Add caddy/Caddyfile

Global settings: Sets an email address, likely for Let's Encrypt certificate notifications. Common security headers (common_security_headers): Defines a reusable block of security-related HTTP headers. Includes headers for HSTS, content type options, frame options, referrer policy, and permissions policy. Removes the default server header. Main domain (speedyweedyops.org) configuration: Imports the common security headers. Enables compression using zstd and gzip. Sets up JSON logging to stdout. Configures caching for static assets (60 days). Sets up a reverse proxy to a Varnish server, including the real IP address in headers. Git subdomain (git.speedyweedyops.org) configuration: Similar to the main domain, but proxies to a Gitea server instead. WWW subdomain redirection: Permanently redirects www.speedyweedyops.org to speedyweedyops.org. Overall, this Caddy configuration sets up a secure web server with two main services (likely a blog and a Git server), along with proper security headers, logging, caching, and compression. It also handles www subdomain redirection and uses Varnish as a caching layer for the main domain.
2024-08-29 13:57:20 +00:00 · 2024-08-29 13:57:20 +00:00 · e8b51e9a30
commit e8b51e9a30
parent bf932e9fbd
1 changed files with 71 additions and 0 deletions
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@ -0,0 +1,71 @@
+{
+    email fake@mail.com
+    # Global options
+}
+
+(common_security_headers) {
+    header {
+        # Security headers
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "DENY"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Permissions-Policy "geolocation=(), microphone=(), camera=()"
+        -Server  # Removes server header
+    }
+}
+
+speedyweedyops.org {
+    import common_security_headers
+
+    # Enable compression
+    encode zstd gzip
+
+    # Logging
+    log {
+        output stdout
+        format json
+    }
+
+    # Cache static assets
+    @static {
+        file
+        path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+    }
+    header @static Cache-Control "public, max-age=5184000" # 60 days
+
+    # Reverse proxy to Varnish
+    reverse_proxy varnish:80 {
+        header_up X-Real-IP {remote}
+    }
+}
+
+git.speedyweedyops.org {
+    import common_security_headers
+
+    # Enable compression
+    encode zstd gzip
+
+    # Logging
+    log {
+        output stdout
+        format json
+    }
+
+    # Cache static assets
+    @static {
+        file
+        path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+    }
+    header @static Cache-Control "public, max-age=5184000" # 60 days
+
+    # Reverse proxy to Varnish
+    reverse_proxy gitea:3000 {
+        header_up X-Real-IP {remote}
+    }
+}
+
+# Redirection from www subdomain to main domain
+www.speedyweedyops.org {
+    redir https://speedyweedyops.org{uri} permanent
+}