Browse Source

feat: caddy2

jonssonyan 2 years ago
parent
commit
9caab80006
1 changed files with 200 additions and 84 deletions
  1. 200 84
      install_script.sh

+ 200 - 84
install_script.sh

@@ -26,16 +26,22 @@ init_var() {
 
   # Caddy
   CADDY_DATA="/tpdata/caddy/"
-  CADDY_Caddyfile="/tpdata/caddy/Caddyfile"
+  CADDY_Config="/tpdata/caddy/config.json"
   CADDY_SRV="/tpdata/caddy/srv/"
-  CADDY_ACME="/tpdata/caddy/acme/"
+  CADDY_CERT="/tpdata/caddy/cert/"
   DOMAIN_FILE="/tpdata/caddy/domain.lock"
+  CADDY_CRT_DIR="/tpdata/caddy/cert/certificates/acme-v02.api.letsencrypt.org-directory/"
+  CADDY_KEY_DIR="/tpdata/caddy/cert/certificates/acme.zerossl.com-v2-dv90/"
   domain=""
   caddy_remote_port=8863
-  your_email="[email protected]"
+  your_email=""
+  ssl_option=1
+  ssl_module_type=1
+  ssl_module="acme"
   crt_path=""
   key_path=""
-  ssl_option=1
+  caddy_crt_path="/tpdata/caddy/cert/server.crt"
+  caddy_key_path="/tpdata/caddy/cert/server.key"
 
   # MariaDB
   MARIA_DATA="/tpdata/mariadb/"
@@ -109,9 +115,9 @@ mkdir_tools() {
 
   # Caddy
   mkdir -p ${CADDY_DATA}
-  touch ${CADDY_Caddyfile}
+  touch ${CADDY_Config}
   mkdir -p ${CADDY_SRV}
-  mkdir -p ${CADDY_ACME}
+  mkdir -p ${CADDY_CERT}
 
   # MariaDB
   mkdir -p ${MARIA_DATA}
@@ -250,9 +256,10 @@ install_caddy_tls() {
     wget --no-check-certificate -O ${CADDY_DATA}html.tar.gz ${STATIC_HTML} &&
       tar -zxvf ${CADDY_DATA}html.tar.gz -C ${CADDY_SRV}
 
-    read -r -p "请输入Caddy的转发端口(用于申请证书,默认:8863): " caddy_remote_port
+    read -r -p "请输入Caddy的转发端口(默认:8863): " caddy_remote_port
     [[ -z "${caddy_remote_port}" ]] && caddy_remote_port=8863
 
+    echo_content yellow "提示:请确认域名已经解析到本机 否则可能安装失败"
     while read -r -p "请输入你的域名(必填): " domain; do
       if [[ -z "${domain}" ]]; then
         echo_content red "域名不能为空"
@@ -261,91 +268,198 @@ install_caddy_tls() {
       fi
     done
 
