Passbolt setup with caddy

I would like to install passbolt very simply.

At the moment, I have to additionally configure traefik following https://www.passbolt.com/docs/hosting/configure/https/ce/docker-auto/.

For me, this looks very complicated with a lot of lines to configure.

Could you provide official setup documentation with caddy?

What I expect is something like this:

CaddyFile

passbolt.my-domain.com {
reverse_proxy passbolt
}

and a full, complete docker-compose.yml with caddy and passbolt, ready for copy & paste.

Hi :waving_hand:

version: "3.8"

services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    # no ports published: caddy reaches passbolt:80 over the default compose network
    environment:
      APP_FULL_BASE_URL: https://passbolt.my-domain.com
      DATASOURCES_DEFAULT_HOST: mariadb
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: secret
      DATASOURCES_DEFAULT_DATABASE: passboltdb

      EMAIL_DEFAULT_FROM: your-email@gmail.com
      EMAIL_TRANSPORT_DEFAULT_HOST: smtp.gmail.com
      EMAIL_TRANSPORT_DEFAULT_PORT: 587
      EMAIL_TRANSPORT_DEFAULT_USERNAME: your-email@gmail.com
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: your-app-password
      # quoted: environment values must be strings, a bare YAML boolean is rejected by compose
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"

      # Optional (for logging/timezone)
      TZ: Europe/Paris
    volumes:
      - gpg:/etc/passbolt/gpg
      - jwt:/etc/passbolt/jwt
    depends_on:
      - mariadb

  mariadb:
    image: mariadb:10.6
    container_name: mariadb
    environment:
      MYSQL_ROOT_PASSWORD: supersecret
      # must match the DATASOURCES_DEFAULT_* values of the passbolt service
      MYSQL_DATABASE: passboltdb
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: secret
    volumes:
      - db_data:/var/lib/mysql

  caddy:
    image: caddy:2
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

volumes:
  db_data:
  gpg:
  jwt:
  caddy_data:
  caddy_config:

Next to your docker-compose.yml, create a Caddyfile with this content:

passbolt.my-domain.com {
  reverse_proxy passbolt:80
}

Can you try and let us know?

Cheers,
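The two files above only work together when they agree on the host name, the upstream service name and the database credentials. The following script is an added example (not code from the thread or from Passbolt) that cross-checks a docker-compose.yml against a Caddyfile with the standard library only; the embedded sample contents are constructed from the snippets posted above.

```python
"""Cross-check a Passbolt docker-compose.yml against its Caddyfile (added example)."""
import re
from urllib.parse import urlparse

# Placeholder credentials that must not survive into a real deployment.
PLACEHOLDERS = {"secret", "supersecret", "your-app-password", "changeme"}

# Constructed sample input, abridged from the compose file and Caddyfile in the thread.
COMPOSE = """\
services:
  passbolt:
    environment:
      APP_FULL_BASE_URL: https://passbolt.my-domain.com
      DATASOURCES_DEFAULT_HOST: mariadb
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: secret
      DATASOURCES_DEFAULT_DATABASE: passboltdb
  mariadb:
    environment:
      MYSQL_DATABASE: passboltdb
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: secret
  caddy:
"""
CADDYFILE = "passbolt.my-domain.com {\n  reverse_proxy passbolt:80\n}\n"

def parse_compose(text):
    """Return (service names, {VAR: value}) by a line scan; no PyYAML needed."""
    services, env = [], {}
    for line in text.splitlines():
        if (m := re.match(r"^  ([\w-]+):\s*$", line)):        # 2-space indent = service
            services.append(m.group(1))
        if (m := re.match(r"^\s+([A-Z][A-Z0-9_]+):\s*(.+?)\s*$", line)):
            env[m.group(1)] = m.group(2).strip("\"'")
    return services, env

def parse_caddyfile(text):
    """Return (site address, upstream host) from a single-site Caddyfile."""
    site = re.search(r"^(\S+)\s*\{", text, re.M).group(1)
    upstream = re.search(r"reverse_proxy\s+(\S+)", text).group(1)
    return site, upstream.split(":")[0]

def check(compose, caddyfile):
    """Return a list of human-readable findings; empty means the files agree."""
    services, env = parse_compose(compose)
    site, upstream = parse_caddyfile(caddyfile)
    problems = []
    if urlparse(env.get("APP_FULL_BASE_URL", "")).hostname != site:
        problems.append("APP_FULL_BASE_URL host does not match the Caddyfile site address")
    if upstream not in services:
        problems.append(f"reverse_proxy upstream {upstream!r} is not a compose service")
    if env.get("DATASOURCES_DEFAULT_HOST") not in services:
        problems.append("DATASOURCES_DEFAULT_HOST is not a compose service")
    for a, b in [("DATASOURCES_DEFAULT_USERNAME", "MYSQL_USER"),
                 ("DATASOURCES_DEFAULT_PASSWORD", "MYSQL_PASSWORD"),
                 ("DATASOURCES_DEFAULT_DATABASE", "MYSQL_DATABASE")]:
        if env.get(a) != env.get(b):
            problems.append(f"{a} and {b} differ")
    for key, value in env.items():
        if "PASSWORD" in key and value.lower() in PLACEHOLDERS:
            problems.append(f"{key} still carries the placeholder value {value!r}")
    return problems
```

Running `check(COMPOSE, CADDYFILE)` on the sample reports only the two placeholder passwords; a Caddyfile for a different host or upstream adds a mismatch finding for each.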

Thank you, this works

So the tutorial is:

  • download docker-compose.yml
  • configure Caddyfile
  • docker-compose up -d

Create a user:

docker compose -f docker-compose-ce.yaml \
  exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u YOUR_EMAIL \
    -f YOUR_NAME \
    -l YOUR_LASTNAME \
    -r admin" -s /bin/sh www-data

Maybe you can add this simple tutorial to your getting started guide.

Thank you for the feedback. You are right, this setup is so much easier than the traefik one and error-proof.

Maybe passbolt team can double-check and replace traefik setup with caddy.

I have to agree with @AnatomicJC, combining Caddy and Passbolt (both under Docker) is really elegant and convenient. Many thanks for sharing your thoughts and a suggested setup on this!

I have a question about extending this Caddy reverse proxy setup to include OAuth authorisation (e.g. using the popular github.com/greenpau/caddy-security module/plugin).

If the Caddyfile entry were extended to include an authorize statement prior to reverse_proxy, e.g.:

{
  order authenticate before respond
  order authorize before basicauth

  security {
    ...
  }
}

passbolt.my-domain.com {
  authorize with mypolicy
  reverse_proxy passbolt:80
}

… what would the implications be for Passbolt browser extensions, mobile and desktop apps etc.? Would they try, but fail, to connect because they wouldn’t be granted an access token without interaction with the OAuth step? I assume this would look like a lot of failures on the Caddy logs, which could trigger bouncer (e.g. CrowdSec) remediation/blocking.

Is including an OAuth step within Caddy simply not possible?

Many thanks