acme.sh + Caddy 完全指南 🚀
🌐 现代化的 Web 服务器与自动化 SSL 证书管理
📋 目录导航
🎯 快速开始
🌟 一站式安装脚本
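#!/bin/bash
# 🚀 Caddy + acme.sh 快速部署脚本
# Usage: ./install.sh <acme-account-email>   (run as root)
# Installs Caddy into /usr/local/caddy and acme.sh into the invoking user's
# home directory. Root is required because the systemd unit in this guide runs
# the binary from /usr/local/caddy as root and acme.sh installs itself for the
# user running this script.
set -euo pipefail

readonly caddy_dir=/usr/local/caddy
readonly caddy_url='https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2'
readonly acme_installer_url='https://get.acme.sh'

# The acme.sh account e-mail is a parameter, not a constant baked into the script.
acme_email=${1:?usage: $0 <acme-account-email>}

(( EUID == 0 )) || { printf '请以 root 身份运行\n' >&2; exit 1; }

echo "开始安装 Caddy 和 acme.sh..."

# 创建目录 — ssl/ will hold the private key, so it is not world-readable.
mkdir -p "$caddy_dir"/{ssl,conf.d} /var/www/html
chmod 755 "$caddy_dir" "$caddy_dir/conf.d" /var/www/html
chmod 700 "$caddy_dir/ssl"

# 下载 Caddy — fetch under a temporary name and make sure it runs before it is
# put in place, so a truncated download never replaces a working binary.
cd "$caddy_dir"
wget -O caddy.new "$caddy_url"
chmod +x caddy.new
./caddy.new version
mv caddy.new caddy

# 安装 acme.sh — save the installer to a file first so it can be read and its
# checksum recorded, rather than piping an unreviewed script straight into sh.
installer=$(mktemp)
trap 'rm -f -- "$installer"' EXIT
curl -fsSL "$acme_installer_url" -o "$installer"
sha256sum -- "$installer"
sh "$installer" email="$acme_email"

# The installer adds an alias to ~/.bashrc; aliases only apply to interactive
# shells, so call the binary by path instead of sourcing .bashrc here.
"$HOME/.acme.sh/acme.sh" --version

echo "安装完成!"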
📦 Caddy 安装配置
🐧 安装 Caddy
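# 创建安装目录
sudo mkdir -p /usr/local/caddy
cd /usr/local/caddy || exit 1

# 下载 Caddy(包含常用模块) — the "p=" module list (core + webdav) is what the
# conf.d sites rely on; any later binary update must request the same modules.
# Download under a temporary name so a failed transfer never clobbers a working binary.
sudo wget -O caddy.new "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav"

# 设置执行权限
sudo chmod +x caddy.new

# 验证安装 — the binary must run and must actually contain the webdav handler
# before it becomes ./caddy.
./caddy.new version || exit 1
./caddy.new list-modules | grep -qF http.handlers.webdav \
  || { echo 'webdav module missing from download' >&2; exit 1; }
sudo mv caddy.new caddy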
🔧 基本管理命令
# 查看版本 — print the version of the binary in the current directory
./caddy version
# 列出已安装模块 — shows which modules were compiled in (check for the webdav
# handler used by the file.* site)
./caddy list-modules
# 验证配置文件 — parses ./Caddyfile without starting a server
./caddy validate
# 格式化配置文件 — rewrites ./Caddyfile in place in canonical formatting
./caddy fmt --overwrite
# 重新加载配置 — pushes ./Caddyfile to the running instance through the admin
# API without dropping connections
./caddy reload
# 启动 Caddy — start/stop/run control a manually launched instance. When the
# systemd unit from this guide is in use, prefer `systemctl start|stop|restart caddy`
# so two instances do not compete for ports 86/6663.
./caddy start
# 停止 Caddy
./caddy stop
# 运行 Caddy(前台) — foreground, logs to the terminal; Ctrl-C stops it
./caddy run
📁 目录结构
/usr/local/caddy/
├── caddy # Caddy 二进制文件
├── Caddyfile # 主配置文件
├── ssl/ # SSL 证书目录
│ ├── full_chain.pem
│ └── private.key
└── conf.d/ # 子配置文件目录
└── *.conf # 各个服务的配置文件
🚀 开机自启动
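# 创建启动脚本 — systemd unit for the binary in /usr/local/caddy.
# This unit runs Caddy as root, matching the rest of the guide. The listeners
# (86/6663) are unprivileged ports, so a dedicated service user would work once
# /usr/local/caddy/ssl, /var/www/html and /mnt are readable by that user.
# Additions over the minimal unit: wait for the network to be online, an
# ExecReload so `systemctl reload caddy` works, a file-descriptor limit suitable
# for a proxy, and two low-risk hardening options.
sudo tee /etc/systemd/system/caddy.service > /dev/null <<'EOF'
[Unit]
Description=Caddy Web Server
After=network.target network-online.target
Wants=network-online.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/caddy
ExecStart=/usr/local/caddy/caddy run --config /usr/local/caddy/Caddyfile
ExecReload=/usr/local/caddy/caddy reload --config /usr/local/caddy/Caddyfile --force
Restart=on-failure
RestartSec=5
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
EOF
# 启用并启动服务 — `enable --now` enables and starts in one step; the status
# call confirms the unit is actually running.
sudo systemctl daemon-reload
sudo systemctl enable --now caddy
sudo systemctl status --no-pager caddy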
🔐 SSL 证书管理
📦 安装 acme.sh
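# 安装 acme.sh — download the installer to a file first so it can be read and
# its checksum recorded before anything is executed.
acme_email='meimolihan@live.com'   # acme.sh account e-mail (receives CA expiry notices)
installer=$(mktemp) || exit 1
curl -fsSL 'https://get.acme.sh' -o "$installer"
# 或者使用国内镜像 — alternative source, not a second install step; the URL is
# quoted because the literal '?' is otherwise a shell glob character.
# curl -fsSL 'https://gitcode.net/cert/cn-acme.sh/-/raw/master/install.sh?inline=false' -o "$installer"
sha256sum -- "$installer"
sh "$installer" email="$acme_email"
rm -f -- "$installer"
# The installer adds `alias acme.sh=~/.acme.sh/acme.sh` to ~/.bashrc. Aliases are
# only expanded in interactive shells, so `source ~/.bashrc` has no effect inside
# a script; call the binary by path here (or open a new login shell).
# 验证安装
"$HOME/.acme.sh/acme.sh" --version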
🌐 Cloudflare DNS 验证
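# 设置 Cloudflare API Token
# The token is a credential and does not belong in a script or a published
# document. Read it from the terminal without echo so it stays out of shell
# history and `ps` output; acme.sh stores it in ~/.acme.sh/account.conf after the
# first issue, so the variables are only needed this once. Scope the token to
# DNS edit on this zone only.
read -r -s -p 'Cloudflare API Token: ' CF_Token; echo
export CF_Token
export CF_Zone_ID='<your-cloudflare-zone-id>'   # not secret, but site-specific
# 设置默认 CA
acme.sh --set-default-ca --server letsencrypt
# 申请泛域名证书 — a wildcard can only be validated with DNS-01, hence dns_cf.
acme.sh --issue --dns dns_cf \
  -d "meimolihan.eu.org" \
  -d "*.meimolihan.eu.org" \
  --keylength ec-256
# Drop the token from the environment of this shell once the issue is done.
unset CF_Token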
📁 证书安装
# 安装证书到 Caddy — copies the issued key and full chain into Caddy's ssl
# directory and registers the reload command, which acme.sh runs again after
# every automatic renewal.
ssl_dir=/usr/local/caddy/ssl
acme.sh --install-cert -d meimolihan.eu.org \
  --key-file "$ssl_dir/private.key" \
  --fullchain-file "$ssl_dir/full_chain.pem" \
  --reloadcmd "cd /usr/local/caddy && ./caddy reload"
🔄 证书维护
# 查看证书列表 — every certificate acme.sh manages, with its next renewal date
acme.sh --list
# 查看证书信息 — settings of one certificate (CA, key type, install paths, reload command)
acme.sh --info -d meimolihan.eu.org
# 手动续签 — --force renews even when the cert is not yet due; forced renewals
# count against the CA's rate limits, so keep this for recovery rather than routine use
acme.sh --renew -d meimolihan.eu.org --force
# 设置自动更新 — lets acme.sh upgrade itself from its daily cron run
acme.sh --upgrade --auto-upgrade
# 撤销证书 — revoke at the CA, then deregister so the cron job stops renewing it;
# the copies installed under /usr/local/caddy/ssl are not touched by --remove
acme.sh --revoke -d meimolihan.eu.org
acme.sh --remove -d meimolihan.eu.org
⏰ 自动续签配置
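# 添加计划任务 — the acme.sh installer already registers a daily "acme.sh --cron"
# entry, so only add one when it is missing; otherwise renewals run twice a day.
if ! crontab -l 2>/dev/null | grep -qF 'acme.sh --cron'; then
  (crontab -l 2>/dev/null; echo '10 20 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null') | crontab -
fi
# 验证计划任务
crontab -l | grep acme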
🔄 反向代理配置
🎯 主配置文件
# /usr/local/caddy/Caddyfile
# Global options block — must be the first block in the file.
{
# Non-standard listeners. Caddy's built-in ACME challenges (HTTP-01 / TLS-ALPN-01)
# need 80/443, which is presumably why certificates come from acme.sh via DNS-01
# and each site names its files with an explicit `tls <cert> <key>` line.
http_port 86
https_port 6663
# In Caddy's default directive order file_server would run before reverse_proxy.
order reverse_proxy before file_server
}
# One site block per service, kept in conf.d/*.conf.
import /usr/local/caddy/conf.d/*.conf
🌐 反向代理示例
# /usr/local/caddy/conf.d/proxy.conf
# PVE 管理界面 — Proxmox web UI published through Caddy on the non-standard HTTPS port.
https://pve.meimolihan.eu.org:6663 {
encode gzip
# Wildcard certificate issued by acme.sh; refreshed by the --reloadcmd registered
# with `acme.sh --install-cert`.
tls /usr/local/caddy/ssl/full_chain.pem /usr/local/caddy/ssl/private.key
reverse_proxy https://10.10.10.254:8006 {
transport http {
# Disables certificate verification of the PVE upstream (self-signed by default).
# The Caddy -> PVE hop is then unauthenticated on the LAN; the stricter option is
# to trust the PVE CA with `tls_trusted_ca_certs <pem>` instead of skipping checks.
tls_insecure_skip_verify
}
# Sends the upstream's own host:port as Host rather than the public name.
header_up Host {http.reverse_proxy.upstream.hostport}
}
# 错误处理 — serve a static 50x page from the web root when the upstream fails.
handle_errors {
rewrite * /50x.html
root * /var/www/html
file_server
}
}
# WebDAV 文件服务 — everything under /mnt is browsable over HTTPS and writable
# via WebDAV at /webdav/ for anyone holding the basic_auth credentials.
https://file.meimolihan.eu.org:6663 {
root * /mnt
encode gzip
# Basic 认证 — bcrypt hash generated with `caddy hash-password`. In Caddy's default
# directive order basic_auth runs before route/file_server, so it guards both the
# WebDAV endpoint and the directory listing.
basic_auth {
admin $2a$14$yZXju.olCFqnybbcXmOfyuA64uPlejIBQVNgd9e7epWJrnB/aT57K
}
tls /usr/local/caddy/ssl/full_chain.pem /usr/local/caddy/ssl/private.key
route {
# Normalise /webdav to /webdav/ so the prefix-stripping handler below matches.
rewrite /webdav /webdav/
webdav /webdav/* {
prefix /webdav
}
# Requests outside /webdav/ fall through to a browsable static listing.
file_server browse
}
}
🛡️ 安全头部配置
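# 安全增强配置 — place inside a site block (e.g. each conf.d/*.conf site).
header {
  # Only send HSTS once the site is reachable purely over HTTPS; `preload` is
  # hard to undo, so add it last.
  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  X-Content-Type-Options "nosniff"
  X-Frame-Options "DENY"
  # The XSS auditor is deprecated and removed from current browsers; the
  # recommended value today is "0" (off) rather than "1; mode=block".
  X-XSS-Protection "0"
  Referrer-Policy "strict-origin-when-cross-origin"
  Permissions-Policy "fullscreen=(self)"
  # 隐藏服务器信息 — `server_tokens off` is an nginx directive and fails
  # `caddy validate`; in Caddy a leading "-" deletes the header from the response.
  -Server
}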
📊 负载均衡配置
# 负载均衡示例
# No `tls <cert> <key>` line here: with http_port 86 / https_port 6663 Caddy's
# built-in ACME challenges (which need 80/443) are unlikely to succeed, so give
# this site an explicit certificate like the other conf.d sites.
https://api.example.com:6663 {
reverse_proxy {
# Plain-HTTP upstreams; the active health check requests /health on each one
# every 30s and takes failing backends out of rotation.
to server1:8080 server2:8080 server3:8080
lb_policy round_robin
health_uri /health
health_interval 30s
}
}
⚡ 性能优化
🚀 Caddy 性能调优
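# 全局性能配置 — belongs in the global options block at the top of the Caddyfile.
# `max_connections` and `buffers` are not Caddy global options and would fail
# `caddy validate`; the equivalents Caddy does provide are the per-server
# timeouts and the request-header size cap under `servers`.
{
  servers {
    # 超时设置 — bounds on slow clients (a slowloris-style hold on the read,
    # write or idle side is cut off after these durations).
    timeouts {
      read_body 30s
      read_header 10s
      write 30s
      idle 60s
    }
    # Upper bound on the request headers Caddy will buffer.
    max_header_size 1MB
  }
}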
📦 压缩和缓存
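# Gzip 压缩 — zstd is used by clients that advertise it, gzip is the fallback.
encode zstd gzip
# 静态资源缓存 — a one-year max-age is only safe for assets with content-hashed names.
header /assets/* {
  Cache-Control "public, max-age=31536000"
}
# 代理缓存 — Caddy does not cache upstream responses itself; this header only
# lets browsers and CDNs cache them. Named matchers are declared at site level
# (not inside reverse_proxy) and `header` is its own directive, so the original
# nesting would not validate.
@static {
  path *.css *.js *.png *.jpg *.jpeg *.gif *.ico *.svg *.woff *.woff2
}
header @static Cache-Control "public, max-age=31536000"
reverse_proxy UPSTREAM_HOST:PORT   # replace with the backend address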
🔍 监控和日志
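# 查看 Caddy 日志 — follow the systemd journal of the unit
journalctl -u caddy -f
# 实时监控连接数 — ss replaces the deprecated netstat; count established
# connections whose local port is 6663 (grepping ":6663" also matched the
# LISTEN socket and any connection whose remote port happened to be 6663).
watch -n 1 "ss -Htn state established '( sport = :6663 )' | wc -l"
# 性能测试 — point this at a staging host rather than the live PVE console.
ab -n 1000 -c 100 https://pve.meimolihan.eu.org:6663/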
🔧 维护管理
📋 备份和恢复
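#!/bin/bash
# backup-caddy.sh — snapshot Caddy's config, certificates and web root into a
# dated directory plus a tarball. Run as root (the key file is mode 600).
set -euo pipefail

readonly backup_root=/backup/caddy
stamp=$(date +%Y%m%d)
readonly stamp
backup_dir="$backup_root/$stamp"

# The snapshot contains private.key: make everything created here owner-only.
umask 077
mkdir -p -- "$backup_dir"

# 备份配置和证书 — -a keeps ownership and the 600 mode on the key.
# Explicit destination names avoid the html/html nesting a trailing slash produces.
cp -a -- /usr/local/caddy "$backup_dir/caddy"
cp -a -- /var/www/html "$backup_dir/html"

# 创建压缩包 — written next to the dated directory, not inside it, so tar is
# not archiving the file it is writing.
archive="$backup_root/caddy-backup-$stamp.tar.gz"
tar -czf "$archive" -C "$backup_root" -- "$stamp"
printf '备份完成: %s\n' "$archive"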
🛠️ 故障排除
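# 检查配置语法 — parses ./Caddyfile without starting a server
cd /usr/local/caddy && ./caddy validate
# 调试模式运行 — foreground with debug logging; stop the systemd unit first,
# otherwise ports 86/6663 are already taken
cd /usr/local/caddy && ./caddy run --debug
# 检查证书状态 — notBefore/notAfter of the installed chain
openssl x509 -in /usr/local/caddy/ssl/full_chain.pem -noout -dates
# 检查端口占用 — ss replaces netstat, which is no longer installed by default
sudo lsof -i :6663
sudo ss -tulnp | grep ':6663'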
🔄 更新和维护
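# 更新 Caddy — request the same module list as the install (core + webdav);
# a plain "os=linux&arch=amd64" download has no webdav module and the file.*
# site would stop validating. Verify the new binary before it replaces the old
# one, then restart: `caddy reload` re-reads the config but keeps the old
# process (and old binary) running.
cd /usr/local/caddy || exit 1
wget -O caddy.new "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav"
chmod +x caddy.new
./caddy.new version || exit 1
./caddy.new validate --config /usr/local/caddy/Caddyfile || exit 1
mv caddy.new caddy
sudo systemctl restart caddy
# 更新 acme.sh
acme.sh --upgrade
# 清理旧日志
find /var/log -name "caddy*" -mtime +30 -delete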
💡 最佳实践
🛡️ 安全建议
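# 定期更新软件 — download to a temporary name and verify before replacing the
# binary; the module list must match the install (core + webdav). Restart
# afterwards, because a running process keeps using the old binary.
(
  cd /usr/local/caddy || exit 1
  wget -O caddy.new "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav" || exit 1
  chmod +x caddy.new
  ./caddy.new version || exit 1
  mv caddy.new caddy
  sudo systemctl restart caddy
)
acme.sh --upgrade
# 文件权限设置 — close the ssl/ directory itself as well, so any file later
# created there with default permissions is not readable by other users.
chmod 755 /usr/local/caddy
chmod 700 /usr/local/caddy/ssl
chmod 600 /usr/local/caddy/ssl/private.key
chmod 644 /usr/local/caddy/ssl/full_chain.pem
# 防火墙配置 — only the two Caddy listeners; PVE (8006) and Caddy's admin API
# (2019) stay unexposed.
ufw allow 6663/tcp comment 'Caddy HTTPS'
ufw allow 86/tcp comment 'Caddy HTTP'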
📊 监控告警
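#!/bin/bash
# monitor-caddy.sh — cron-driven health check: restarts Caddy when the unit is
# down and mails an alert when the installed certificate expires within 10 days.
set -uo pipefail

readonly alert_to=admin@example.com
readonly cert=/usr/local/caddy/ssl/full_chain.pem

# 检查服务状态
if ! systemctl is-active --quiet caddy; then
  printf '%s\n' "Caddy 服务异常" | mail -s "Caddy 服务告警" "$alert_to"
  systemctl restart caddy
fi

# 检查证书过期 — `-checkend N` exits non-zero when the certificate expires
# within N seconds (864000 s = 10 days); using the exit status avoids
# grepping openssl's human-readable message.
if ! openssl x509 -in "$cert" -noout -checkend 864000 >/dev/null; then
  printf '%s\n' "SSL 证书即将过期" | mail -s "证书告警" "$alert_to"
fi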
🔧 自动化脚本
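#!/bin/bash
# renew-certificates.sh — meant to run from cron: renews due certificates and
# reloads Caddy. acme.sh is installed as a ~/.bashrc alias, which cron's
# non-interactive shell never sees, so the binary is called by path.
set -uo pipefail

readonly acme="$HOME/.acme.sh/acme.sh"
readonly log=/var/log/caddy-renew.log

# 续签证书 — without --force only certificates inside their renewal window are
# renewed; forcing on every run re-issues daily and runs into CA rate limits.
"$acme" --renew-all
rv=$?

# 重载 Caddy — the --reloadcmd registered with --install-cert already does this
# per certificate; kept as a belt-and-braces step.
( cd /usr/local/caddy && ./caddy reload )

# 记录日志
echo "$(date): 证书续签完成" >> "$log"
if (( rv != 0 )); then
  echo "$(date): acme.sh --renew-all exit status $rv" >> "$log"
fi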
📝 文档和资源
🎯 提示: 建议在生产环境部署前充分测试所有配置。定期检查日志和监控状态,确保服务稳定运行。
🚀 扩展功能:
- 🔄 多服务器负载均衡
- 🌐 CDN 集成
- 📊 访问日志分析
- 🛡️ WAF 防火墙
- 📱 移动端优化
📞 紧急恢复:
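# 服务异常时重启
systemctl restart caddy
# 证书问题重新申请 — forces a re-issue even if the current certificate is still valid
acme.sh --renew -d meimolihan.eu.org --force
# 配置回滚 — backup-caddy.sh stores each snapshot under /backup/caddy/<YYYYMMDD>/caddy/,
# so choose the dated directory to roll back to and validate before reloading.
backup_date='<YYYYMMDD>'   # e.g. the newest entry of: ls /backup/caddy
cp "/backup/caddy/$backup_date/caddy/Caddyfile" /usr/local/caddy/
cd /usr/local/caddy && ./caddy validate && ./caddy reload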