-    mkdir "${CADDY_ACME}${domain}"
+    read -r -p "请输入你的邮箱(可选): " your_email
 
     while read -r -p "请选择设置证书的方式?(1/自动申请和续签证书 2/手动设置证书路径 默认:1/自动申请和续签证书): " ssl_option; do
       if [[ -z ${ssl_option} || ${ssl_option} == 1 ]]; then
-
-        echo_content yellow "正在检测域名,请稍后..."
-        ping_ip=$(ping "${domain}" -s1 -c1 | grep "ttl=" | head -n1 | cut -d"(" -f2 | cut -d")" -f1)
-        curl_ip=$(curl ifconfig.me)
-        if [[ "${ping_ip}" != "${curl_ip}" ]]; then
-          echo_content yellow "你的域名没有解析到本机IP,请稍后再试"
-          echo_content red "---> Caddy安装失败"
-          exit 0
-        fi
-
-        read -r -p "请输入你的邮箱(用于申请证书,默认:[email protected]): " your_email
-        [[ -z "${your_email}" ]] && your_email="[email protected]"
-
-        cat >${CADDY_Caddyfile} <<EOF
-http://${domain}:80 {
-    redir https://${domain}:${caddy_remote_port}{url}
-}
-https://${domain}:${caddy_remote_port} {
-    gzip
-    tls ${your_email}
-    root ${CADDY_SRV}
-}
-EOF
+        while read -r -p "请选择申请证书的方式(1/acme 2/zerossl 默认:1/acme): " ssl_module_type; do
+          if [[ -z "${ssl_module_type}" || ${ssl_module_type} == 1 ]]; then
+            ssl_module="acme"
+            break
+          elif [[ ${ssl_module_type} == 2 ]]; then
+            ssl_module="zerossl"
+            break
+          else
+            echo_content red "不可以输入除1和2之外的其他字符"
+          fi
+        done
         break
-      else
-        if [[ ${ssl_option} != 2 ]]; then
-          echo_content red "不可以输入除1和2之外的其他字符"
-        else
-
-          while read -r -p "请输入证书的.crt文件路径(必填): " crt_path; do
-            if [[ -z "${crt_path}" ]]; then
-              echo_content red "路径不能为空"
+      elif [[ ${ssl_option} == 2 ]]; then
+        while read -r -p "请输入证书的.crt文件路径(必填): " crt_path; do
+          if [[ -z "${crt_path}" ]]; then
+            echo_content red "路径不能为空"
+          else
+            if [[ ! -f "${crt_path}" ]]; then
+              echo_content red "证书的.crt文件路径不存在"
             else
-              if [[ ! -f "${crt_path}" ]]; then
-                echo_content red "证书的.crt文件路径不存在"
-              else
-                cp "${crt_path}" "${CADDY_ACME}${domain}/${domain}.crt"
-                break
-              fi
+              cp "${crt_path}" "${caddy_crt_path}"
+              break
             fi
-          done
-
-          while read -r -p "请输入证书的.key文件路径(必填): " key_path; do
-            if [[ -z "${key_path}" ]]; then
-              echo_content red "路径不能为空"
+          fi
+        done
+
+        while read -r -p "请输入证书的.key文件路径(必填): " key_path; do
+          if [[ -z "${key_path}" ]]; then
+            echo_content red "路径不能为空"
+          else
+            if [[ ! -f "${key_path}" ]]; then
+              echo_content red "证书的.key文件路径不存在"
             else
-              if [[ ! -f "${key_path}" ]]; then
-                echo_content red "证书的.key文件路径不存在"
-              else
-                cp "${key_path}" "${CADDY_ACME}${domain}/${domain}.key"
-                break
-              fi
+              cp "${key_path}" "${caddy_key_path}"
+              break
             fi
-          done
+          fi
+        done
+        break
+      else
+        echo_content red "不可以输入除1和2之外的其他字符"
+      fi
+    done
 
-          cat >${CADDY_Caddyfile} <<EOF
-http://${domain}:80 {
-    redir https://${domain}:${caddy_remote_port}{url}
-}
-https://${domain}:${caddy_remote_port} {
-    gzip
-    tls /root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/${domain}/${domain}.crt /root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/${domain}/${domain}.key
-    root ${CADDY_SRV}
+    cat >${CADDY_Config} <<EOF
+{
+    "admin": {
+        "disabled": true
+    },
+    "logging": {
+        "sink": {
+            "writer": {
+                "output": "discard"
+            }
+        },
+        "logs": {
+            "default": {
+                "writer": {
+                    "output": "discard"
+                }
+            }
+        }
+    },
+    "storage": {
+        "module": "file_system",
+        "root": "${CADDY_CERT}"
+    },
+    "apps": {
+        "http": {
+            "servers": {
+                "srv0": {
+                    "listen": [
+                        ":80"
+                    ],
+                    "routes": [
+                        {
+                            "match": [
+                                {
+                                    "host": [
+                                        "${domain}"
+                                    ]
+                                }
+                            ],
+                            "handle": [
+                                {
+                                    "handler": "static_response",
+                                    "headers": {
+                                        "Location": [
+                                            "https://{http.request.host}:${caddy_remote_port}{http.request.uri}"
+                                        ]
+                                    },
+                                    "status_code": 301
+                                }
+                            ]
+                        }
+                    ]
+                },
+                "srv1": {
+                    "listen": [
+                        ":${caddy_remote_port}"
+                    ],
+                    "routes": [
+                        {
+                            "handle": [
+                                {
+                                    "handler": "subroute",
+                                    "routes": [
+                                        {
+                                            "match": [
+                                                {
+                                                    "host": [
+                                                        "${domain}"
+                                                    ]
+                                                }
+                                            ],
+                                            "handle": [
+                                                {
+                                                    "handler": "file_server",
+                                                    "root": "${CADDY_SRV}",
+                                                    "index_names": [
+                                                        "index.html",
+                                                        "index.htm"
+                                                    ]
+                                                }
+                                            ],
+                                            "terminal": true
+                                        }
+                                    ]
+                                }
+                            ]
+                        }
+                    ],
+                    "tls_connection_policies": [
+                        {
+                            "match": {
+                                "sni": [
+                                    "${domain}"
+                                ]
+                            }
+                        }
+                    ],
+                    "automatic_https": {
+                        "disable": true
+                    }
+                }
+            }
+        },
+        "tls": {
+            "certificates": {
+                "automate": [
+                    "${domain}"
+                ],
+                "load_files": [
+                    {
+                        "certificate": "${caddy_crt_path}",
+                        "key": "${caddy_key_path}"
+                    }
+                ]
+            },
+            "automation": {
+                "policies": [
+                    {
+                        "issuers": [
+                            {
+                                "module": "${ssl_module}",
+                                "email": "${your_email}"
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
 }
 EOF
-          break
-        fi
-      fi
-    done
 
