安装

Debian、Ubuntu、Raspbian,直接复制全部命令到终端执行

# Install Caddy from the official Cloudsmith apt repository (Debian / Ubuntu / Raspbian).
# Every step is chained with && so the sequence stops at the first failure. The signing
# key and the .list entry are both fetched over HTTPS from the vendor repository; the
# resulting /etc/apt/sources.list.d/caddy-stable.list can be inspected before `apt update`.
sudo apt install --yes debian-keyring debian-archive-keyring apt-transport-https && \
curl --tlsv1 --silent --location --fail 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor --output /usr/share/keyrings/caddy-stable-archive-keyring.gpg && \
curl --tlsv1 --silent --location --fail 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list >/dev/null && \
sudo apt update && \
sudo apt install --yes caddy && \
caddy version

反代示例

配置文件在 /etc/caddy/Caddyfile,更改完配置后执行 systemctl start caddy 即可。

反向代理本地 IPv4

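# Global options block (must be the first block in the Caddyfile; Caddy 2.7+).
# `trusted_proxies` lists the peers allowed to assert the real client address and
# `client_ip_headers` names the header that carries it. Only for requests arriving
# from one of these ranges do {client_ip} and the `client_ip` matcher read the header;
# from anyone else the TCP peer address is used, so a direct client cannot forge it.
{
    servers {
        # PLACEHOLDER (documentation prefixes): replace with the Cloudflare edge ranges
        # that Cloudflare publishes, and keep the origin firewalled to those ranges.
        trusted_proxies static 203.0.113.0/24 2001:db8::/32
        client_ip_headers CF-Connecting-IP X-Forwarded-For
    }
}

domain.com {
    encode {
        zstd
        gzip 3
        minimum_length 1000  # responses smaller than 1000 bytes are sent uncompressed
    }

    reverse_proxy 127.0.0.1:80 {
        transport http {
            dial_timeout 2s
            keepalive 30s
            keepalive_idle_conns 100
            max_conns_per_host 200
        }

        # Pass the real client IP upstream. {client_ip} is resolved through the global
        # trusted_proxies / client_ip_headers settings, so it equals CF-Connecting-IP only
        # for requests that genuinely came through Cloudflare and falls back to the peer
        # address otherwise. Forwarding the raw CF-Connecting-IP request header
        # unconditionally would let any client that reaches the origin directly choose
        # the address the backend logs and rate-limits on.
        header_up X-Real-IP {client_ip}
        header_up X-Forwarded-For {client_ip}
        header_up X-Forwarded-Proto {scheme}
    }

    header {
        # HSTS. `preload` commits the domain and every subdomain to HTTPS in browser
        # preload lists and is slow to undo; drop it unless the site is submitted there.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-XSS-Protection "0"                            # legacy filter can itself be abused; disable
        X-Frame-Options "DENY"                          # never allow framing (clickjacking)
        X-Content-Type-Options "nosniff"                # no MIME sniffing
        Referrer-Policy "strict-origin-when-cross-origin"  # limit Referer leakage
        Permissions-Policy "geolocation=(), microphone=(), camera=()"  # deny sensitive browser APIs
        # X-Robots-Tag "noindex, nofollow"               # keep search engines away (optional)
        -Server                                          # strip Server
        -X-Powered-By                                    # strip X-Powered-By
        -Last-Modified                                   # strip Last-Modified
        -Via                                             # strip Via
        defer                                            # apply when the response is written, so deletions also hit proxied headers
    }

    # Blocked IP ranges. `client_ip` (not `remote_ip`) is matched so that behind
    # Cloudflare the list applies to the real client rather than the edge node that
    # opened the connection; without trusted proxies it is simply the peer address.
    # The last prefix was written as /12, which would have matched all of 2600::/12
    # (most North-American IPv6 space); it is /112 here like the sibling examples.
    @blockedips client_ip \
        66.132.159.0/24 \
        162.142.125.0/24 \
        167.94.138.0/24 \
        167.94.145.0/24 \
        167.94.146.0/24 \
        167.248.133.0/24 \
        199.45.154.0/24 \
        199.45.155.0/24 \
        206.168.34.0/24 \
        206.168.35.0/24 \
        2602:80d:1000:b0cc:e::/80 \
        2620:96:e000:b0cc:e::/80 \
        2602:80d:1003::/112 \
        2602:80d:1004::/112

    handle @blockedips {
        respond "Your IP has been blocked." 403 {
            close
        }
    }

    # Scanner / crawler User-Agent deny-list. Hygiene only: the User-Agent is chosen by
    # the client and trivially changed, so this must not be treated as access control.
    # `crawler`, `wget`, `fetch` and `httpclient` are broad substrings and will also
    # catch legitimate tooling.
    @badbots {
        header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
    }

    handle @badbots {
        respond "Access for bad crawlers denied" 403 {
            close
        }
    }

    # Static asset caching: max-age=2592000 is 30 days (the original note said 7 days).
    # `immutable` tells browsers never to revalidate within that window, so it is only
    # safe for assets whose file names change with their content (hashed builds).
    @images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico|bmp|avif|icon)$
    header @images {
        Cache-Control "public, max-age=2592000, immutable"
    }

    @static path_regexp \.(css|js|mjs|map|woff2?|ttf|otf|eot|wasm)$
    header @static {
        Cache-Control "public, max-age=2592000, immutable"
    }

    # Access log, rotated at 10MB with the last 10 files kept.
    log {
        level INFO
        output file /var/log/caddy/caddy-web.log {
            roll_size 10MB
            roll_keep 10
        }
    }
}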

反向代理本地 IPv6

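# Global options block (must be the first block in the Caddyfile; Caddy 2.7+).
# `trusted_proxies` lists the peers allowed to assert the real client address and
# `client_ip_headers` names the header that carries it. Only for requests arriving
# from one of these ranges do {client_ip} and the `client_ip` matcher read the header;
# from anyone else the TCP peer address is used, so a direct client cannot forge it.
{
    servers {
        # PLACEHOLDER (documentation prefixes): replace with the Cloudflare edge ranges
        # that Cloudflare publishes, and keep the origin firewalled to those ranges.
        trusted_proxies static 203.0.113.0/24 2001:db8::/32
        client_ip_headers CF-Connecting-IP X-Forwarded-For
    }
}

domain.com {
    encode gzip
    reverse_proxy {
        to [::1]:80

        # Pass the real client IP upstream. {client_ip} is resolved through the global
        # trusted_proxies / client_ip_headers settings, so it equals CF-Connecting-IP only
        # for requests that genuinely came through Cloudflare and falls back to the peer
        # address otherwise. Forwarding the raw CF-Connecting-IP request header
        # unconditionally would let any client that reaches the origin directly choose
        # the address the backend logs and rate-limits on.
        header_up X-Real-IP {client_ip}
        header_up X-Forwarded-For {client_ip}
        header_up X-Forwarded-Proto {scheme}
    }
    header {
        # HSTS. `preload` commits the domain and every subdomain to HTTPS in browser
        # preload lists and is slow to undo; drop it unless the site is submitted there.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Disable the legacy browser XSS filter (it can itself be abused)
        X-XSS-Protection "0"
        # Never allow the site to be framed (clickjacking protection)
        X-Frame-Options "DENY"
        # Keep search engines away (optional)
        # X-Robots-Tag "noindex, nofollow"
        # Forbid MIME sniffing
        X-Content-Type-Options "nosniff"
        # Limit what the Referer header leaks to other origins
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
        # Strip the server name
        -Server
        # Strip X-Powered-By; rarely a problem on its own, but it is free to remove
        -X-Powered-By
        # Strip Last-Modified; the ETag conveys the same validator
        -Last-Modified
        -Via
        # Apply when the response is written, so the deletions also hit proxied headers
        defer
    }

    # Blocked IP ranges. `client_ip` (not `remote_ip`) is matched so that behind
    # Cloudflare the list applies to the real client rather than the edge node that
    # opened the connection; without trusted proxies it is simply the peer address.
    @blockedips client_ip \
        66.132.159.0/24 \
        162.142.125.0/24 \
        167.94.138.0/24 \
        167.94.145.0/24 \
        167.94.146.0/24 \
        167.248.133.0/24 \
        199.45.154.0/24 \
        199.45.155.0/24 \
        206.168.34.0/24 \
        206.168.35.0/24 \
        2602:80d:1000:b0cc:e::/80 \
        2620:96:e000:b0cc:e::/80 \
        2602:80d:1003::/112 \
        2602:80d:1004::/112

    handle @blockedips {
        respond "Your IP has been blocked." 403 {
            close
        }
    }

    # Scanner / crawler User-Agent deny-list. Hygiene only: the User-Agent is chosen by
    # the client and trivially changed, so this must not be treated as access control.
    # `crawler`, `wget`, `fetch` and `httpclient` are broad substrings and will also
    # catch legitimate tooling.
    @badbots {
        header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
    }

    handle @badbots {
        respond "Access for bad crawlers denied" 403 {
            close
        }
    }

    # Static asset caching: max-age=86400 is one day.
    @images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
    header @images {
        Cache-Control "public, max-age=86400"
    }

    @static path_regexp \.(css|js|woff2|woff|ttf)$
    header @static {
        Cache-Control "public, max-age=86400"
    }

    # Access log, rotated at 10MB with the last 10 files kept.
    log {
        level INFO
        output file /var/log/caddy/caddy-web.log {
            roll_size 10MB
            roll_keep 10
        }
    }
}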

代理 PHP

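# Global options block (must be the first block in the Caddyfile; Caddy 2.7+).
# `trusted_proxies` lists the peers allowed to assert the real client address and
# `client_ip_headers` names the header that carries it. Only for requests arriving
# from one of these ranges do {client_ip} and the `client_ip` matcher read the header;
# from anyone else the TCP peer address is used, so a direct client cannot forge it.
{
    servers {
        # PLACEHOLDER (documentation prefixes): replace with the Cloudflare edge ranges
        # that Cloudflare publishes, and keep the origin firewalled to those ranges.
        trusted_proxies static 203.0.113.0/24 2001:db8::/32
        client_ip_headers CF-Connecting-IP X-Forwarded-For
    }
}

domain.com {
    encode zstd gzip
    root * /var/www/web
    header {
        # HSTS. `preload` commits the domain and every subdomain to HTTPS in browser
        # preload lists and is slow to undo; drop it unless the site is submitted there.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Disable the legacy browser XSS filter (it can itself be abused)
        X-XSS-Protection "0"
        # Never allow the site to be framed (clickjacking protection)
        X-Frame-Options "DENY"
        # Keep search engines away (optional)
        # X-Robots-Tag "noindex, nofollow"
        # Forbid MIME sniffing
        X-Content-Type-Options "nosniff"
        # Limit what the Referer header leaks to other origins
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
        # Strip the server name
        -Server
        # Strip X-Powered-By; rarely a problem on its own, but it is free to remove
        -X-Powered-By
        # Strip Last-Modified; the ETag conveys the same validator
        -Last-Modified
        -Via
        # Apply when the response is written, so the deletions also hit proxied headers
        defer
    }
    # Static file server. It serves every readable file below `root`, so keep
    # dotfiles, VCS metadata, .env files and dependency manifests out of the web root.
    file_server

    # PHP FastCGI. PHP 7.4 is end-of-life; point the socket at the php-fpm version
    # actually installed.
    php_fastcgi unix//run/php/php7.4-fpm.sock {
        # Pass the real client IP to PHP. {client_ip} is resolved through the global
        # trusted_proxies / client_ip_headers settings, so it equals CF-Connecting-IP only
        # for requests that genuinely came through Cloudflare and falls back to the peer
        # address otherwise. Forwarding the raw CF-Connecting-IP request header
        # unconditionally would let any client that reaches the origin directly choose
        # the address the application logs and rate-limits on.
        header_up X-Real-IP {client_ip}
        header_up X-Forwarded-For {client_ip}
        header_up X-Forwarded-Proto {scheme}
    }

    # Blocked IP ranges. `client_ip` (not `remote_ip`) is matched so that behind
    # Cloudflare the list applies to the real client rather than the edge node that
    # opened the connection; without trusted proxies it is simply the peer address.
    @blockedips client_ip \
        66.132.159.0/24 \
        162.142.125.0/24 \
        167.94.138.0/24 \
        167.94.145.0/24 \
        167.94.146.0/24 \
        167.248.133.0/24 \
        199.45.154.0/24 \
        199.45.155.0/24 \
        206.168.34.0/24 \
        206.168.35.0/24 \
        2602:80d:1000:b0cc:e::/80 \
        2620:96:e000:b0cc:e::/80 \
        2602:80d:1003::/112 \
        2602:80d:1004::/112

    handle @blockedips {
        respond "Your IP has been blocked." 403 {
            close
        }
    }

    # Scanner / crawler User-Agent deny-list. Hygiene only: the User-Agent is chosen by
    # the client and trivially changed, so this must not be treated as access control.
    # `crawler`, `wget`, `fetch` and `httpclient` are broad substrings and will also
    # catch legitimate tooling.
    @badbots {
        header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
    }

    handle @badbots {
        respond "Access for bad crawlers denied" 403 {
            close
        }
    }

    # Static asset caching: max-age=86400 is one day.
    @images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
    header @images {
        Cache-Control "public, max-age=86400"
    }

    @static path_regexp \.(css|js|woff2|woff|ttf)$
    header @static {
        Cache-Control "public, max-age=86400"
    }

    # Access log, rotated at 10MB with the last 10 files kept.
    log {
        level INFO
        output file /var/log/caddy/caddy-web.log {
            roll_size 10MB
            roll_keep 10
        }
    }
}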

代理静态文件

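# Global options block (must be the first block in the Caddyfile; Caddy 2.7+).
# `trusted_proxies` lists the peers allowed to assert the real client address and
# `client_ip_headers` names the header that carries it. Only for requests arriving
# from one of these ranges does the `client_ip` matcher read the header; from anyone
# else the TCP peer address is used, so a direct client cannot forge it.
{
    servers {
        # PLACEHOLDER (documentation prefixes): replace with the Cloudflare edge ranges
        # that Cloudflare publishes, and keep the origin firewalled to those ranges.
        trusted_proxies static 203.0.113.0/24 2001:db8::/32
        client_ip_headers CF-Connecting-IP X-Forwarded-For
    }
}

domain.com {
    root * /var/www/web
    # Static file server. It serves every readable file below `root`, so keep
    # dotfiles, VCS metadata, .env files and dependency manifests out of the web root.
    file_server
    encode gzip
    header {
        # HSTS. `preload` commits the domain and every subdomain to HTTPS in browser
        # preload lists and is slow to undo; drop it unless the site is submitted there.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Disable the legacy browser XSS filter (it can itself be abused)
        X-XSS-Protection "0"
        # Never allow the site to be framed (clickjacking protection)
        X-Frame-Options "DENY"
        # Keep search engines away (optional)
        # X-Robots-Tag "noindex, nofollow"
        # Forbid MIME sniffing
        X-Content-Type-Options "nosniff"
        # Limit what the Referer header leaks to other origins
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
        # Strip the server name
        -Server
        # Strip X-Powered-By; rarely a problem on its own, but it is free to remove
        -X-Powered-By
        # Strip Last-Modified; the ETag conveys the same validator
        -Last-Modified
        -Via
        # Apply when the response is written, so the deletions take effect on the final headers
        defer
    }

    # Blocked IP ranges. `client_ip` (not `remote_ip`) is matched so that behind
    # Cloudflare the list applies to the real client rather than the edge node that
    # opened the connection; without trusted proxies it is simply the peer address.
    @blockedips client_ip \
        66.132.159.0/24 \
        162.142.125.0/24 \
        167.94.138.0/24 \
        167.94.145.0/24 \
        167.94.146.0/24 \
        167.248.133.0/24 \
        199.45.154.0/24 \
        199.45.155.0/24 \
        206.168.34.0/24 \
        206.168.35.0/24 \
        2602:80d:1000:b0cc:e::/80 \
        2620:96:e000:b0cc:e::/80 \
        2602:80d:1003::/112 \
        2602:80d:1004::/112

    handle @blockedips {
        respond "Your IP has been blocked." 403 {
            close
        }
    }

    # Scanner / crawler User-Agent deny-list. Hygiene only: the User-Agent is chosen by
    # the client and trivially changed, so this must not be treated as access control.
    # `crawler`, `wget`, `fetch` and `httpclient` are broad substrings and will also
    # catch legitimate tooling.
    @badbots {
        header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
    }

    handle @badbots {
        respond "Access for bad crawlers denied" 403 {
            close
        }
    }

    # Static asset caching: max-age=86400 is one day.
    @images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
    header @images {
        Cache-Control "public, max-age=86400"
    }

    @static path_regexp \.(css|js|woff2|woff|ttf)$
    header @static {
        Cache-Control "public, max-age=86400"
    }

    # Access log, rotated at 10MB with the last 10 files kept.
    log {
        level INFO
        output file /var/log/caddy/caddy-web.log {
            roll_size 10MB
            roll_keep 10
        }
    }
}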