
Caddy Reverse-proxy for Aleph-VM

A reverse-proxy is required for production use. It allows:

  • A different domain name for each VM function
  • Secure connections using HTTPS
  • Load balancing between multiple servers

Using a different domain name for each VM function is important when running web applications, both for security and usability purposes.

The VM Supervisor supports using domains in the form https://identifier.vm.yourdomain.org, where identifier is the identifier/hash of the message describing the VM function and yourdomain.org represents your domain name.

1. Wildcard certificates

A wildcard certificate is recommended to allow any subdomain of your domain to work.

You can create one using Let's Encrypt and Certbot with the following instructions.

sudo apt install -y certbot

certbot certonly --manual --email email@yourdomain.org --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
  -d 'vm.yourdomain.org,*.vm.yourdomain.org'

2. Caddy Server

In this documentation, we will install the modern Caddy reverse-proxy.

Replace vm.yourdomain.org with your domain of choice.

To install on Debian/Ubuntu, according to the official instructions:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Then give Caddy access to the certificates generated by Certbot:

chmod 750 /etc/letsencrypt/live/
chmod 750 /etc/letsencrypt/archive/
chmod 640 /etc/letsencrypt/archive/vm.yourdomain.org/privkey1.pem
chgrp -R caddy /etc/letsencrypt/archive/
chgrp -R caddy /etc/letsencrypt/live/

Configure Caddy:

cat >/etc/caddy/Caddyfile <<EOL

vm.yourdomain.org:443 {
    tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
    reverse_proxy http://127.0.0.1:4020 {
        # Forward Host header to the backend
        header_up Host {host}
    }
}

*.vm.yourdomain.org:443 {
    tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
    reverse_proxy http://127.0.0.1:4020 {
        # Forward Host header to the backend
        header_up Host {host}
    }
}
EOL

Optionally, you can let users host their website on their own domains with the following configuration. Be careful about rate limits if you enable on_demand TLS: without a check on which hostnames may trigger issuance, any name whose DNS points at your server can cause a certificate request; see the Caddy documentation on On-Demand TLS.

cat >/etc/caddy/Caddyfile <<EOL
{
    on_demand_tls {
        interval 60s
        burst    5
    }
}


vm.yourdomain.org:443 {
    tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
    reverse_proxy http://127.0.0.1:4020 {
        header_up Host {host}
    }
}

*.vm.yourdomain.org:443 {
    tls /etc/letsencrypt/live/vm.yourdomain.org/fullchain.pem /etc/letsencrypt/live/vm.yourdomain.org/privkey.pem
    reverse_proxy http://127.0.0.1:4020 {
        # Forward Host header to the backend
        header_up Host {host}
    }
}

*:443 {
    tls {
        on_demand
    }
    reverse_proxy http://127.0.0.1:4020 {
        # Forward Host header to the backend
        header_up Host {host}
    }
}
EOL
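Caddy's On-Demand TLS can consult an `ask` endpoint before issuing a certificate: it sends GET /ask?domain=hostname and only proceeds on a 200 response. The allowlist service below is an added example, not part of aleph-vm or Caddy; it assumes the global option `on_demand_tls { ask http://127.0.0.1:9000/ask }` in the Caddyfile, and the domains in ALLOWED_DOMAINS are constructed sample values.

```python
"""Minimal `ask` endpoint for Caddy on_demand_tls (added example, not aleph-vm code).

Assumed Caddyfile global option:
    on_demand_tls { ask http://127.0.0.1:9000/ask }
Caddy issues a certificate for a hostname only if this endpoint answers 200.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: customer domains registered to be served by the node.
# Names under *.vm.yourdomain.org are already covered by the wildcard certificate
# in the named Caddyfile blocks and never reach on-demand issuance.
ALLOWED_DOMAINS = {"example.com", "www.example.com"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(host: str) -> Optional[str]:
    """Lowercase, strip a trailing dot, and reject anything that is not a hostname."""
    host = host.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    if not all(LABEL_RE.match(label) for label in host.split(".")):
        return None
    return host


def is_allowed(domain: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for an exact, well-formed match in the allowlist."""
    host = normalize(domain)
    return host is not None and host in allowed


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        # Any non-200 status makes Caddy refuse to obtain a certificate.
        status = 200 if url.path == "/ask" and is_allowed(domain) else 403
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only: Caddy runs on the same host and nothing else needs it.
    HTTPServer(("127.0.0.1", 9000), AskHandler).serve_forever()
```

Populate ALLOWED_DOMAINS from wherever the node records which customer domains were registered; the endpoint then bounds certificate issuance to those names instead of any hostname pointed at the server.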

Finally, restart Caddy:

sudo systemctl restart caddy