cloudflare VS traefik

If you're using Cloudflare then you might need the Cloudflare module which is a little annoying because you need to rebuild the Caddy executable (or Docker image) to include it. I just set up a GitHub repo that uses GitHub Actions to build and publish a Docker image that includes the Caddy Docker Proxy and Cloudflare modules, but I haven't figured out how automatically update the image when a new version of Caddy is released so it's still a manual process for now.

if domain.xyz is already pointed to cloudflare's nameservers, you'll want to use the cloudflare dns plugin with caddy for a wildcard tls cert from letsencrypt.

I'm on Cloudflare now, so I build my own image based on this Docker image to use SSL from Cloudflare.

Anyways, my end goal is to use cloudflare aswell, because I see that then you can get a wildcard DNS record. Have you tried that? Are you using https://github.com/caddy-dns/cloudflare ? Did you have to build it yourself, or is it included in dockerhub image?

> First, what versions am I getting? Does using `2.5.1-builder` result in a customer built binary that's version `2.5.1`? The command usage [1] of the `xcaddy` command says it falls back to the `CADDY_VERSION` environment variable if it's not set explicitly. Since it's not set explicitly, I go looking for that variable in the Dockerfile [2].

Yeah - the default version it'll build with is the version embedded in the builder image, so in that case, v2.5.1. But really, you can just use always use the latest builder image and specify the version you want in the xcaddy command, i.e. 'xcaddy build v2.5.1 --with ', or any other git ref if not a version (cause we're using Go to build and you can use any git ref, like a commit hash or branch name if you want to try a WIP pull request).

We set it up with a good default so most users wouldn't need to ask that question, it should "just work" for them. But it's a valid question to ask.

> That's some templating language I'm not familiar with and I can't track down where the variable gets set, at least not quickly.

Yeah we're using Gomplate for generating the Dockerfiles for the official Docker Library builds, since we need to make builds for every CPU architecture, and even Windows docker images (I still have no idea why anyone would want those, but alas). Either way, that's an implementation detail of how we automate this stuff, doesn't matter to users.

> Now, what version of `caddy-dns/cloudflare` am I getting?

The latest, if you don't specify a version. The https://github.com/caddy-dns/cloudflare repo doesn't have tagged releases, so it'll just be the latest commit on the master branch. You can specify a specific commit like '--with github.com/caddy-dns/cloudflare@8ea1cff' for (as of this writing) the commit just before the latest.

> What other risks come along with building and maintaining my own custom image?

Honestly, none. Maybe problems with plugins not being compatible with eachother, but Caddy's plugin design means that should rarely happen, except if two plugins have the same module ID. But that's up to you to make sure you don't pick two plugins that try to do the same thing.

Because of the way Go builds work, they can always be cross-compiled. We don't use CGO, so builds of Caddy are completely static and have zero dependencies. There's really no risk that it doesn't build in a specific environment, or whatever.

> If I build a custom image, do I let other people I help with the odd tech thing use it or is all the effort for me only? I don't want to become the maintainer of a Docker image others rely on, so I can't even re-use any related config if I help others in the future since they won't have access to the needed image.

Up to you. But that's the exact reason we don't maintain builds with plugins ourselves. There's literally an infinite amount of combinations possible. Some have suggested like "caddy-lite" and "caddy-full" sort of setups where we ship just a few vetted plugins or "yolo give me all the plugins" but that's silly. We don't have the time or resources to vet all the plugins.

From your perspective it might seem like "duh, there should be an official build with Cloudflare", but really it's a pretty small percentage of users who need this.

> Also, a 4 line Docker file looks nice in terms of being simple, but explicitly declaring or even adding comments describing some of the things I pointed out above can save people a lot of time. Even comments with links to the relevant portions of the docs would be super useful.

(as I wrote in my other comment, the docs for this are on https://hub.docker.com/_/caddy)

> The desire for wildcard certificates is to keep things from being discoverable via CTLogs.

It's really trivial for someone to scan until they hit subdomains that return a successful response, if they really cared. This doesn't really protect from anything. Using wildcards for that is a bit of an antipattern.

For more, see: https://github.com/caddy-dns/cloudflare

As default it does need port 80 open to renew certificates, but you can use DNS challenge instead. https://github.com/caddy-dns/cloudflare

apparently "traffic" https://github.com/traefik/traefik/issues/795

Pronounced "traffic", Traefik is a modern HTTP reverse proxy and load balancer aimed at making deploying microservices easier. It integrates with your existing infrastructure components such as Docker, Kubernetes, and others, and configures itself automatically and dynamically. The latest version adds lots of new options and enhancements such as adding healthcheck options, support for custom headers, and more. Read the migration guide on how to update to the latest version which is now required due to breaking changes.

> I think etcd is basically a k8s only project now

I hate etcd with the best of them, but etcd is used in a lot more places than just kubernetes:

https://github.com/apache/apisix/blob/master/docs/en/latest/...

https://github.com/traefik/traefik#:~:text=Etcd,

https://github.com/zalando/patroni#patroni-a-template-for-po...

https://github.com/purpleidea/mgmt/tree/0.0.26/etcd (this one shows up on HN quite a bit)

https://github.com/sorintlab/stolon#features

It's actually one of the major reasons I wouldn't touch those projects

However, it's very unlikely that .NET developers will directly expose their Kestrel-based web apps to the internet. Typically, we use other popular web servers like Nginx, Traefik, and Caddy to act as a reverse-proxy in front of Kestrel for various reasons:

Not as good though. Case in point: https://github.com/traefik/traefik/issues/5472#issuecomment-... (that's just from this morning)

I'm speak objectively here. Of course, any built-in auto HTTPS that works (more or less) is better than none. Traefik uses an ACME library that was originally written for Caddy. After the original author left that project, Traefik team started maintaining it. Caddy's users' requirements exceeded what the library was capable of, but unfortunately there was friction in getting it to achieve our requirements. So I ended up writing a new ACME client library in Go and, together with upgrades in CertMagic (Caddy's auto-TLS lib), Caddy has the more flexible, robust, and capable auto-HTTPS functionality.

That is to say, not all auto-HTTPS functionalities are the same.

We'll use Traefik, an open source cloud native gateway that can plug into a Kubernetes cluster. It has the concept of "middleware" that can process API requests before passing them through to a backend. We can configuring a rate limit for all of our API endpoints by matching on the request path:

I did the same question here and here

Sadly there is currently no way of doing so. https://github.com/traefik/traefik/issues/6999