From 9201a588477ff366d7461638e6360bfb130becbe Mon Sep 17 00:00:00 2001
From: sanjay7178
Date: Sat, 4 Jan 2025 19:14:23 +0530
Subject: [PATCH] Add Caddy configuration for Mattermost with automated TLS management
---
 caddy/Caddyfile | 21 +++++
 docker-compose.caddy.yml | 49 ++++++++++
 docs/caddy-support-mattermost.md | 157 +++++++++++++++++++++++++++++++
 env.example | 5 +
 4 files changed, 232 insertions(+)
 create mode 100644 caddy/Caddyfile
 create mode 100644 docker-compose.caddy.yml
 create mode 100644 docs/caddy-support-mattermost.md
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..1ff0e2a
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,21 @@
+domain1.example.com {
+ reverse_proxy mattermost:8065
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ X-XSS-Protection "1; mode=block"
+ }
+}
+
+
+
+domain2.example.com {
+ reverse_proxy mattermost:8065
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ X-XSS-Protection "1; mode=block"
+ }
+}
diff --git a/docker-compose.caddy.yml b/docker-compose.caddy.yml
new file mode 100644
index 0000000..b9b0679
--- /dev/null
+++ b/docker-compose.caddy.yml
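Review bot: The `X-XSS-Protection "1; mode=block"` header in both site blocks is deprecated and ignored by most current browsers, and the legacy filter it enables has itself been abused to leak cross-site data, so it should be dropped or set to `X-XSS-Protection "0"`. The `Strict-Transport-Security` value is a long-lived commitment: `max-age=31536000` with `includeSubDomains` forces HTTPS on every subdomain of the host for a year once a browser has seen it, and `preload` signals intent to be baked into browser preload lists, so the example should carry a comment telling operators to confirm they want that before copying it. The two blocks are identical, so they can be one site block, `domain1.example.com, domain2.example.com {`, which keeps the header set from drifting between hosts. If Mattermost itself emits any of these response headers, check which value actually reaches the client, since the `header` directive and the proxied upstream response can yield duplicate or conflicting values unless the header operations are deferred.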
@@ -0,0 +1,49 @@
+# This Docker Compose file sets up a multi-container application with Caddy and Mattermost services.
+# Version 2.4 of the Docker Compose file format is used.
+
+services:
+
+ # Caddy service configuration
+ caddy:
+ # Specifies that the Caddy service depends on the Mattermost service
+ depends_on:
+ - mattermost
+ # Sets the container name for the Caddy service
+ container_name: caddy-mattermost
+ # Uses the Caddy image with a tag specified by the CADDY_IMAGE_TAG environment variable
+ image: caddy:${CADDY_IMAGE_TAG}
+ # Sets the restart policy for the Caddy container, defined by the RESTART_POLICY environment variable
+ restart: ${RESTART_POLICY}
+ # Security options to disable new privileges
+ security_opt:
+ - no-new-privileges:true
+ # Limits the number of process IDs (PIDs) to 100
+ pids_limit: 100
+ # Sets the container file system to read-only mode
+ read_only: true
+ # Maps host ports to container ports for HTTP and HTTPS traffic
+ ports:
+ - ${HTTPS_PORT}:443
+ - ${HTTP_PORT}:80
+ # Mounts volumes for Caddy data and configuration
+ volumes:
+ - caddy_data:/data
+ - caddy_config:/config
+ - ${CADDY_CONFIG_PATH}:/etc/caddy/Caddyfile:ro
+
+ # Mattermost service configuration
+ mattermost:
+ # Maps host ports to container ports for Mattermost calls (both UDP and TCP)
+ ports:
+ - ${CALLS_PORT}:${CALLS_PORT}/udp
+ - ${CALLS_PORT}:${CALLS_PORT}/tcp
+
+# Defines named volumes for persistent storage of Caddy data and configuration
+volumes:
+ caddy_data: # Define volume for persistent Caddy config data
+ caddy_config:
+
+# Defines a custom network named 'mattermost' for Let's Encrypt certificate renewal
+networks:
+ default:
+ name: mattermost
diff --git a/docs/caddy-support-mattermost.md b/docs/caddy-support-mattermost.md
new file mode 100644
index 0000000..a0ce478
--- /dev/null
+++ b/docs/caddy-support-mattermost.md
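Review bot: The `caddy` service publishes 80/443 and, as far as I can tell, runs the official image as root without dropping any capabilities, so next to `no-new-privileges:true` and `read_only: true` it should also carry `cap_drop: [ALL]` and `cap_add: [NET_BIND_SERVICE]`, leaving a compromised proxy with only the capability it needs to bind privileged ports. The comment on the `networks` block, "for Let's Encrypt certificate renewal", is misleading: the named default network is what lets Caddy resolve the upstream `mattermost:8065` from the Caddyfile, and its name has to match the network the base compose file uses, which this hunk does not show; suggest `# Join the same default network as the base compose file so Caddy can reach the 'mattermost' service by name`. The header comment claims "Version 2.4 of the Docker Compose file format is used" but no `version:` key is present, so drop the sentence or add the key. It is also worth a comment beside the `ports:` mapping that if `HTTP_PORT` is not published as 80 on the host the HTTP-01 ACME challenge cannot complete and issuance depends on TLS-ALPN reaching 443.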
@@ -0,0 +1,157 @@
+
+# Configuring Caddy with Mattermost - Automated TLS
+
+## Why Caddy for TLS Management?
+
+1. **Zero-configuration HTTPS**: Unlike Nginx which requires manual Let's Encrypt certificate setup, Caddy automatically:
+ - Obtains certificates
+ - Renews before expiration
+ - Updates certificates in real-time
+ - Handles OCSP stapling
+
+2. **No Additional Containers**: Unlike the Nginx setup which needs:
+ - Separate certbot container
+ - Manual renewal scripts
+ - Volume mounts for certificates
+ - Systemd timers for renewals
+
+# Configuring Caddy with Mattermost
+
+## Setting up Caddy as reverse proxy
+
+**NOTE:** Commands with a **$** prefix denote those executed as user, **#** as root.
+
+This guide explains how to configure Caddy as a reverse proxy for Mattermost, with automatic HTTPS certificate management.
+
+### 1. Create Caddy configuration directory
+
+```bash
+$ mkdir -p ./caddy
+$ touch ./caddy/Caddyfile
+```
+
+### 2. Basic Caddyfile configuration
+
+Create
+
+Caddyfile
+
+ with:
+
+```caddyfile
+your-domain.com {
+ reverse_proxy mattermost:8065
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ X-XSS-Protection "1; mode=block"
+ }
+}
+```
+
+### 3. Start Mattermost with Caddy
+
+```bash
+$ docker-compose -f docker-compose.yml -f docker-compose.caddy.yml up -d
+```
+
+### 4. Verify Configuration
+
+```bash
+$ docker logs caddy-mattermost
+```
+
+### 5. Certificate Management
+
+Caddy automatically handles SSL/TLS certificates through Let's Encrypt. Requirements:
+
+- DNS A/CNAME records pointing to your server
+- Ports 80/443 accessible
+- Valid domain name
+
+### 6. Environment Variables
+
+Create `.env` file with:
+
+```plaintext
+CADDY_CONFIG_PATH=./caddy/Caddyfile
+HTTPS_PORT=443
+HTTP_PORT=80
+RESTART_POLICY=unless-stopped
+CADDY_IMAGE_TAG=2.7.4
+```
+
+### 7.Ensure A/CNAME records point to your server
+
+```bash
+dig +short your-domain.com
+```
+
+### 8. Verify Certificate
+
+```bash
+curl -vI https://your-domain.com 2>&1 | grep "SSL certificate"
+```
+
+These configurations provide automatic HTTPS, modern security headers, and reverse proxy functionality for Mattermost.
+
+
+
+
+
+## Setup Guide
+
+### 1. Configure DNS
+
+```bash
+$ # Ensure A/CNAME records point to your server
+$ dig +short your-domain.com
+```
+
+### 2. Basic Caddyfile
+
+```caddyfile
+your-domain.com {
+ reverse_proxy mattermost:8065
+ # TLS configuration is automatic!
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ X-XSS-Protection "1; mode=block"
+ }
+}
+```
+
+### 3. Start Services
+
+```bash
+$ docker-compose -f docker-compose.yml -f docker-compose.caddy.yml up -d
+```
+
+### 4. Verify Certificate
+
+```bash
+$ curl -vI https://your-domain.com 2>&1 | grep "SSL certificate"
+```
+
+## Key Benefits
+
+1. **Automatic Management**
+ - No manual certificate renewal
+ - No certbot configuration
+ - No renewal scripts
+
+2. **Security**
+ - Modern TLS defaults
+ - OCSP stapling enabled
+ - HTTP/2 support
+ - Automatic redirects
+
+3. **High Availability**
+ - Zero-downtime renewals
+ - Certificate rotation
+ - Graceful reloads
+
+This approach significantly simplifies TLS management compared to manual Nginx+certbot setup.
\ No newline at end of file
diff --git a/env.example b/env.example
index 667e6db..9fa5695 100644
--- a/env.example
+++ b/env.example
@@ -32,6 +32,11 @@ POSTGRES_DB=mattermost
 ## Note that this repository requires nginx version 1.25.1 or later
 NGINX_IMAGE_TAG=alpine
 
+# Caddy
+## The folder containing server blocks and any additional config to Caddyfile
+CADDY_CONFIG_PATH=./caddy/Caddyfile
+CADDY_IMAGE_TAG=latest
+
 ## The folder containing server blocks and any additional config to nginx.conf
 NGINX_CONFIG_PATH=./nginx/conf.d
 NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
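Review bot: `CADDY_IMAGE_TAG=latest` floats the component that terminates TLS for the whole deployment on whatever gets published next, and it contradicts the accompanying docs, which show `CADDY_IMAGE_TAG=2.7.4`; pin an explicit release tag here (the one the docs use, or an image digest) so upgrades are deliberate and reproducible. The comment above `CADDY_CONFIG_PATH` was carried over from the nginx entry and is wrong for this variable, since the value is a single file mounted at `/etc/caddy/Caddyfile`, not a folder of server blocks; suggest `## Path to the Caddyfile mounted read-only into the Caddy container`. The rest of the file is outside this hunk, so I cannot tell whether `HTTP_PORT`, `HTTPS_PORT`, `RESTART_POLICY` and `CALLS_PORT`, which docker-compose.caddy.yml references, are already defined.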