1. 架构说明
公网用户
↓ HTTPS
腾讯云轻量服务器 Caddy
↓ WireGuard 隧道
飞牛 OS 服务关键地址:
腾讯云公网 IP:<PUBLIC_IPV4>
飞牛 WireGuard IP:10.66.66.2
Caddy 部署位置:腾讯云轻量服务器
Caddy 运行方式:Docker ComposeCaddy 负责:
1. 对外提供 HTTPS
2. 自动申请 TLS 证书
3. 按域名反代到飞牛内网服务
4. 将公网请求转发到 10.66.66.2:服务端口2. 前置条件
确保 WireGuard 已经连通。
腾讯云执行:
ping -c 4 10.66.66.2测试飞牛服务端口:
curl -I http://10.66.66.2:5666
curl -I http://10.66.66.2:18080能返回 HTTP 响应后,再配置 Caddy。
3. DNS 配置
在域名解析中添加 A 记录,全部指向腾讯云公网 IP:
test.example.com A <PUBLIC_IPV4>
nas.example.com A <PUBLIC_IPV4>
blog.example.com A <PUBLIC_IPV4>
mcs.example.com A <PUBLIC_IPV4>
mcd.example.com A <PUBLIC_IPV4>
minio.example.com A <PUBLIC_IPV4>
s3.example.com A <PUBLIC_IPV4>检查解析:
dig test.example.com +short应返回:
<PUBLIC_IPV4>4. 腾讯云防火墙放行
腾讯云轻量应用服务器控制台放行:
TCP 80
TCP 443如果某个服务必须通过自定义 HTTPS 端口访问,例如:
https://mcd.example.com:24444还需要放行:
TCP 24444系统 UFW 放行:
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 24444/tcp
ufw reload
ufw status5. 安装 Docker 和 Compose
腾讯云执行:
apt update
apt install -y curl ca-certificates gnupg lsb-release
curl -fsSL https://get.docker.com | sh
systemctl enable docker
systemctl start docker
apt install -y docker-compose-plugin可选:配置 Docker 镜像源。
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": [
"https://mirror.ccs.tencentyun.com",
"https://docker.m.daocloud.io",
"https://docker.1ms.run"
],
"dns": [
"223.5.5.5",
"223.6.6.6",
"119.29.29.29",
"8.8.8.8"
]
}
EOF
systemctl daemon-reload
systemctl restart docker6. 创建 Caddy 目录
mkdir -p /opt/nas-gateway/caddy/data
mkdir -p /opt/nas-gateway/caddy/config
mkdir -p /opt/nas-gateway/caddy/site
cd /opt/nas-gateway7. 创建 Docker Compose
cat > /opt/nas-gateway/docker-compose.yml <<'EOF'
services:
caddy:
image: caddy:latest
container_name: caddy
network_mode: host
volumes:
- ./caddy/Caddyfile:/etc/caddy/Caddyfile
- ./caddy/site:/srv
- ./caddy/data:/data
- ./caddy/config:/config
restart: unless-stopped
EOFnetwork_mode: host 用于让 Caddy 直接监听腾讯云服务器的 80/443 端口。
8. 编写 Caddyfile
根据实际域名和端口修改。
cat > /opt/nas-gateway/caddy/Caddyfile <<'EOF'
# 测试服务
test.example.com {
reverse_proxy 10.66.66.2:18080
}
# 飞牛管理后台,后端 HTTP 5666
nas.example.com {
reverse_proxy 10.66.66.2:5666
}
# WordPress,Docker 外部映射端口 48080
blog.example.com {
reverse_proxy 10.66.66.2:48080 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Port 443
}
}
# MCS Web 管理端
mcs.example.com {
reverse_proxy 10.66.66.2:23333 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Port 443
}
}
# MinIO Console
minio.example.com {
reverse_proxy 10.66.66.2:9001 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
# MinIO S3 API
s3.example.com {
reverse_proxy 10.66.66.2:9000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
EOF9. MCD 24444 特殊端口配置
如果 MCD 必须通过:
https://mcd.example.com:24444访问,则 Caddyfile 增加:
mcd.example.com:24444 {
encode gzip
reverse_proxy 10.66.66.2:24444 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Port 24444
