first add

server/caddy/Caddyfile

@@ -0,0 +1,54 @@
+{
+    email {env.ACME_EMAIL}
+    # 如果你想强制使用 Cloudflare/阿里云 DNS 验证，可在每个站点 tls 块中指定 `dns`。
+}
+
+# 主站点（HTTPS 复用 443；/ray 提供 VLESS-WS 反代）
+molecular.eu.org {
+    log {
+        output stdout
+        format console
+    }
+    # 若你需要 http->https 强制跳转，可加：
+    # redir https://<YOUR_DOMAIN>{uri} permanent
+
+    encode zstd gzip
+
+    @vless_ws path /ray /ray/*
+    handle @vless_ws {
+        reverse_proxy v2ray:10000 {
+            header_up -Origin
+        }
+    }
+
+    # VLESS gRPC over h2c at /grpc
+    @vless_grpc path /grpc /grpc/*
+    handle @vless_grpc {
+        reverse_proxy {
+            transport http {
+                versions h2c
+            }
+            to v2ray:10001
+        }
+    }
+
+    # 健康检查
+    handle_path /_health* {
+        respond 200
+    }
+
+    # 静态站点或你的网站反代
+    handle {
+        root * /usr/src/www
+        file_server
+    }
+
+    # 证书：可根据你的 DNS 服务商二选一（或只保留其一）
+    tls {
+        dns cloudflare {env.CF_API_TOKEN}
+        #dns alidns {
+        #    access_key_id {env.ALIYUN_ACCESS_KEY_ID}
+        #    access_key_secret {env.ALIYUN_ACCESS_KEY_SECRET}
+        #}
+    }
+}

server/caddy/env/caddy.env

@@ -0,0 +1,10 @@
+# ===== Caddy / ACME / DNS (Cloudflare) =====
+# 用于在 Let's Encrypt/ZeroSSL 注册证书的邮箱
+ACME_EMAIL=pylyzeng@gmail.com
+
+# 你的站点域名（当前 Caddyfile 已直接写死为 molecular.eu.org，此变量仅作记录）
+DOMAIN=molecular.eu.org
+
+# Cloudflare API Token（至少授予：Zone:Read 与 Zone:DNS:Edit）
+# 在 Caddyfile 中通过 {env.CF_API_TOKEN} 使用
+CF_API_TOKEN=ofvUY4Wo9-VN__AMglXHf8fVM1xtBRFfGN_Bsd-C

server/caddy/env/caddy.env.example

@@ -0,0 +1,14 @@
+# ===== Caddy / ACME / DNS =====
+ACME_EMAIL=<ACME_EMAIL>
+DOMAIN=<YOUR_DOMAIN>
+
+# Cloudflare (可选其一)
+CLOUDFLARE_API_TOKEN=<CLOUDFLARE_API_TOKEN>
+CF_API_TOKEN=<CLOUDFLARE_API_TOKEN>
+
+# 阿里云 (可选其一)
+ALIYUN_ACCESS_KEY_ID=<ALIYUN_ACCESS_KEY_ID>
+ALIYUN_ACCESS_KEY_SECRET=<ALIYUN_ACCESS_KEY_SECRET>
+
+# (L4 模式可选) 指定需要直达 L4 转发的 SNI
+DERPER_HOST=<DERPER_HOSTNAME>

server/caddy/l4.json

@@ -0,0 +1,73 @@
+{
+  "apps": {
+    "layer4": {
+      "servers": {
+        "tcp80": {
+          "listen": [
+            "tcp/:80"
+          ],
+          "routes": [
+            {
+              "handle": [
+                {
+                  "handler": "proxy",
+                  "upstreams": [
+                    {
+                      "dial": [
+                        "caddy-http:80"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        "tcp443": {
+          "listen": [
+            "tcp/:443"
+          ],
+          "routes": [
+            {
+              "match": [
+                {
+                  "tls": {
+                    "sni": [
+                      "<DERPER_HOSTNAME>"
+                    ]
+                  }
+                }
+              ],
+              "handle": [
+                {
+                  "handler": "proxy",
+                  "upstreams": [
+                    {
+                      "dial": [
+                        "derper:443"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "handle": [
+                {
+                  "handler": "proxy",
+                  "upstreams": [
+                    {
+                      "dial": [
+                        "caddy-http:8443"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+  }
+}

server/caddy/site/index.html

@@ -0,0 +1,3 @@
+<!doctype html>
+<html><head><meta charset="utf-8"><title>OK</title></head>
+<body><h1>It works.</h1><p>HTTPS is up. VLESS-WS is on <code>/ray</code>.</p></body></html>