised
    timeout server  30s         # server timeout raised
    timeout http-keep-alive 15s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


# Plain-HTTP listener: nothing is served here, every request is redirected to HTTPS
frontend http-in
    bind *:80
    redirect scheme https code 301 # force all HTTP traffic to HTTPS

# TLS-terminating listener; certificates are loaded from the crt directory
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
	
    # Security headers added to every response
    # "preload" enrols the domain (and all subdomains) in browser HSTS preload lists, which is hard to undo
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   #http-response set-header X-Frame-Options "SAMEORIGIN"
   #http-response set-header Content-Security-Policy "frame-ancestors 'self'"
    http-response set-header X-Content-Type-Options "nosniff"
    # Legacy header, ignored by current browsers; a Content-Security-Policy is the modern mitigation
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header Referrer-Policy "strict-origin-when-cross-origin"

    # Routing: to send more domains to backend1, append them on the same acl line
	
    acl domain1_https hdr(host) -i 123.cc www.123.cc 456.cc www.456.cc
    acl domain2_https hdr(host) -i 789.com www.789.com 158.org www.158.org
    acl domain3_https hdr(host) -i 236.com www.236.com 189.com www.189.com
	
    use_backend backend1 if domain1_https
    use_backend backend2 if domain2_https
    use_backend backend3 if domain3_https
    # Default backend; left disabled, so a Host header matching no ACL has no backend
    # and is answered by HAProxy's error page instead of being forwarded
    #default_backend backend1

# Plain-HTTP upstream (TLS ends at HAProxy); health check every 10s, up after 2 passes, down after 3 failures
backend backend1
    server server1 8.8.8.8:80 check inter 10s rise 2 fall 3


# Plain-HTTP upstream; same health-check parameters as backend1
backend backend2
    server server2 9.9.9.9:80 check inter 10s rise 2 fall 3



# Plain-HTTP upstream; same health-check parameters as backend1
backend backend3
    server server3 3.3.3.3:80 check inter 10s rise 2 fall 3

haproxy转发配置

示例

示例2(推荐)

global
    log /dev/log local0 warning
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 20000
    # Admin-level runtime socket; mode 660 keeps it to the haproxy user/group
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s

# No "mode" here: every frontend/backend below sets its own (http for port 80 and stats, tcp for 443)
defaults
    log global
    option dontlognull
    option clitcpka
    option srvtcpka
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# =============================================================================
# Frontend - HTTP (port 80) - reduced to a forced redirect to HTTPS
# =============================================================================
frontend http-in
    bind *:80
    mode http
    option httplog
    option http-keep-alive      
    timeout http-keep-alive 15s
    # Force all HTTP traffic to HTTPS
    redirect scheme https code 301

# =============================================================================
# Frontend - HTTPS (port 443) - original behaviour kept
# =============================================================================
frontend tcp_front_443
    bind *:443
    # TLS is not terminated here: the connection is routed by SNI and passed through unchanged
    mode tcp
    option tcplog
    rate-limit sessions 2500
    
    # SSL SNI inspection
    # Hold the connection for up to 5s until a TLS ClientHello (hello type 1) is seen so req_ssl_sni can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    
    # Nginx backend domains
    use_backend nginx_servers_443 if { req_ssl_sni -i www.1234.com }
    use_backend nginx_servers_443 if { req_ssl_sni -i 1234.com }
    #use_backend nginx_servers_443 if { req_ssl_sni -i www.example2.com }
    #use_backend nginx_servers_443 if { req_ssl_sni -i www.example3.com }
    
    # Caddy backend domains
    use_backend caddy_servers_443 if { req_ssl_sni -i www.2345.com }
    use_backend caddy_servers_443 if { req_ssl_sni -i 2345.com }
    #use_backend caddy_servers_443 if { req_ssl_sni -i www.example5.com }
    #use_backend caddy_servers_443 if { req_ssl_sni -i www.example6.com }
    
    # Default backend (handles unmatched SNI, e.g. direct IP access); the nginx server then sees any name a client sends
    default_backend nginx_servers_443

# =============================================================================
# Backend - Nginx servers (port 443 only)
# =============================================================================
backend nginx_servers_443
    mode tcp    
    # Primary Nginx server
    # send-proxy prepends a PROXY protocol header so the backend learns the real client address
    server nginx1_443 6.6.6.6:443 check inter 10s rise 2 fall 3 send-proxy
    
    # Standby Nginx server (optional)
    # server nginx2_443 8.8.8.8:443 check inter 10s rise 2 fall 3 send-proxy backup
    
    # Remove send-proxy if the backend does not accept the PROXY protocol

# =============================================================================
# Backend - Caddy servers (port 443 only)
# =============================================================================
backend caddy_servers_443
    mode tcp
    # Primary Caddy server (no send-proxy here, so Caddy sees HAProxy's address as the client)
    server caddy1_443 9.9.9.9:443 check inter 10s rise 2 fall 3
    
    # Standby Caddy server (optional)
    # server caddy2_443 9.9.9.9:443 check inter 10s rise 2 fall 3 backup
   
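# =============================================================================
# Statistics page (optional)
# =============================================================================
listen stats
    # Listens on every interface; restrict with a firewall or bind to an internal address if it must not be reachable from the Internet
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 30s
    # Do not reveal the HAProxy version on the page
    stats hide-version
    # Admin actions (enable/disable servers) only from loopback; the page stays readable
    # from the server IP as described in the notes below
    stats admin if LOCALHOST
    # Recommended: require credentials (replace the placeholder before enabling)
    #stats auth admin:your_password_here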

# =============================================================================
# 使用说明:
# 1. 将域名替换为你的实际域名
# 2. 将IP地址替换为实际的后端服务器IP
# 3. 后端服务器需要配置SSL证书
# 4. 访问 http://服务器IP:8404/stats 查看状态
# ==========================================================================

防攻击(可选)

添加以下代码

...

# Excerpt: only the added connection-limiting directives are shown; the SNI routing
# rules from the full example follow after the "..." marker
frontend tcp_front_443
    bind *:443
    mode tcp
    option tcplog
    rate-limit sessions 15000

    # Rate limiting - tuned for this deployment's size
    # Per-source-IP table: current connections and new-connection rate over a 10s window, entries expire after 30m
    stick-table type ip size 100k expire 30m store conn_cur,conn_rate(10s)
    tcp-request connection track-sc1 src
    
    
    # Whitelist - forwarding IPs are exempt
    acl forwarding_ips src 3.3.3.3 6.6.6.6
    # NOTE(review): private ranges are only a useful exemption if such sources can actually reach this listener (e.g. a VPC); confirm for your network
    acl internal_ips src 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
    
    # Whitelisted IPs are accepted before the limits below are evaluated
    tcp-request connection accept if forwarding_ips
    tcp-request connection accept if internal_ips


    # Per-IP limits - adjust to actual traffic
    tcp-request connection reject if { src_conn_cur ge 200 }      # at most 200 concurrent connections per IP
    tcp-request connection reject if { src_conn_rate gt 100 }      # at most 100 new connections per 10s
	

    # SSL SNI inspection
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    
    ...

caddy配置

如果出现格式规范的警告,使用以下命令修复

caddy fmt --overwrite /etc/caddy/Caddyfile

示例

# Shared snippet imported by the www site blocks below
(common_config) {
	tls {
		# Refuse TLS 1.0/1.1
		protocols tls1.2 tls1.3
	}
	header {
		# FLoC opt-out; the FLoC experiment has been discontinued, so this line is harmless but no longer needed
		Permissions-Policy interest-cohort=()
		# HSTS for one year; the trailing ';' is not needed
		Strict-Transport-Security max-age=31536000;
		X-Content-Type-Options nosniff
		Referrer-Policy strict-origin-when-cross-origin
		# Legacy header, ignored by current browsers
		X-XSS-Protection "1; mode=block"
		# Strip headers that reveal the proxy/server software
		-Via
		-Alt-Svc
		-Server
	}
}
# Apex redirects permanently to www, preserving the request path/query
2345.com {
	redir https://www.2345.com{uri} permanent
}
# TLS-terminating site; upstream is reached over plain HTTP, so that link must be a trusted network
www.2345.com {
	import common_config
	reverse_proxy 6.6.6.6:80
}
# Apex redirects permanently to www, preserving the request path/query
123.com {
	redir https://www.123.com{uri} permanent
}
# Same upstream as www.2345.com, over plain HTTP
www.123.com {
	import common_config
	reverse_proxy 6.6.6.6:80
}

caddy-反代CF

准备工作,以 1234.kkk.eu.org 作为回源域名为例

  1. 1234.kkk.eu.org 绑定到后端站点。

  2. 1234.kkk.eu.org解析到后端服务器 IP 地址。

  3. 开启 CDN(小云朵)

  4. SSL/TLS 加密模式设置为灵活(Flexible)模式

示例

# Caddy 多域名配置

# Shared snippet for the HTTPS site blocks below
(common) {
	tls {
		# Refuse TLS 1.0/1.1
		protocols tls1.2 tls1.3
	}
	header {
		# Strip headers that reveal the proxy/server software
		-Via
		-Alt-Svc
		-Server
	}
}

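# Shared reverse_proxy options for upstreams that sit behind a CDN
(proxy) {
	# Send the upstream's own host name to the origin instead of the public site name
	header_up Host {upstream_hostport}
	# {remote} expands to the client address *with port*; X-Real-IP should carry only the IP
	header_up X-Real-IP {remote_host}
}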

# Apex redirects permanently to www, preserving the request path/query
1234.com {
	redir https://www.1234.com{uri} permanent
}

# Proxies over HTTPS to the CDN-fronted origin host name prepared above
www.1234.com {
	import common
	reverse_proxy https://1234.kkk.eu.org {
		import proxy
	}
}

# Apex redirects permanently to www, preserving the request path/query
4567.com {
	redir https://www.4567.com{uri} permanent
}

# Same pattern as www.1234.com with its own origin host name
www.4567.com {
	import common
	reverse_proxy https://4567.kkk.eu.org {
		import proxy
	}
}

# Plain-HTTP only (http:// scheme in the site address): no TLS is issued for this name
# and the redirect target is also http
http://789.cc {
	redir http://www.789.cc{uri} permanent
}

# Served over plain HTTP; (common) is not imported here, presumably because it contains
# a tls block -- only the header removals are repeated
http://www.789.cc {
	header {
		-Via
		-Alt-Svc
		-Server
	}
	# Clients talk plain HTTP to Caddy, but the hop to the origin is HTTPS
	reverse_proxy https://789.kkk.eu.org {
		import proxy
	}
}
CC BY-NC-SA 4.0 转载请注明
最后更新于 2025-08-08 11:15