Exposing an Instance to the Internet
In this tutorial, you will learn how to expose a Caido instance to the internet.
DANGER
If Guest Mode is enabled, the Caido instance will be publicly accessible without authentication. For security and confidentiality, make sure Guest Mode is disabled before exposing an instance to the internet.
NOTE
Replace user with your username, example.com with your domain, and user@example.com with your email address. If other processes are already using the ports shown, change the ports accordingly.
Nginx Configuration
- To logically separate the internet-exposed Caido instance from your existing setup, create a new subdomain by adding an A record for caido.example.com that points to the IP address of your server.
- SSH into your server.
- Create a new sites-available file and use the proxy_pass directive to route traffic to Caido:
    sudo nano /etc/nginx/sites-available/caido.example.com

    server {
        server_name caido.example.com;

        location / {
            # Forward requests to the Caido UI, which listens on loopback only
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Plain HTTP only at this point; certbot adds the HTTPS listener later
        listen 80;
        listen [::]:80;
    }
- Make the site available, test the configuration, and reload the web server:
    sudo ln -s /etc/nginx/sites-available/caido.example.com /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl reload nginx
- Obtain an SSL/TLS certificate:
    sudo certbot --nginx -d caido.example.com
- Launch the Caido CLI:
    caido-cli --ui-listen 127.0.0.1:8081 --proxy-listen 127.0.0.1:8082 --ui-domain caido.example.com --debug --no-renderer-sandbox --no-open

Docker
The following Docker Compose file runs two services: the Caido CLI and Traefik.
NOTE
If Nginx or Apache is already running, stop it first so that Traefik can bind ports 80 and 443: sudo systemctl stop nginx or sudo systemctl stop apache
- SSH into your server.
- Install Docker with the Docker Compose plugin.
- Create a docker-compose.yml file with the following content:
    services:
      caido:
        image: caido/caido:latest
        container_name: caido
        ports:
          # Proxy port, published on the host loopback only.
          # The UI port 8081 is not published; Traefik reaches it over the Docker network.
          - "127.0.0.1:8082:8082"
        volumes:
          - /home/user/caido/data/:/home/caido/.local/share/caido
        command: >
          caido-cli
          --no-renderer-sandbox
          --debug
          --no-open
          --ui-listen 0.0.0.0:8081
          --ui-domain example.com
          --proxy-listen 0.0.0.0:8082
        # Guest Mode flag, left commented out so the exposed instance requires authentication
        #--allow-guests
        restart: unless-stopped
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.caido.rule=Host(`example.com`)"
          - "traefik.http.routers.caido.entrypoints=websecure"
          - "traefik.http.routers.caido.tls.certresolver=letsencrypt"
          - "traefik.http.services.caido.loadbalancer.server.port=8081"
      traefik:
        image: traefik:latest
        container_name: traefik
        restart: unless-stopped
        ports:
          - "80:80"
          - "443:443"
        command:
          - "--providers.docker=true"
          # Only containers labelled traefik.enable=true are routed
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.web.address=:80"
          - "--entrypoints.websecure.address=:443"
          # Redirect HTTP → HTTPS
          - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
          - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
          # Let's Encrypt - HTTP challenge (works with standard ports 80/443)
          - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
          - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
          - "--certificatesresolvers.letsencrypt.acme.email=user@example.com"
          - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
        volumes:
          # Traefik discovers containers through the Docker socket. The :ro flag
          # only protects the socket file; it does not restrict Docker API calls.
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./letsencrypt:/letsencrypt
- Create a data storage location for Caido:
    mkdir -p /home/user/caido/data
- Since the container runs as uid=996(caido) gid=996(caido) groups=996(caido), set ownership of the host directory to match:
    sudo chown -R 996:996 /home/user/caido/data
- Make the directory writable:
    sudo chmod 755 /home/user/caido/data
- Then, start the containers to launch Caido and navigate to the domain set with --ui-domain:
    docker compose up

Accessing Caido
Once Caido is running, access the instance at the configured domain and log in to your account.
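
Both setups above rely on two properties: the Caido UI and proxy ports are reachable from the host only over loopback, and Guest Mode is off. The following script is an added example, not part of the Caido documentation, that checks both; the function names are illustrative, the ports are the ones used in this tutorial, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the Caido docs). Function names are illustrative;
# ports 8081 (UI) and 8082 (proxy) are the ones used in this tutorial.

# Read `ss -ltnH` output on stdin and print every listener on a Caido port
# that is not bound to loopback. Returns 1 if any is found, 0 otherwise.
non_loopback_listeners() {
  awk -v ports="${CAIDO_PORTS:-8081 8082}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)       # text after the last ":"
      host = $4; sub(/:[^:]*$/, "", host)   # text before the last ":"
      if (!(port in want)) next
      if (host == "127.0.0.1" || host == "[::1]") next
      print port " listening on " host
      bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# Read launch text on stdin (a `ps -o args=` line or a compose file) and
# return 0 if --allow-guests is active. Text after "#" is treated as a comment,
# so the commented-out flag in the compose file above does not count.
guest_mode_enabled() {
  sed 's/#.*$//' | grep -q -e '--allow-guests'
}

# Constructed sample: the proxy port has leaked onto all interfaces.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8082 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*'

# Constructed sample: tail of the compose command with the flag commented out.
SAMPLE_CMD='--proxy-listen 0.0.0.0:8082
#--allow-guests'

printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners \
  || echo "FAIL: Caido port reachable without the reverse proxy"
if printf '%s\n' "$SAMPLE_CMD" | guest_mode_enabled; then
  echo "FAIL: Guest Mode is enabled"
else
  echo "OK: Guest Mode is disabled"
fi
```

On the server itself, feed the functions live data instead of the samples: ss -ltnH | non_loopback_listeners for the listeners, and the docker-compose.yml file or the running caido-cli command line for guest_mode_enabled.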

