Install Caddy with rate limiting plugin for ARM64 deployment

- Install Go 1.21.5 for ARM64 architecture - Use xcaddy to build Caddy with caddy-ratelimit plugin - Create custom systemd service for plugin-enabled Caddy - Restore rate limiting configuration in Caddyfile - Production-ready setup with proper security and rate limiting - Automatic SSL with enhanced protection against API abuse
2025-07-03 00:44:29 -04:00 · 2025-07-03 00:44:29 -04:00 · c95d159a95
commit c95d159a95
parent 3d3eb2fd3b
2 changed files with 60 additions and 9 deletions
--- a/scripts/Caddyfile
+++ b/scripts/Caddyfile
@ -41,7 +41,7 @@ yourdomain.com {
    # Gzip compression
    encode gzip zstd
    
-    # Logging for security monitoring
+    # Logging for monitoring
    log {
        output file /var/log/caddy/icewatch.log {
            roll_size 100MB
@ -50,7 +50,7 @@ yourdomain.com {
        format json
    }
    
-    # Rate limiting for API endpoints
+    # Rate limiting for API endpoints (requires caddy-ratelimit plugin)
    rate_limit {
        zone api {
            key {remote_host}
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@ -16,13 +16,64 @@ echo "📦 Installing Node.js..."
 curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
 sudo apt install -y nodejs build-essential

-# Install Caddy for reverse proxy
-echo "📦 Installing Caddy..."
-sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
-sudo apt update
-sudo apt install caddy
+# Install Go (required for xcaddy)
+echo "📦 Installing Go..."
+wget -q https://go.dev/dl/go1.21.5.linux-arm64.tar.gz
+sudo rm -rf /usr/local/go
+sudo tar -C /usr/local -xzf go1.21.5.linux-arm64.tar.gz
+export PATH=$PATH:/usr/local/go/bin
+echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
+
+# Install xcaddy to build Caddy with plugins
+echo "📦 Installing xcaddy..."
+go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+export PATH=$PATH:$(go env GOPATH)/bin
+
+# Build Caddy with rate limiting plugin
+echo "🔧 Building Caddy with rate limiting plugin..."
+xcaddy build --with github.com/mholt/caddy-ratelimit
+
+# Install the custom Caddy binary
+echo "📦 Installing custom Caddy..."
+sudo mv caddy /usr/local/bin/caddy
+sudo chmod +x /usr/local/bin/caddy
+
+# Create Caddy user and directories
+sudo groupadd --system caddy
+sudo useradd --system --gid caddy --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin caddy
+sudo mkdir -p /etc/caddy /var/log/caddy
+sudo chown -R caddy:caddy /var/log/caddy
+
+# Create systemd service for custom Caddy
+echo "⚙️ Creating Caddy systemd service..."
+sudo tee /etc/systemd/system/caddy.service > /dev/null <<EOF
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=1048576
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Clean up Go archive
+rm -f go1.21.5.linux-arm64.tar.gz
+
+echo "✅ Caddy with rate limiting plugin installed successfully!"

 # Create app directory
 echo "📁 Setting up app directory..."