header_up X-Forwarded-Ssl on
header_up Upgrade {http.request.header.Upgrade}
header_up Connection {http.request.header.Connection}
flush_interval -1
}
}如果 MCD 后端开启了 HTTPS 且使用自签证书,则改为:
mcd.example.com:24444 {
encode gzip
reverse_proxy https://10.66.66.2:24444 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Port 24444
header_up X-Forwarded-Ssl on
header_up Upgrade {http.request.header.Upgrade}
header_up Connection {http.request.header.Connection}
transport http {
tls_insecure_skip_verify
}
flush_interval -1
}
}推荐方式:
MCD 后端 ssl=false
Caddy 对外提供 HTTPS
Caddy 到后端走 HTTP10. 启动 Caddy
cd /opt/nas-gateway
docker compose up -d caddy查看日志:
docker logs -f caddy验证配置:
docker exec -it caddy caddy validate --config /etc/caddy/Caddyfile11. 重载或重启 Caddy
修改 Caddyfile 后执行:
cd /opt/nas-gateway
docker compose restart caddy查看日志:
docker logs --tail=120 caddy12. 验证访问
腾讯云本机测试 Caddy:
curl -I -H "Host: test.example.com" http://127.0.0.1测试 HTTPS:
curl -Ik https://test.example.com测试后端:
curl -I http://10.66.66.2:18080
curl -I http://10.66.66.2:5666
curl -I http://10.66.66.2:48080
curl -I http://10.66.66.2:23333如果是 HTTPS 后端:
curl -Ik https://10.66.66.2:2444413. 常见问题
13.1 Caddy 未启动
表现:
DNS 正确
WireGuard 正常
curl 后端正常
域名访问不了处理:
cd /opt/nas-gateway
docker compose up -d caddy
docker logs -f caddy13.2 80/443 被其他服务占用
检查:
ss -tulpn | grep -E ':80|:443'如果 nginx 占用腾讯云 80/443:
systemctl stop nginx
systemctl disable nginx如果是 Docker nginx:
docker ps
docker stop <容器名或ID>
docker rm <容器名或ID>然后重启 Caddy:
cd /opt/nas-gateway
docker compose restart caddy13.3 后端 HTTP/HTTPS 写反
如果:
curl -Ik https://10.66.66.2:24444报:
wrong version number说明后端是 HTTP,Caddy 应写:
reverse_proxy 10.66.66.2:24444如果:
curl -I http://10.66.66.2:24444返回:
Empty reply from server但:
curl -Ik https://10.66.66.2:24444能通,说明后端是 HTTPS,Caddy 应写:
reverse_proxy https://10.66.66.2:24444 {
transport http {
tls_insecure_skip_verify
}
}13.4 Caddy 返回 502
查看日志:
docker logs --tail=120 caddy常见原因:
1. 后端服务没启动
2. 后端端口写错
3. 后端 HTTP/HTTPS 写反
4. 后端使用自签 HTTPS,但 Caddy 未设置 tls_insecure_skip_verify
5. 后端服务不接受当前 Host13.5 Socket.IO / WebSocket 服务异常
如果日志中出现:
/socket.io/
EOF
status 502Caddy 配置中加入:
header_up Upgrade {http.request.header.Upgrade}
header_up Connection {http.request.header.Connection}
flush_interval -1并检查服务自身配置:
public_url = https://对应域名
trust_proxy = true
ssl = false14. 生产建议
14.1 飞牛管理后台加 Basic Auth
生成密码 hash:
docker run --rm caddy:latest caddy hash-passwordCaddyfile 示例:
nas.example.com {
basicauth {
admin <HASH>
}
reverse_proxy 10.66.66.2:5666
}14.2 数据库不走 Caddy
MySQL 不是 HTTP 协议,不应使用普通 Caddy 反代。
推荐:
MySQL 只走 WireGuard 内网访问
Host: 10.66.66.2
Port: 3306或使用 Adminer/phpMyAdmin 这类 Web 工具,再通过 Caddy 暴露。
15. 最终维护命令
cd /opt/nas-gateway
docker compose ps
docker logs -f caddy
docker compose restart caddy
docker compose pull
docker compose up -d
docker image prune -f