     if [[ -n $(lsof -i:80,443 -t) ]]; then
       kill -9 "$(lsof -i:80,443 -t)"
     fi
 
-    docker pull teddysun/caddy:1.0.5 &&
+    docker pull caddy:2.6.2 &&
       docker run -d --name trojan-panel-caddy --restart always \
         --network=host \
-        -v ${CADDY_Caddyfile}:"/etc/caddy/Caddyfile" \
-        -v ${CADDY_ACME}:"/root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/" \
+        -v "${CADDY_Config}":"${CADDY_Config}" \
+        -v ${caddy_crt_path}:"${CADDY_CRT_DIR}${domain}/${domain}.crt" \
+        -v ${caddy_key_path}:"${CADDY_KEY_DIR}${domain}/${domain}.key" \
         -v ${CADDY_SRV}:${CADDY_SRV} \
-        teddysun/caddy:1.0.5
+        caddy:2.6.2 caddy run --config ${CADDY_Config}
 
     if [[ -n $(docker ps -q -f "name=^trojan-panel-caddy$" -f "status=running") ]]; then
       cat >${DOMAIN_FILE} <<EOF
@@ -533,8 +647,8 @@ server {
 
     #强制ssl
     ssl on;
-    ssl_certificate      ${CADDY_ACME}${domain}/${domain}.crt;
-    ssl_certificate_key  ${CADDY_ACME}${domain}/${domain}.key;
+    ssl_certificate      ${caddy_crt_path};
+    ssl_certificate_key  ${caddy_key_path};
     #缓存有效期
     ssl_session_timeout  5m;
     #安全链接可选的加密协议
@@ -603,7 +717,7 @@ EOF
       docker run -d --name trojan-panel-ui --restart always \
         --network=host \
         -v ${NGINX_CONFIG}:/etc/nginx/conf.d/default.conf \
-        -v ${CADDY_ACME}"${domain}":${CADDY_ACME}"${domain}" \
+        -v ${CADDY_CERT}:${CADDY_CERT} \
         jonssonyan/trojan-panel-ui
 
     if [[ -n $(docker ps -q -f "name=^trojan-panel-ui$" -f "status=running") ]]; then
@@ -624,7 +738,7 @@ EOF
   echo_content yellow "Redis的密码(请妥善保存): ${redis_pass}"
   echo_content yellow "管理面板地址: ${https_flag}://${domain}:${trojan_panel_ui_port}"
   echo_content yellow "系统管理员 默认用户名: sysadmin 默认密码: 123456 请及时登陆管理面板修改密码"
-  echo_content yellow "Trojan Panel私钥和证书目录: ${CADDY_ACME}${domain}/"
+  echo_content yellow "Trojan Panel私钥和证书目录: ${CADDY_CERT}"
   echo_content red "\n=============================================================="
 }
 
