Add Caddy webserver configuration and tutorial on Caddy with Cloudflare DNS in proxy mode

.snippets/webservers/Caddyfile

@@ -0,0 +1,56 @@
+{
+	servers :443 {
+		timeouts {
+			read_body 120s
+		}
+	}
+}
+
+<domain> {
+	root * /var/www/pterodactyl/public
+
+	file_server
+
+	php_fastcgi unix//run/php/php8.1-fpm.sock {
+		root /var/www/pterodactyl/public
+		index index.php
+
+		env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
+		env HTTP_PROXY ""
+		# env HTTPS "on"
+
+		read_timeout 300s
+		dial_timeout 300s
+		write_timeout 300s
+	}
+
+	header Strict-Transport-Security "max-age=16768000; preload;"
+	header X-Content-Type-Options "nosniff"
+	header X-XSS-Protection "1; mode=block;"
+	header X-Robots-Tag "none"
+	header Content-Security-Policy "frame-ancestors 'self'"
+	header X-Frame-Options "DENY"
+	header Referrer-Policy "same-origin"
+
+	request_body {
+		max_size 100m
+	}
+
+	respond /.ht* 403
+
+	log {
+		output file /var/log/caddy/pterodactyl.app-access.log {
+			roll_size 100MiB
+			roll_keep_for 7d
+		}
+		level INFO
+	}
+
+	log {
+		output file /var/log/caddy/pterodcatyl.app-error.log {
+			roll_size 100MiB
+			roll_keep_for 7d
+		}
+		level ERROR
+	}
+}

.snippets/webservers/Caddyfile-nossl

@@ -0,0 +1,56 @@
+{
+	servers :80 {
+		timeouts {
+			read_body 120s
+		}
+	}
+}
+
+http://<domain> {
+	root * /var/www/pterodactyl/public
+
+	file_server
+
+	php_fastcgi unix//run/php/php8.1-fpm.sock {
+		root /var/www/pterodactyl/public
+		index index.php
+
+		env PHP_VALUE "upload_max_filesize = 100M \n post_max_size = 100M"
+		env HTTP_PROXY ""
+		# env HTTPS "on"
+
+		read_timeout 300s
+		dial_timeout 300s
+		write_timeout 300s
+	}
+
+	header Strict-Transport-Security "max-age=16768000; preload;"
+	header X-Content-Type-Options "nosniff"
+	header X-XSS-Protection "1; mode=block;"
+	header X-Robots-Tag "none"
+	header Content-Security-Policy "frame-ancestors 'self'"
+	header X-Frame-Options "DENY"
+	header Referrer-Policy "same-origin"
+
+	request_body {
+		max_size 100m
+	}
+
+	respond /.ht* 403
+
+	log {
+		output file /var/log/caddy/pterodactyl.app-access.log {
+			roll_size 100MiB
+			roll_keep_for 7d
+		}
+		level INFO
+	}
+
+	log {
+		output file /var/log/caddy/pterodcatyl.app-error.log {
+			roll_size 100MiB
+			roll_keep_for 7d
+		}
+		level ERROR
+	}
+}

panel/1.0/webserver_configuration.md

@@ -4,6 +4,10 @@
 When using the SSL configuration you MUST create SSL certificates, otherwise your webserver will fail to start. See the [Creating SSL Certificates](/tutorials/creating_ssl_certificates.html) documentation page to learn how to create these certificates before continuing.
 :::
 
