caddy Docker 镜像 - 轩辕镜像

Quick reference

• Maintained by:
  the Caddy Docker Maintainers

• Where to get help:
  the Caddy Community Forums

Supported tags and respective Dockerfile links

(See "What's the difference between 'Shared' and 'Simple' tags?" in the FAQ.)

Simple Tags

• 2.11.0-beta.1-alpine, 2.11-alpine

• 2.11.0-beta.1-builder-alpine, 2.11-builder-alpine

• 2.11.0-beta.1-windowsservercore-ltsc2022, 2.11-windowsservercore-ltsc2022

• 2.11.0-beta.1-windowsservercore-ltsc2025, 2.11-windowsservercore-ltsc2025

• 2.11.0-beta.1-nanoserver-ltsc2022, 2.11-nanoserver-ltsc2022

• 2.11.0-beta.1-nanoserver-ltsc2025, 2.11-nanoserver-ltsc2025

• 2.11.0-beta.1-builder-windowsservercore-ltsc2022, 2.11-builder-windowsservercore-ltsc2022

• 2.11.0-beta.1-builder-windowsservercore-ltsc2025, 2.11-builder-windowsservercore-ltsc2025

• 2.10.2-alpine, 2.10-alpine, 2-alpine, alpine

• 2.10.2-builder-alpine, 2.10-builder-alpine, 2-builder-alpine, builder-alpine

• 2.10.2-windowsservercore-ltsc2022, 2.10-windowsservercore-ltsc2022, 2-windowsservercore-ltsc2022, windowsservercore-ltsc2022

• 2.10.2-windowsservercore-ltsc2025, 2.10-windowsservercore-ltsc2025, 2-windowsservercore-ltsc2025, windowsservercore-ltsc2025

• 2.10.2-nanoserver-ltsc2022, 2.10-nanoserver-ltsc2022, 2-nanoserver-ltsc2022, nanoserver-ltsc2022

• 2.10.2-nanoserver-ltsc2025, 2.10-nanoserver-ltsc2025, 2-nanoserver-ltsc2025, nanoserver-ltsc2025

• 2.10.2-builder-windowsservercore-ltsc2022, 2.10-builder-windowsservercore-ltsc2022, 2-builder-windowsservercore-ltsc2022, builder-windowsservercore-ltsc2022

• 2.10.2-builder-windowsservercore-ltsc2025, 2.10-builder-windowsservercore-ltsc2025, 2-builder-windowsservercore-ltsc2025, builder-windowsservercore-ltsc2025

Shared Tags

• 2.11.0-beta.1, 2.11:

  • 2.11.0-beta.1-alpine
  • 2.11.0-beta.1-windowsservercore-ltsc2022
  • 2.11.0-beta.1-windowsservercore-ltsc2025

• 2.11.0-beta.1-builder, 2.11-builder:

  • 2.11.0-beta.1-builder-alpine
  • 2.11.0-beta.1-builder-windowsservercore-ltsc2022
  • 2.11.0-beta.1-builder-windowsservercore-ltsc2025

• 2.11.0-beta.1-windowsservercore, 2.11-windowsservercore:

  • 2.11.0-beta.1-windowsservercore-ltsc2022
  • 2.11.0-beta.1-windowsservercore-ltsc2025

• 2.11.0-beta.1-nanoserver, 2.11-nanoserver:

  • 2.11.0-beta.1-nanoserver-ltsc2022
  • 2.11.0-beta.1-nanoserver-ltsc2025

• 2.10.2, 2.10, 2, latest:

  • 2.10.2-alpine
  • 2.10.2-windowsservercore-ltsc2022
  • 2.10.2-windowsservercore-ltsc2025

• 2.10.2-builder, 2.10-builder, 2-builder, builder:

  • 2.10.2-builder-alpine
  • 2.10.2-builder-windowsservercore-ltsc2022
  • 2.10.2-builder-windowsservercore-ltsc2025

• 2.10.2-windowsservercore, 2.10-windowsservercore, 2-windowsservercore, windowsservercore:

  • 2.10.2-windowsservercore-ltsc2022
  • 2.10.2-windowsservercore-ltsc2025

• 2.10.2-nanoserver, 2.10-nanoserver, 2-nanoserver, nanoserver:

  • 2.10.2-nanoserver-ltsc2022
  • 2.10.2-nanoserver-ltsc2025

Quick reference (cont.)

• Where to file issues:
  [***]

• Supported architectures: (more info)
  amd64, arm32v6, arm32v7, arm64v8, ppc64le, riscv64, s390x, windows-amd64

• Published image artifact details:
  repo-info repo's repos/caddy/ directory (history)
  (image metadata, transfer size, etc)

• Image updates:
  official-images repo's library/caddy label
  official-images repo's library/caddy file (history)

• Source of this description:
  docs repo's caddy/ directory (history)

!logo

What is Caddy?

Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.

How to use this image

⚠️ A note about persisted data

Caddy requires write access to two locations: a data directory, and a configuration directory. While it's not necessary to persist the files stored in the configuration directory, it can be convenient. However, it's very important to persist the data directory.

From the docs:

The data directory must not be treated as a cache. Its contents are not ephemeral or merely for the sake of performance. Caddy stores TLS certificates, private keys, OCSP staples, and other necessary information to the data directory. It should not be purged without an understanding of the implications.

This image provides for two mount-points for volumes: /data and /config.