@@ -673,7 +787,7 @@ install_trojan_panel_core() {
         -v ${TROJAN_PANEL_CORE_DATA}bin/hysteria/config:${TROJAN_PANEL_CORE_DATA}bin/hysteria/config \
         -v ${TROJAN_PANEL_CORE_DATA}bin/naiveproxy/config:${TROJAN_PANEL_CORE_DATA}bin/naiveproxy/config \
         -v ${TROJAN_PANEL_CORE_LOGS}:${TROJAN_PANEL_CORE_LOGS} \
-        -v ${CADDY_ACME}:${CADDY_ACME} \
+        -v ${CADDY_CERT}:${CADDY_CERT} \
         -v ${CADDY_SRV}:${CADDY_SRV} \
         -v /etc/localtime:/etc/localtime \
         -e "mariadb_ip=${mariadb_ip}" \
@@ -685,8 +799,8 @@ install_trojan_panel_core() {
         -e "redis_host=${redis_host}" \
         -e "redis_port=${redis_port}" \
         -e "redis_pass=${redis_pass}" \
-        -e "crt_path=${CADDY_ACME}${domain}/${domain}.crt" \
-        -e "key_path=${CADDY_ACME}${domain}/${domain}.key" \
+        -e "crt_path=${caddy_crt_path}" \
+        -e "key_path=${caddy_key_path}" \
         jonssonyan/trojan-panel-core
     if [[ -n $(docker ps -q -f "name=^trojan-panel-core$" -f "status=running") ]]; then
       echo_content skyBlue "---> Trojan Panel Core安装完成"
@@ -703,7 +817,7 @@ install_trojan_panel_core() {
 update__trojan_panel_database() {
   echo_content skyBlue "---> 更新Trojan Panel数据结构"
 
- if [[ "${trojan_panel_current_version}" == "1.3.0" ]]; then
+  if [[ "${trojan_panel_current_version}" == "1.3.0" ]]; then
     docker exec trojan-panel-mariadb mysql -h"${mariadb_ip}" -P"${mariadb_port}" -u"${mariadb_user}" -p"${mariadb_pas}" -e "${tp_sql_130_131}" &>/dev/null &&
       trojan_panel_current_version="1.3.1"
   fi
@@ -802,7 +916,7 @@ update_trojan_panel() {
       docker run -d --name trojan-panel-ui --restart always \
         --network=host \
         -v ${NGINX_CONFIG}:/etc/nginx/conf.d/default.conf \
-        -v ${CADDY_ACME}"${domain}":${CADDY_ACME}"${domain}" \
+        -v ${CADDY_CERT}:${CADDY_CERT} \
         jonssonyan/trojan-panel-ui
 
     if [[ -n $(docker ps -q -f "name=^trojan-panel-ui$" -f "status=running") ]]; then
@@ -879,7 +993,7 @@ update_trojan_panel_core() {
         --network=host \
         -v ${TROJAN_PANEL_CORE_DATA}bin:${TROJAN_PANEL_CORE_DATA}bin \
         -v ${TROJAN_PANEL_CORE_LOGS}:${TROJAN_PANEL_CORE_LOGS} \
-        -v ${CADDY_ACME}:${CADDY_ACME} \
+        -v ${CADDY_CERT}:${CADDY_CERT} \
         -v /etc/localtime:/etc/localtime \
         -e "mariadb_ip=${mariadb_ip}" \
         -e "mariadb_port=${mariadb_port}" \
@@ -890,6 +1004,8 @@ update_trojan_panel_core() {
         -e "redis_host=${redis_host}" \
         -e "redis_port=${redis_port}" \
         -e "redis_pass=${redis_pass}" \
+        -e "crt_path=${caddy_crt_path}" \
+        -e "key_path=${caddy_key_path}" \
         jonssonyan/trojan-panel-core
 
     if [[ "$?" == "0" ]]; then
@@ -1066,7 +1182,7 @@ failure_testing() {
         echo_content red "---> Caddy TLS运行异常"
       fi
       domain=$(cat "${DOMAIN_FILE}")
-      if [[ -z $(cat "${DOMAIN_FILE}") || ! -d "${CADDY_ACME}${domain}" || ! -f "${CADDY_ACME}${domain}/${domain}.crt" ]]; then
+      if [[ -z $(cat "${DOMAIN_FILE}") || ! -d "${CADDY_CERT}" || ! -f "${caddy_crt_path}" ]]; then
         echo_content red "---> 证书申请异常,请尝试重启服务器将重新申请证书或者重新搭建选择自定义证书选项"
       fi
     fi