+::: tip
+If you are using [Caddy With Automatic SSL](#caddy-with-automatic-ssl), you do not have to create SSL certificates manually, Caddy will take care of it automatically.
+:::
+
 :::: tabs
 ::: tab "Nginx With SSL"
 First, remove the default NGINX configuration.
@@ -109,6 +113,50 @@ sudo a2enmod rewrite
 sudo systemctl restart apache2
 ```
 
+:::
+::: tab "Caddy With Automatic SSL"
+
+You should paste the contents of the file bellow, replacing `<domain>` with your domain name.
+
+The default config path is `/etc/caddy/Caddyfile`.
+
+<<< @/.snippets/webservers/Caddyfile{9}
+
+::: tip
+If you are using Cloudflare DNS in proxy mode, refer to [this tutorial](/tutorials/creating_ssl_certificates.html#method-3:-caddy-(using-cloudflare-api)), to see how to configure Caddy to use DNS challenge for obtaining SSL certificates.
+:::
+
+### Enabling Configuration
+
+The final step is to validate configuration and restart Caddy.
+
+```bash
+caddy validate --config /etc/caddy/Caddyfile
+
+systemctl restart caddy
+```
+
+:::
+::: tab "Caddy Without SSL"
+
+You should paste the contents of the file bellow, replacing `<domain>` with your domain name.
+
+The default config path is `/etc/caddy/Caddyfile`.
+
+The only two differences are that we have prefixed the `<domain>` with `http://` (or you can use `:80` suffix behind the `<domain>`) and in the global config at `servers` directive, we have changed the port from `:443` to `:80`.
+
+<<< @/.snippets/webservers/Caddyfile-nossl{2,9}
+
+### Enabling Configuration
+
+The final step is to validate configuration and restart Caddy.
+
+```bash
+caddy validate --config /etc/caddy/Caddyfile
+
+systemctl restart caddy
+```
+
 :::
 ::::
 

tutorials/creating_ssl_certificates.md

@@ -139,5 +139,88 @@ After running the script for the first time, it will be added to the crontab aut
 sudo crontab -e
 ```
 
+:::
+::: tab "Method 3: Caddy (using Cloudflare API)"
+This is for advanced users, who are running Cloudflare in proxy mode or do not have access to port `80`.
+
+### Installing Caddy with Cloudflare DNS plugin
+
+Caddy does not come by default with Cloudflare DNS plugin, you need to install it yourself.
+
+There are two main methods:
+
+1. using `xcaddy` - CLI tool to build your own Caddy build
+2. downloading prebuilt binary from [Caddy's download page](https://caddyserver.com/download).
+3. using Ansible to download and install Caddy with plugins. See [caddy-ansible](https://github.com/caddy-ansible/caddy-ansible)
+
+#### Build Caddy using `xcaddy` on your server
+
+Please refer to [Caddy docs on building Caddy](https://caddyserver.com/docs/build#xcaddy).
+
+### Obtaining CloudFlare API Token
+
+After installing acme.sh, we need to fetch a CloudFlare API key. Please make sure that a DNS record (A or CNAME record) is pointing to your target node, and set the cloud to grey (bypassing CloudFlare proxy). Then go to My Profile > API keys and on Global API Key subtab, click on "view", enter your CloudFlare password, and copy the API key to clipboard.
+
+After install Caddy with Cloudflare DNS plugin, we need to fetch a Cloudflare API token. Please make sure that a DNS record (A or CNAME record) is pointing at your target node. Then go to My Profile > API Tokens and on API Tokens click "Create Token". Create API Token > API token templates, at the end of line with "Edit zone DNS", click "Use template". Under **Zone Resources**, select your DNS zone for which you wish to create the API token, click "Continue to summary". Review the API token summary and click "Create Token". And finally copy the API token to clipboard.
+
+### Reconfiguring Caddy to use Cloudflare DNS for obtaining certificates
+
+Create an environment variable file (like `.env`), keep in mind that this file contains secrets and should not be accessed by public.
+
+```bash
+# /etc/caddy/.secrets.env
+CLOUDFLARE_API_TOKEN=<your cloudflare api token>
+```
+
+For security reasons, we recommend setting permissions to `0600` (only owner can read or write to the file).
+
+```bash
+# Set ownership of the `.secrets.env` file to `caddy` system user
+chown caddy:caddy /etc/caddy/.secrets.env
+
+# Set read-write permissions only to owner - the `caddy` system user
+chmod 0600 /etc/caddy/.secrets.env
+```
+
+Modify the systemd unit file, to load environment variables from file (add `--envfile /etc/caddy/.secrets.env` flag to `ExecStart`):
+
+```unit{12}
+# /etc/systemd/system/caddy.service
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --environ --envfile /etc/caddy/.secrets.env --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+```
+
+You can add a `tls` block to your `Caddyfile`, under the `<domain>` block of your panel configuration:
+
+```caddyfile{5-7}
+# /etc/caddy/Caddyfile
+<domain> {
+  # ...
+
+  tls {
+    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+  }
+}
+```
+
 :::
 ::::