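# syntax=docker/dockerfile:1
# Build-time args; passed from GitHub Actions.
# ARGs declared before the first FROM are visible only in FROM lines; redeclare them
# inside every stage that needs them (they are erased once FROM runs).
# NOTE: a '#' that is not at the start of a line is NOT a comment in a Dockerfile -- it is
# passed through as an argument (here: extra ARG names). Keep descriptions on their own lines.
#
# ARG_01: Caddy version, e.g. "2.10.2". The "latest" default is not reproducible (base image
#         and bundled modules move between builds); CI should always pass a pinned value.
ARG ARG_01=latest
# ARG_02: "true" = build for external (WAN) exposure (adds GeoIP2, CrowdSec bouncer, Coraza WAF);
#         anything else = internal (LAN) build without them.
ARG ARG_02=false
# DERIVED_ARG_01: tag of the caddy builder image (caddy:<tag>) used by the xcaddy stage.
ARG DERIVED_ARG_01="builder"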
# ------------------------------------------------------------------
# Modules required
# ------------------------------------------------------------------
# [__] https://github.com/hairyhenderson/caddy-teapot-module
# http.handlers.teapot
# [01] https://github.com/caddy-dns/cloudflare
# dns.providers.cloudflare
# [02] https://github.com/WeidiDeng/caddy-cloudflare-ip
# http.ip_sources.cloudflare
# [03] https://github.com/zhangjiayin/caddy-geoip2
# geoip2
# http.handlers.geoip2
# [04] https://github.com/caddyserver/transform-encoder
# caddy.logging.encoders.formatted
# caddy.logging.encoders.transform
# [05] https://github.com/hslatman/caddy-crowdsec-bouncer
# crowdsec
# http.handlers.crowdsec
# layer4.matchers.crowdsec
# [06] https://github.com/corazawaf/coraza-caddy
# http.handlers.waf
# [07] https://github.com/mholt/caddy-l4
# layer4.handlers.*
# layer4.matchers.*
# layer4.proxy.*
# tls.handshake_match.alpn
# [08] https://github.com/abiosoft/caddy-json-schema
# (JSON-schema generator for the Caddy config; pulled in by the build stage below)
# [09] https://github.com/greenpau/caddy-security
# http.authentication.providers.authorizer authorizes access to endpoints based on the presence and content of a JWT token.
# http.handlers.authenticator implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication.
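# Build Caddy with modules
# ---- Build stage ----
# Redeclared right before FROM because the global ARG is consumed by the first FROM.
ARG DERIVED_ARG_01="builder"
FROM caddy:${DERIVED_ARG_01} AS builder
# ARGs must be redeclared inside the stage for RUN to see them.
# ARG_01: Caddy version, e.g. "2.10.2"; "latest" leaves the choice to xcaddy.
ARG ARG_01=latest
# ARG_02: "true" = external (WAN) build with the edge-protection modules, otherwise internal (LAN).
ARG ARG_02=false
# Resolve the module set and build. Supply-chain notes:
#  * Only the teapot module is pinned. Every other --with resolves the module's newest tag at
#    build time, so two builds of this Dockerfile can ship different auth/WAF/bouncer code.
#    Pin with --with <module>@<version> once a version has been vetted.
#  * Without CADDY_VERSION, xcaddy builds its default Caddy (the builder image's own version,
#    if it sets one, otherwise latest) regardless of ARG_01, while the final stage uses
#    caddy:${ARG_01} -- binary and base image would disagree. Whenever a concrete version is
#    given we therefore pin xcaddy to it (leading "v" added if missing).
RUN set -eux; \
    PLUGINS=""; \
    # Layer 4 (TCP/UDP) support
    PLUGINS="$PLUGINS --with github.com/mholt/caddy-l4"; \
    # JSON-schema generator for the Caddy config (not L4-specific)
    PLUGINS="$PLUGINS --with github.com/abiosoft/caddy-json-schema"; \
    # Log encoder module for custom log formats
    PLUGINS="$PLUGINS --with github.com/caddyserver/transform-encoder"; \
    # Cloudflare - IP ranges to identify CF visitors
    PLUGINS="$PLUGINS --with github.com/WeidiDeng/caddy-cloudflare-ip"; \
    # Cloudflare DNS provider (API token is supplied at runtime, never baked in here)
    PLUGINS="$PLUGINS --with github.com/caddy-dns/cloudflare"; \
    # Authentication: Basic, Local, LDAP, OpenID Connect, OAuth 2.0
    PLUGINS="$PLUGINS --with github.com/greenpau/caddy-security"; \
    # Got to love the teapot
    PLUGINS="$PLUGINS --with github.com/hairyhenderson/caddy-teapot-module@v0.0.3-0"; \
    if [ "$ARG_02" = "true" ]; then \
        echo "Building for an external (WAN) usage..."; \
        # GeoIP2 module
        PLUGINS="$PLUGINS --with github.com/zhangjiayin/caddy-geoip2"; \
        # CrowdSec bouncer
        PLUGINS="$PLUGINS --with github.com/hslatman/caddy-crowdsec-bouncer"; \
        # Coraza WAF
        PLUGINS="$PLUGINS --with github.com/corazawaf/coraza-caddy"; \
    else \
        echo "Building for an internal (LAN) usage..."; \
    fi; \
    # Keep the built binary in step with the caddy:${ARG_01} base of the final stage.
    if [ "$ARG_01" != "latest" ]; then \
        CADDY_VERSION="v${ARG_01#v}"; export CADDY_VERSION; \
    fi; \
    echo "Caddy version: ${CADDY_VERSION:-<xcaddy default>}"; \
    echo "Plugins: $PLUGINS"; \
    # Explicit output path: the final stage copies exactly this file.
    xcaddy build --output /usr/bin/caddy $PLUGINS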
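# ---- Final stage ----
# ARG_01 is consumed by FROM and must be redeclared right before it.
# Caddy version, e.g. "2.10.2"; must be the same version the builder stage compiled.
ARG ARG_01=latest
FROM caddy:${ARG_01}
# Debug convenience: bash plus a root shell profile. Both widen the attack surface of a
# container that runs as root (the upstream caddy image sets no USER and this file adds
# none), so drop them for a hardened build. Package version unpinned (hadolint DL3018).
RUN apk add --no-cache bash
COPY programs/_bash/.bashrc /root/.bashrc
COPY programs/_bash/.profile /root/.profile
# Replace the stock binary with the one built with the selected modules
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
# Metadata labels (visible via `docker inspect`). ARGs are redeclared so their values land
# in the labels; ARG values are also visible in `docker history`, so never route secrets
# through them. Note the custom keys below live in the reserved org.opencontainers.image.*
# namespace but are not spec-defined keys.
# Caddy version, e.g. "2.10.2"
ARG ARG_01=latest
# "true" = external (WAN) build, otherwise internal (LAN)
ARG ARG_02=false
ARG DERIVED_ARG_01="builder"
ARG VERSION DOCKERFILE IMAGE_FOR_TESTING BUILD_TIME
LABEL org.opencontainers.image.created=${BUILD_TIME} \
      org.opencontainers.image.version_custom=${VERSION} \
      org.opencontainers.image.dockerfile=${DOCKERFILE} \
      org.opencontainers.image.image_for_testing=${IMAGE_FOR_TESTING} \
      org.opencontainers.image.arg_01=${ARG_01} \
      org.opencontainers.image.arg_02=${ARG_02} \
      org.opencontainers.image.DERIVED_ARG_01=${DERIVED_ARG_01}
# EXPOSE and CMD are inherited from the base caddy image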