acme.sh + Caddy 完全指南 🚀

🌐 现代化的 Web 服务器与自动化 SSL 证书管理


📋 目录导航


🎯 快速开始

🌟 一站式安装脚本

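#!/bin/bash
# 🚀 Caddy + acme.sh quick deployment script
#
# Usage: ./install.sh [email]
#   email - contact address registered with the ACME CA (defaults to the
#           address used throughout this guide).
#
# Stop at the first failed step instead of continuing with a half-done
# install (e.g. a failed download followed by chmod on an empty file).
set -euo pipefail

CADDY_DIR="/usr/local/caddy"
WEB_ROOT="/var/www/html"
# Module list baked into the download; keep it in sync with the update
# commands later in the guide so features do not silently disappear.
CADDY_URL="https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2"
ACME_EMAIL="${1:-meimolihan@live.com}"

echo "开始安装 Caddy 和 acme.sh..."

# Create directories
sudo mkdir -p "$CADDY_DIR"/{ssl,conf.d} "$WEB_ROOT"
sudo chmod 755 "$CADDY_DIR" "$WEB_ROOT"
# ssl/ will hold the private key later on; keep the directory root-only.
sudo chmod 700 "$CADDY_DIR/ssl"

# Download Caddy
# The target directory is root-owned, so the original unprivileged
# `wget -O caddy` would fail there. Download to a temp file, then install
# it with the final mode in one step and check that it runs.
tmp_bin="$(mktemp)"
trap 'rm -f -- "$tmp_bin"' EXIT
wget -O "$tmp_bin" "$CADDY_URL"
sudo install -m 0755 "$tmp_bin" "$CADDY_DIR/caddy"
"$CADDY_DIR/caddy" version

# Install acme.sh
# The installer is piped straight into sh and runs with this user's full
# rights: -f makes curl fail on an HTTP error instead of feeding an error
# page to sh, -sSL stays quiet, shows errors and follows redirects.
curl -fsSL https://get.acme.sh | sh -s "email=$ACME_EMAIL"

# The installer registers an `acme.sh` alias in ~/.bashrc. Aliases are not
# available in non-interactive scripts, so call the program by its path
# instead of sourcing ~/.bashrc (which usually returns early when
# non-interactive and would leave the alias undefined anyway).
"$HOME/.acme.sh/acme.sh" --version

echo "安装完成!"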

📦 Caddy 安装配置

🐧 安装 Caddy

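# Create the install directory
sudo mkdir -p /usr/local/caddy
cd /usr/local/caddy || exit 1

# Download Caddy (with commonly used modules)
# /usr/local/caddy is root-owned, so the download itself must run through
# sudo as well — otherwise wget cannot create the file and the chmod below
# operates on nothing. Each -p adds a module to the build; the webdav module
# is required by conf.d/proxy.conf later in this guide.
sudo wget -O caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav"

# Make it executable (root-owned, world-executable, not world-writable)
sudo chmod 755 caddy

# Verify the binary runs
./caddy version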

🔧 基本管理命令

# Show version
./caddy version

# List compiled-in modules (check that webdav is present when conf.d uses it)
./caddy list-modules

# Validate the config file
# (with no --config, a Caddyfile in the current directory is used)
./caddy validate

# Format the config file in place
./caddy fmt --overwrite

# Reload the config of the already-running instance
./caddy reload

# Start Caddy in the background
# NOTE: once Caddy is managed by the systemd unit below, use
# `systemctl start/stop caddy` instead — a second instance started here
# would compete for the same ports.
./caddy start

# Stop the background instance
./caddy stop

# Run Caddy in the foreground (Ctrl-C stops it)
./caddy run

📁 目录结构

/usr/local/caddy/
├── caddy # Caddy 二进制文件
├── Caddyfile # 主配置文件
├── ssl/ # SSL 证书目录
│ ├── full_chain.pem
│ └── private.key
└── conf.d/ # 子配置文件目录
└── *.conf # 各个服务的配置文件

🚀 开机自启动

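# Create the systemd unit
# User=root is kept because ssl/private.key is root-only (chmod 600 later in
# the guide) and the acme.sh reload hook runs from root's crontab; moving to
# a dedicated user also means re-owning /usr/local/caddy — TODO consider.
# ExecReload lets `systemctl reload caddy` re-read the Caddyfile without
# dropping connections, matching what `caddy reload` does by hand.
sudo tee /etc/systemd/system/caddy.service > /dev/null <<'EOF'
[Unit]
Description=Caddy Web Server
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/caddy
ExecStart=/usr/local/caddy/caddy run --config /usr/local/caddy/Caddyfile
ExecReload=/usr/local/caddy/caddy reload --config /usr/local/caddy/Caddyfile
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

# Register, enable at boot and start now
sudo systemctl daemon-reload
sudo systemctl enable --now caddy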

🔐 SSL 证书管理

📦 安装 acme.sh

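# Install acme.sh
# -f makes curl fail on an HTTP error instead of piping an error page into
# sh; -sSL: quiet, show errors, follow redirects. The script still runs with
# the caller's full privileges — review it first if that matters to you.
curl -fsSL https://get.acme.sh | sh -s email=meimolihan@live.com

# Or use the China mirror
# (third-party host; the mirror's copy is not checked against upstream, so
# the same trust caveat applies — quoted because `?` is a shell glob char)
curl -fsSL 'https://gitcode.net/cert/cn-acme.sh/-/raw/master/install.sh?inline=false' | sh -s email=meimolihan@live.com

# Reload the shell config (the installer added an `acme.sh` alias to ~/.bashrc)
source ~/.bashrc

# Verify the install
acme.sh --version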

🌐 Cloudflare DNS 验证

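# Cloudflare API token
# Create it with only the Zone > DNS > Edit permission, scoped to this zone.
# The literal token that stood here on the original page was published in
# clear text; a token that has been exposed like that should be treated as
# compromised and rotated in the Cloudflare dashboard.
# acme.sh saves these variables in ~/.acme.sh/account.conf for later
# renewals — keep that file readable by root only.
export CF_Token="<CF_API_TOKEN>"   # placeholder: paste your own token here
export CF_Zone_ID="382fc112abf99c7994ceaedd4844a243"

# Default CA
acme.sh --set-default-ca --server letsencrypt

# Issue a wildcard certificate (wildcards require the DNS-01 challenge,
# hence --dns; the token above is used to create the TXT records)
acme.sh --issue --dns dns_cf \
  -d "meimolihan.eu.org" \
  -d "*.meimolihan.eu.org" \
  --keylength ec-256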

📁 证书安装

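# Install the certificate into Caddy's ssl/ directory
# --ecc selects the ECC certificate produced by `--keylength ec-256` above;
# acme.sh keeps ECC certs in a separate <domain>_ecc directory, and without
# the flag it looks for an RSA cert that was never issued.
# --reloadcmd runs after every successful renewal so Caddy picks up the new
# key pair; `caddy reload` needs the Caddy instance to be running.
acme.sh --install-cert -d meimolihan.eu.org --ecc \
  --key-file /usr/local/caddy/ssl/private.key \
  --fullchain-file /usr/local/caddy/ssl/full_chain.pem \
  --reloadcmd "cd /usr/local/caddy && ./caddy reload"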

🔄 证书维护

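# List certificates
acme.sh --list

# Show certificate details
acme.sh --info -d meimolihan.eu.org

# Manual renewal
# --ecc selects the ECC cert issued with --keylength ec-256. --force ignores
# the renewal window — use it for a deliberate one-off re-issue only; in a
# scheduled job it re-issues on every run and exhausts the CA rate limits.
acme.sh --renew -d meimolihan.eu.org --ecc --force

# Keep acme.sh itself current
acme.sh --upgrade --auto-upgrade

# Revoke and delete the certificate (revocation is irreversible — install a
# replacement first if the site is live)
acme.sh --revoke -d meimolihan.eu.org --ecc
acme.sh --remove -d meimolihan.eu.org --ecc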

⏰ 自动续签配置

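# Add the scheduled job
# The acme.sh installer normally registers this cron entry itself, so guard
# with grep to avoid a duplicate line. `2>/dev/null` keeps `crontab -l` from
# erroring when the user has no crontab yet (that error text would otherwise
# end up in the new crontab via the pipe).
ACME_HOME="/root/.acme.sh"
CRON_LINE="10 20 * * * \"$ACME_HOME\"/acme.sh --cron --home \"$ACME_HOME\" > /dev/null"
if ! crontab -l 2>/dev/null | grep -qF -- 'acme.sh --cron'; then
  (crontab -l 2>/dev/null; printf '%s\n' "$CRON_LINE") | crontab -
fi

# Verify the job is registered
crontab -l | grep acme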

🔄 反向代理配置

🎯 主配置文件

# /usr/local/caddy/Caddyfile — global options, then every site from conf.d/
{
# Non-standard listener ports; the ufw rules later in the guide open
# exactly these two. Port 86 carries plain HTTP — nothing secret should be
# served there.
http_port 86
https_port 6663
# Directive evaluation order: handle reverse_proxy before file_server
order reverse_proxy before file_server
}

# One *.conf per service; a syntax error in any of them fails the whole load
import /usr/local/caddy/conf.d/*.conf

🌐 反向代理示例

# /usr/local/caddy/conf.d/proxy.conf
# PVE management UI
https://pve.meimolihan.eu.org:6663 {
encode gzip
# Certificate and key written by `acme.sh --install-cert`
tls /usr/local/caddy/ssl/full_chain.pem /usr/local/caddy/ssl/private.key

reverse_proxy https://10.10.10.254:8006 {
transport http {
# Disables verification of PVE's (self-signed) certificate, so anything on
# the network path to 10.10.10.254 could impersonate PVE to this proxy.
# Safer: trust PVE's own CA certificate in this transport instead.
tls_insecure_skip_verify
}
# Send the upstream's host:port as the Host header
header_up Host {http.reverse_proxy.upstream.hostport}
}

# Error handling: serve a static 50x page from the web root
handle_errors {
rewrite * /50x.html
root * /var/www/html
file_server
}
}

# WebDAV file service
https://file.meimolihan.eu.org:6663 {
# Everything under /mnt is exposed — via WebDAV and as a browsable listing
# (file_server browse below) — to anyone who passes basic_auth. Make sure
# no unrelated mounts live under /mnt.
root * /mnt
encode gzip

# Basic auth (bcrypt hash). TLS protects the password on the wire, but a
# leaked hash can be brute-forced offline, so use a long random password.
basic_auth {
admin $2a$14$yZXju.olCFqnybbcXmOfyuA64uPlejIBQVNgd9e7epWJrnB/aT57K
}

tls /usr/local/caddy/ssl/full_chain.pem /usr/local/caddy/ssl/private.key

route {
rewrite /webdav /webdav/
# Needs the webdav module compiled into the binary (see the download URL)
webdav /webdav/* {
prefix /webdav
}
file_server browse
}
}

🛡️ 安全头部配置

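# Security hardening — goes inside a site block
header {
    # `preload` with includeSubDomains is hard to undo once submitted to the
    # browser preload list; every subdomain must serve HTTPS first.
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    # Ignored by current browsers; kept only for legacy clients.
    X-XSS-Protection "1; mode=block"
    Referrer-Policy "strict-origin-when-cross-origin"
    Permissions-Policy "fullscreen=(self)"
    # Hide the server banner. `server_tokens off` is an nginx directive and
    # does not exist in Caddy; a leading `-` deletes a response header.
    -Server
}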

📊 负载均衡配置

# Load-balancing example
https://api.example.com:6663 {
reverse_proxy {
# Backends are addressed without a scheme, i.e. plain HTTP — fine on a
# private network, otherwise use https:// and a trusted CA.
to server1:8080 server2:8080 server3:8080
lb_policy round_robin
# Active health checks: GET /health on each backend every 30 s
health_uri /health
health_interval 30s
}
}

⚡ 性能优化

🚀 Caddy 性能调优

# Global performance settings
# NOTE(review): these blocks do not match Caddy's documented global options
# as I know them — server timeouts are configured under
# `servers { timeouts { ... } }`, and I am not aware of `max_connections` or
# `buffers` global options. Run `caddy validate` before deploying this.
{
# Connection limit
servers {
max_connections 1000
}

# Buffer sizes
buffers {
read 4096
write 4096
}

# Timeouts
timeouts {
read 30s
write 30s
idle 60s
}
}

📦 压缩和缓存

# Gzip compression
encode gzip

# Static asset caching
# A one-year max-age is only safe for assets whose file names change with
# content (hashed/versioned); otherwise clients keep stale files.
header /assets/* {
Cache-Control "public, max-age=31536000"
}

# Proxy caching
# NOTE(review): a named matcher (`@static`) and a `header` directive inside a
# reverse_proxy block are not reverse_proxy subdirectives as far as I know —
# they normally sit at site level. Run `caddy validate` before relying on this.
reverse_proxy {
@static {
path *.css *.js *.png *.jpg *.jpeg *.gif *.ico *.svg *.woff *.woff2
}
header @static Cache-Control "public, max-age=31536000"
}

🔍 监控和日志

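# Follow the Caddy service log
journalctl -u caddy -f

# Live connection count
# ss replaces the deprecated netstat; -H drops the header line so the count
# is exact, and grep -c replaces the grep | wc -l pipeline.
watch -n 1 "ss -tanH | grep -c ':6663'"

# Load test
# Point this at a staging host: 100 concurrent requests against the live
# PVE UI behaves like a small denial of service on the management plane.
ab -n 1000 -c 100 https://pve.meimolihan.eu.org:6663/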

🔧 维护管理

📋 备份和恢复

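#!/bin/bash
# backup-caddy.sh — archive Caddy config, certificates and the web root.
#
# The archive contains the TLS private key, so everything is created under a
# restrictive umask and the tarball is left readable by its owner only.
set -euo pipefail
umask 077

BACKUP_ROOT="/backup/caddy"
STAMP="$(date +%Y%m%d)"
BACKUP_DIR="$BACKUP_ROOT/$STAMP"
# The archive lives next to, not inside, the directory it packs: tar would
# otherwise try to include the growing tarball in itself and exit non-zero.
ARCHIVE="$BACKUP_ROOT/caddy-backup-$STAMP.tar.gz"

mkdir -p "$BACKUP_DIR"

# Copy config + certificates and the web root
cp -r /usr/local/caddy "$BACKUP_DIR/"
cp -r /var/www/html "$BACKUP_DIR/html"

# Create the archive (-C so paths inside are relative to the backup root)
tar -czf "$ARCHIVE" -C "$BACKUP_ROOT" "$STAMP"
chmod 600 "$ARCHIVE"

echo "备份完成: $ARCHIVE"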

🛠️ 故障排除

# Check config syntax (uses ./Caddyfile when --config is omitted)
cd /usr/local/caddy && ./caddy validate

# Run in debug mode (foreground, verbose logging — stop the systemd unit
# first or the two instances fight over the ports)
cd /usr/local/caddy && ./caddy run --debug

# Check certificate validity dates of the file on disk
# (this is the installed file, not what the listener actually serves)
openssl x509 -in /usr/local/caddy/ssl/full_chain.pem -noout -dates

# Check which process holds the port
sudo lsof -i :6663
# netstat is deprecated on current distros; `ss -tulnp` gives the same view
sudo netstat -tulnp | grep :6663

🔄 更新和维护

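# Update Caddy
# Use the same -p module list as the initial download: a plain
# ?os=linux&arch=amd64 request yields a binary without the webdav module
# that conf.d/proxy.conf relies on. The new binary must run (`version`)
# before it replaces the old one, and the chain stops at the first failure.
cd /usr/local/caddy || exit 1
wget -O caddy.new "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav" \
  && chmod +x caddy.new \
  && ./caddy.new version \
  && mv caddy.new caddy
# `caddy reload` only re-reads the config — the running process keeps
# executing the old binary. A restart is what actually switches versions.
sudo systemctl restart caddy

# Update acme.sh
acme.sh --upgrade

# Prune old logs (only files whose name starts with "caddy" and are older than 30 days)
find /var/log -name "caddy*" -mtime +30 -delete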

💡 最佳实践

🛡️ 安全建议

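# Update software regularly
# `wget -O caddy` would try to truncate the executable that is currently
# running (Text file busy) and, on failure, leave an empty file behind.
# Download to a new name, check it, rename it over the old one (rename is
# atomic and allowed while the old binary runs), then restart the service.
cd /usr/local/caddy \
  && wget -O caddy.new "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddyserver%2Fcaddy/v2&p=github.com%2Fcaddyserver%2Fwebdav" \
  && chmod +x caddy.new \
  && ./caddy.new version \
  && mv caddy.new caddy \
  && sudo systemctl restart caddy
acme.sh --upgrade

# File permissions
# The private key is readable by root only; ssl/ itself is closed as well so
# directory listings do not reveal the file names.
chmod 755 /usr/local/caddy
chmod 700 /usr/local/caddy/ssl
chmod 600 /usr/local/caddy/ssl/private.key
chmod 644 /usr/local/caddy/ssl/full_chain.pem

# Firewall: open only the two ports from the Caddyfile (http_port 86, https_port 6663)
ufw allow 6663/tcp comment 'Caddy HTTPS'
ufw allow 86/tcp comment 'Caddy HTTP'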

📊 监控告警

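#!/bin/bash
# monitor-caddy.sh — alert (and restart) when Caddy is down or the installed
# certificate is close to expiry. Meant to run from cron; mail goes to ALERT_TO.
#
# No `set -e`: a failed restart or mail must not stop the expiry check.
set -uo pipefail

ALERT_TO="admin@example.com"
CERT="/usr/local/caddy/ssl/full_chain.pem"
# 864000 s = 10 days
EXPIRY_WINDOW=864000

# Service status
if ! systemctl is-active --quiet caddy; then
  echo "Caddy 服务异常" | mail -s "Caddy 服务告警" "$ALERT_TO"
  systemctl restart caddy
fi

# Certificate expiry
# `openssl x509 -checkend` exits non-zero when the certificate expires within
# the window (or cannot be read), so the exit status is used directly instead
# of grepping its message text. This inspects the file on disk, not the
# certificate the listener actually serves.
if ! openssl x509 -in "$CERT" -noout -checkend "$EXPIRY_WINDOW" >/dev/null; then
  echo "SSL 证书即将过期" | mail -s "证书告警" "$ALERT_TO"
fi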

🔧 自动化脚本

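#!/bin/bash
# renew-certificates.sh — renew certificates that are due and reload Caddy.
set -uo pipefail

LOG="/var/log/caddy-renew.log"

# Renew certificates
# --force was dropped: it re-issues every certificate on every run regardless
# of expiry and, from cron, exhausts the CA's rate limits within days.
# Without it acme.sh renews only certificates inside their renewal window.
# NOTE(review): confirm which exit status acme.sh --renew-all returns when
# nothing is due before alerting on the failure branch.
if acme.sh --renew-all; then
  # Reload Caddy so the new key pair is served
  cd /usr/local/caddy && ./caddy reload
  # Log
  echo "$(date): 证书续签完成" >> "$LOG"
else
  rc=$?
  echo "$(date): acme.sh --renew-all failed (exit $rc)" >> "$LOG"
fi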

📝 文档和资源


🎯 提示: 建议在生产环境部署前充分测试所有配置。定期检查日志和监控状态,确保服务稳定运行。

🚀 扩展功能:

  • 🔄 多服务器负载均衡
  • 🌐 CDN 集成
  • 📊 访问日志分析
  • 🛡️ WAF 防火墙
  • 📱 移动端优化

📞 紧急恢复:

# Restart the service when it misbehaves
systemctl restart caddy

# Re-request the certificate when it is broken
# (--force bypasses the renewal window; for an ECC cert issued with
# --keylength ec-256 the --ecc flag is also needed — see the maintenance section)
acme.sh --renew -d meimolihan.eu.org --force

# Roll back the config
# NOTE(review): backup-caddy.sh writes to /backup/caddy/<YYYYMMDD>/caddy/,
# so the Caddyfile is at /backup/caddy/<date>/caddy/Caddyfile, not directly
# under /backup/caddy/ — adjust the path to the snapshot you want.
cp /backup/caddy/Caddyfile /usr/local/caddy/
cd /usr/local/caddy && ./caddy reload