In the examples below, a named volume caddy_data is mounted to /data, so that data will be persisted.

Note that named volumes are persisted across container restarts and terminations, so if you move to a new image version, the same data and config directories can be re-used.

Basic Usage

The default config file simply serves files from /usr/share/caddy, so if you want to serve index.html from the current working directory:

console
$ echo "hello world" > index.html
$ docker run -d -p 80:80 \
    -v $PWD/index.html:/usr/share/caddy/index.html \
    -v caddy_data:/data \
    caddy
...
$ curl http://localhost/
hello world

To override the default Caddyfile, you can create one in the subfolder conf at $PWD/conf/Caddyfile and mount this folder at /etc/caddy:

console
$ docker run -d -p 80:80 \
    -v $PWD/conf:/etc/caddy \
    -v caddy_data:/data \
    caddy

⚠️ Do not mount the Caddyfile directly at /etc/caddy/Caddyfile

If vim or another editor is used that changes the inode of the edited file, the changes will only be applied within the container when the container is recreated, which is explained in detail in this Medium article. When using such an editor, Caddy's graceful reload functionality might not work as expected, as described in this issue.

Automatic TLS with the Caddy image

The default Caddyfile only listens to port 80, and does not set up automatic TLS. However, if you have a domain name for your site, and its A/AAAA DNS records are properly pointed to this machine's public IP, then you can use this command to simply serve a site over HTTPS:

console
$ docker run -d --cap-add=NET_ADMIN -p 80:80 -p 443:443 -p 443:443/udp \
    -v /site:/srv \
    -v caddy_data:/data \
    -v caddy_config:/config \
    caddy caddy file-server --domain example.com

The key here is that Caddy is able to listen to ports 80 and 443, both required for the ACME HTTP challenge.

See Caddy's docs for more information on automatic HTTPS support!

Building your own Caddy-based image

Most users deploying production sites will not want to rely on mounting files into a container, but will instead base their own images on caddy:

Dockerfile
# note: never use the :latest tag in a production site
FROM caddy:<version>

COPY Caddyfile /etc/caddy/Caddyfile
COPY site /srv

Adding custom Caddy modules

Caddy is extendable through the use of "modules". See [***] for full details. You can find a list of available modules on the Caddy website's download page.

You can use the :builder image as a short-cut to building a new Caddy binary:

Dockerfile
FROM caddy:<version>-builder AS builder

RUN xcaddy build \
    --with github.com/caddyserver/nginx-adapter \
    --with github.com/hairyhenderson/caddy-teapot-module@v0.0.3-0

FROM caddy:<version>

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Note the second FROM instruction - this produces a much smaller image by simply overlaying the newly-built binary on top of the regular caddy image.

The xcaddy tool is used to build a new Caddy entrypoint, with the provided modules. You can specify just a module name, or a name with a version (separated by @). You can also specify a specific version (can be a version tag or commit hash) of Caddy to build from. Read more about xcaddy usage.

Note that the "standard" Caddy modules (github.com/caddyserver/caddy/master/modules/standard) are always included.

Graceful reloads

Caddy does not require a full restart when configuration is changed. Caddy comes with a caddy reload command which can be used to reload its configuration with zero downtime.

When running Caddy in Docker, the recommended way to trigger a config reload is by executing the caddy reload command in the running container.

First, you'll need to determine your container ID or name. Then, pass the container ID to docker exec. The working directory is set to /etc/caddy so Caddy can find your Caddyfile without additional arguments.

console
$ caddy_container_id=$(docker ps | grep caddy | awk '{print $1;}')
$ docker exec -w /etc/caddy $caddy_container_id caddy reload

Linux capabilities

Caddy ships with HTTP/3 support enabled by default. To improve the performance of this UDP based protocol, the underlying quic-go library tries to increase the buffer sizes for its socket. The NET_ADMIN capability allows it to override the low default limits of the operating system without having to change kernel parameters via sysctl.

Giving the container this capability is optional and has potential, though unlikely, to have security implications.

See [***] for more details.

Docker Compose example

If you prefer to use docker compose to run your stack, here's a sample service definition which goes in a file named compose.yaml. The configuration assumes you put a custom Caddyfile into $PWD/conf as described above.

yaml
services:
  caddy:
    image: caddy:<version>
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/conf:/etc/caddy
      - $PWD/site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

Graceful reloads can then be conducted via docker compose exec -w /etc/caddy caddy caddy reload.

Image Variants

The caddy images come in many flavors, each designed for a specific use case.

caddy:<version>

This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.

caddy:<version>-alpine

This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

This variant is useful when final image size being as small as possible is your primary concern. The main caveat to note is that it does use musl libc instead of glibc and friends, so software will often run into issues depending on the depth of their libc requirements/assumptions. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

To minimize image size, it's uncommon for additional related tools (such as git or bash) to be included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar).

caddy:<version>-windowsservercore

This image is based on Windows Server Core (mcr.microsoft.com/windows/servercore). As such, it only works in places which that image does, such as Windows 10 Professional/Enterprise (Anniversary Edition) or Windows Server 2016.

For information about how to get Docker running on Windows, please see the relevant "Quick Start" guide provided by Microsoft:

• Windows Containers Quick Start

License

View license information for the software contained in this image.

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Some additional license information which was able to be auto-detected might be found in the repo-info repository's caddy/ directory.

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.