安装
适用于 Debian、Ubuntu、Raspbian:直接复制全部命令到终端执行即可
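# Install Caddy from the Cloudsmith apt repository (Debian/Ubuntu/Raspbian).
#
# Runs inside a subshell so that `set -o pipefail` does not leak into the
# interactive shell it is pasted into. Without pipefail the two pipelines
# below hide a failed download: gpg/tee succeed on empty input, an empty
# keyring / sources file is written, and the failure only surfaces later
# as a confusing `apt update` error.
#
# --proto/--proto-redir pin both the initial request and any redirect that
# -L follows to HTTPS, so the signing key is never fetched over plaintext.
# --yes lets gpg overwrite an existing keyring, so re-running the snippet
# is idempotent instead of stopping at an "overwrite?" prompt.
( set -o pipefail && \
  sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https && \
  curl -1sLf --proto '=https' --proto-redir '=https' \
    'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
    | sudo gpg --yes --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg && \
  curl -1sLf --proto '=https' --proto-redir '=https' \
    'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
    | sudo tee /etc/apt/sources.list.d/caddy-stable.list > /dev/null && \
  sudo apt update && \
  sudo apt install -y caddy && \
  caddy version )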
反代示例
配置文件在 /etc/caddy/Caddyfile,更改完配置后执行 systemctl start caddy 即可。
反向代理本地ipv4
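# Reverse proxy to a local IPv4 backend (127.0.0.1:80).
#
# This example assumes the origin is reachable ONLY through Cloudflare: the
# header_up lines below copy the CF-Connecting-IP request header to the
# backend. If clients can connect to this host directly, that header is
# attacker-controlled and the backend will see a spoofed client IP.
domain.com {
	encode {
		zstd
		gzip 3
		minimum_length 1000 # do not compress responses smaller than this (bytes)
	}

	reverse_proxy 127.0.0.1:80 {
		transport http {
			dial_timeout 2s
			keepalive 30s
			keepalive_idle_conns 100
			max_conns_per_host 200
		}
		# Directly exposed (no CDN in front): forward the TCP peer address.
		# header_up X-Real-IP {remote_host}
		# header_up X-Forwarded-For {remote_host}
		# header_up X-Forwarded-Proto {http.request.scheme}
		# Behind Cloudflare: forward the edge-supplied client IP (see the note
		# at the top of this block about when this header can be trusted).
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-Proto {scheme}
	}

	header {
		# HSTS. "preload" opts this domain AND all subdomains into browser
		# preload lists and is hard to undo, so only keep it once every
		# subdomain serves HTTPS.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "0" # disable the legacy browser XSS filter
		X-Frame-Options "DENY" # forbid framing (clickjacking)
		X-Content-Type-Options "nosniff" # forbid MIME-type sniffing
		Referrer-Policy "strict-origin-when-cross-origin" # limit Referer leakage
		Permissions-Policy "geolocation=(), microphone=(), camera=()" # deny sensitive browser features
		# X-Robots-Tag "noindex, nofollow" # keep search engines out (optional)
		-Server # strip the Server header
		-X-Powered-By # strip X-Powered-By
		-Last-Modified # strip Last-Modified
		-Via # strip Via
		defer # apply these operations to the final response, i.e. after the upstream has answered
	}

	# Block scanner IP ranges.
	# remote_ip matches the TCP peer address. Behind Cloudflare the peer is a
	# Cloudflare edge, so this list only takes effect for direct connections.
	@blockedips remote_ip \
		66.132.159.0/24 \
		162.142.125.0/24 \
		167.94.138.0/24 \
		167.94.145.0/24 \
		167.94.146.0/24 \
		167.248.133.0/24 \
		199.45.154.0/24 \
		199.45.155.0/24 \
		206.168.34.0/24 \
		206.168.35.0/24 \
		2602:80d:1000:b0cc:e::/80 \
		2620:96:e000:b0cc:e::/80 \
		2602:80d:1003::/112 \
		2602:80d:1004::/112
	handle @blockedips {
		respond "Your IP has been blocked." 403 {
			close
		}
	}

	# Block scanner / crawler User-Agents. handle blocks are evaluated in
	# order of appearance; the first match wins.
	@badbots {
		header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
	}
	handle @badbots {
		respond "Access for bad crawlers denied" 403 {
			close
		}
	}

	# Static asset caching: max-age=2592000 s = 30 days.
	@images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico|bmp|avif|icon)$
	header @images {
		Cache-Control "public, max-age=2592000, immutable"
	}
	@static path_regexp \.(css|js|mjs|map|woff2?|ttf|otf|eot|wasm)$
	header @static {
		Cache-Control "public, max-age=2592000, immutable"
	}

	# Access log, rotated at 10 MB, keeping 10 files.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}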
反向代理本地ipv6
# Reverse proxy to a local IPv6 backend ([::1]:80).
domain.com {
	encode gzip

	reverse_proxy [::1]:80 {
		# Directly exposed (no CDN in front): forward the TCP peer address.
		# header_up X-Real-IP {remote_host}
		# header_up X-Forwarded-For {remote_host}
		# header_up X-Forwarded-Proto {http.request.scheme}
		# Behind Cloudflare: forward the edge-supplied client IP. This copies
		# a request header, so it is only trustworthy when nothing but
		# Cloudflare can reach this origin.
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-Proto {scheme}
	}

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # HSTS; "preload" is hard to undo, covers all subdomains
		X-XSS-Protection "0" # disable the legacy browser XSS filter
		X-Frame-Options "DENY" # forbid framing (clickjacking)
		# X-Robots-Tag "noindex, nofollow" # keep search engines out (optional)
		X-Content-Type-Options "nosniff" # forbid MIME-type sniffing
		Referrer-Policy "strict-origin-when-cross-origin" # limit Referer leakage
		Permissions-Policy "geolocation=(), microphone=(), camera=()" # deny sensitive browser features
		-Server # strip the Server header
		-X-Powered-By # strip X-Powered-By (harmless, but no reason to advertise it)
		-Last-Modified # strip Last-Modified; ETag still serves conditional requests
		-Via # strip Via
		defer # apply after the upstream response so its headers are covered too
	}

	# Scanner IP ranges. remote_ip matches the TCP peer, so behind
	# Cloudflare this only affects direct connections.
	@blockedips remote_ip \
		66.132.159.0/24 \
		162.142.125.0/24 \
		167.94.138.0/24 \
		167.94.145.0/24 \
		167.94.146.0/24 \
		167.248.133.0/24 \
		199.45.154.0/24 \
		199.45.155.0/24 \
		206.168.34.0/24 \
		206.168.35.0/24 \
		2602:80d:1000:b0cc:e::/80 \
		2620:96:e000:b0cc:e::/80 \
		2602:80d:1003::/112 \
		2602:80d:1004::/112
	handle @blockedips {
		respond "Your IP has been blocked." 403 {
			close
		}
	}

	# Scanner / crawler User-Agents.
	@badbots {
		header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
	}
	handle @badbots {
		respond "Access for bad crawlers denied" 403 {
			close
		}
	}

	# Static asset caching: max-age=86400 s = 1 day.
	@images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
	header @images {
		Cache-Control "public, max-age=86400"
	}
	@static path_regexp \.(css|js|woff2|woff|ttf)$
	header @static {
		Cache-Control "public, max-age=86400"
	}

	# Access log, rotated at 10 MB, keeping 10 files.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}
代理PHP
# Serve PHP from /var/www/web through PHP-FPM over a unix socket.
domain.com {
	encode zstd gzip
	root * /var/www/web
	header {
		# HSTS. "preload" opts this domain and all subdomains into browser
		# preload lists and is hard to undo.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Disable the legacy browser XSS filter.
		X-XSS-Protection "0"
		# Forbid rendering in frames (clickjacking protection).
		X-Frame-Options "DENY"
		# Keep search engines out (optional).
		# X-Robots-Tag "noindex, nofollow"
		# Forbid MIME-type sniffing.
		X-Content-Type-Options "nosniff"
		# Limit what the Referer header leaks.
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "geolocation=(), microphone=(), camera=()"
		# Strip the Server header.
		-Server
		# Strip X-Powered-By; harmless, but there is no reason to advertise it.
		-X-Powered-By
		# Strip Last-Modified; the ETag still serves conditional requests.
		-Last-Modified
		-Via
		defer
	}
	# Static files
	file_server
	# PHP FastCGI backend.
	# NOTE(review): the socket path names PHP 7.4, which is past upstream
	# end-of-life; point this at the socket of the PHP-FPM version that is
	# actually installed and still receives security fixes.
	php_fastcgi unix//run/php/php7.4-fpm.sock {
		# Directly exposed (no CDN in front): forward the TCP peer address.
		# header_up X-Real-IP {remote_host}
		# header_up X-Forwarded-For {remote_host}
		# header_up X-Forwarded-Proto {http.request.scheme}
		# Behind Cloudflare: forward the edge-supplied client IP. This copies
		# a request header, so it is only trustworthy when nothing but
		# Cloudflare can reach this origin.
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-Proto {scheme}
	}
	# Scanner IP ranges. remote_ip matches the TCP peer, so behind
	# Cloudflare this only affects direct connections.
	@blockedips remote_ip \
		66.132.159.0/24 \
		162.142.125.0/24 \
		167.94.138.0/24 \
		167.94.145.0/24 \
		167.94.146.0/24 \
		167.248.133.0/24 \
		199.45.154.0/24 \
		199.45.155.0/24 \
		206.168.34.0/24 \
		206.168.35.0/24 \
		2602:80d:1000:b0cc:e::/80 \
		2620:96:e000:b0cc:e::/80 \
		2602:80d:1003::/112 \
		2602:80d:1004::/112
	handle @blockedips {
		respond "Your IP has been blocked." 403 {
			close
		}
	}
	# Scanner / crawler User-Agents.
	@badbots {
		header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
	}
	handle @badbots {
		respond "Access for bad crawlers denied" 403 {
			close
		}
	}
	# Static asset caching: max-age=86400 s = 1 day.
	@images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
	header @images {
		Cache-Control "public, max-age=86400"
	}
	@static path_regexp \.(css|js|woff2|woff|ttf)$
	header @static {
		Cache-Control "public, max-age=86400"
	}
	# Access log, rotated at 10 MB, keeping 10 files.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}
代理静态文件
# Static site served from /var/www/web.
domain.com {
	encode gzip
	root * /var/www/web

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # HSTS; "preload" is hard to undo, covers all subdomains
		X-XSS-Protection "0" # disable the legacy browser XSS filter
		X-Frame-Options "DENY" # forbid framing (clickjacking)
		# X-Robots-Tag "noindex, nofollow" # keep search engines out (optional)
		X-Content-Type-Options "nosniff" # forbid MIME-type sniffing
		Referrer-Policy "strict-origin-when-cross-origin" # limit Referer leakage
		Permissions-Policy "geolocation=(), microphone=(), camera=()" # deny sensitive browser features
		-Server # strip the Server header
		-X-Powered-By # strip X-Powered-By
		-Last-Modified # strip Last-Modified; ETag still serves conditional requests
		-Via # strip Via
		defer # apply to the final response
	}

	# Scanner IP ranges. remote_ip matches the TCP peer, so behind a CDN
	# this only affects direct connections.
	@blockedips remote_ip \
		66.132.159.0/24 \
		162.142.125.0/24 \
		167.94.138.0/24 \
		167.94.145.0/24 \
		167.94.146.0/24 \
		167.248.133.0/24 \
		199.45.154.0/24 \
		199.45.155.0/24 \
		206.168.34.0/24 \
		206.168.35.0/24 \
		2602:80d:1000:b0cc:e::/80 \
		2620:96:e000:b0cc:e::/80 \
		2602:80d:1003::/112 \
		2602:80d:1004::/112
	handle @blockedips {
		respond "Your IP has been blocked." 403 {
			close
		}
	}

	# Scanner / crawler User-Agents.
	@badbots {
		header_regexp User-Agent "(?i)censys|shodan|zoomeye|ahrefs|mj12|semrush|dotbot|libwww-perl|nmap|masscan|dirbuster|sqlmap|nikto|wpscan|whatweb|wget|fetch|httpclient|crawler|scrapy|httpx|netcraft|zgrab|nessus|openvas"
	}
	handle @badbots {
		respond "Access for bad crawlers denied" 403 {
			close
		}
	}

	# Static asset caching: max-age=86400 s = 1 day.
	@images path_regexp \.(jpg|jpeg|png|gif|webp|svg|ico)$
	header @images {
		Cache-Control "public, max-age=86400"
	}
	@static path_regexp \.(css|js|woff2|woff|ttf)$
	header @static {
		Cache-Control "public, max-age=86400"
	}

	# Serve the files under root. Directive placement is not significant;
	# Caddy orders file_server after header/handle.
	file_server

	# Access log, rotated at 10 MB, keeping 10 files.
	log {
		level INFO
		output file /var/log/caddy/caddy-web.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}