From e8b51e9a30fd25b28c00d834a153d8aeefef7226 Mon Sep 17 00:00:00 2001
From: igovnow
Date: Thu, 29 Aug 2024 13:57:20 +0000
Subject: [PATCH] Add caddy/Caddyfile

Global settings: Sets an email address, likely for Let's Encrypt certificate notifications. Common security headers (common_security_headers): Defines a reusable block of security-related HTTP headers. Includes headers for HSTS, content type options, frame options, referrer policy, and permissions policy. Removes the default server header. Main domain (speedyweedyops.org) configuration: Imports the common security headers. Enables compression using zstd and gzip. Sets up JSON logging to stdout. Configures caching for static assets (60 days). Sets up a reverse proxy to a Varnish server, including the real IP address in headers. Git subdomain (git.speedyweedyops.org) configuration: Similar to the main domain, but proxies to a Gitea server instead. WWW subdomain redirection: Permanently redirects www.speedyweedyops.org to speedyweedyops.org. Overall, this Caddy configuration sets up a secure web server with two main services (likely a blog and a Git server), along with proper security headers, logging, caching, and compression. It also handles www subdomain redirection and uses Varnish as a caching layer for the main domain.

---
 caddy/Caddyfile | 71 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 caddy/Caddyfile

diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..27665ce
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,71 @@
+{
+ email fake@mail.com
+ # Global options
+}
+
+(common_security_headers) {
+ header {
+ # Security headers
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ Permissions-Policy "geolocation=(), microphone=(), camera=()"
+ -Server # Removes server header
+ }
+}
+
+speedyweedyops.org {
+ import common_security_headers
+
+ # Enable compression
+ encode zstd gzip
+
+ # Logging
+ log {
+ output stdout
+ format json
+ }
+
+ # Cache static assets
+ @static {
+ file
+ path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+ }
+ header @static Cache-Control "public, max-age=5184000" # 60 days
+
+ # Reverse proxy to Varnish
+ reverse_proxy varnish:80 {
+ header_up X-Real-IP {remote}
+ }
+}
+
+git.speedyweedyops.org {
+ import common_security_headers
+
+ # Enable compression
+ encode zstd gzip
+
+ # Logging
+ log {
+ output stdout
+ format json
+ }
+
+ # Cache static assets
+ @static {
+ file
+ path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+ }
+ header @static Cache-Control "public, max-age=5184000" # 60 days
+
+ # Reverse proxy to Varnish
+ reverse_proxy gitea:3000 {
+ header_up X-Real-IP {remote}
+ }
+}
+
+# Redirection from www subdomain to main domain
+www.speedyweedyops.org {
+ redir https://speedyweedyops.org{uri} permanent
+}
\ No newline at end of file
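Review bot: `header_up X-Real-IP {remote}` in both reverse_proxy blocks (varnish:80 and gitea:3000) forwards the client address together with its port, because Caddy's `{remote}` placeholder is the full IP:port pair; an upstream that parses X-Real-IP as an address will see a malformed value or fall back to the proxy's own address, which matters for access logs and per-client limits on the Gitea side. The IP-only placeholder is what is wanted here: `header_up X-Real-IP {remote_host}`. Separately, the `@static` matcher combines `file` with `path` but no `root` is declared, so the `file` matcher checks for those assets on Caddy's own disk (the working directory by default) rather than on the proxied backend; as written it looks unlikely to ever match, so the 60-day Cache-Control header is presumably never emitted, and a `path`-only matcher would apply it by extension regardless. Also, `email fake@mail.com` is the ACME account contact where certificate-expiry notices would be delivered, so a monitored address is worth using before this goes live.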