Antonio Mika
·
25 Jan 24
Caddyfile.auth
# Global options.
{
	# On-demand TLS: before issuing a certificate at handshake time, Caddy
	# queries the `ask` endpoint with the requested domain and only proceeds
	# when the endpoint approves it. The :443 catch-all site in this file
	# relies on this check.
	# NOTE(review): the answer from web:3000/check is the only gate on
	# issuance and it travels over plain HTTP -- confirm the endpoint approves
	# known domains only and is reachable solely on the internal network.
	on_demand_tls {
		ask http://web:3000/check
		# Rate limit for on-demand issuance.
		# NOTE(review): recent Caddy releases deprecate interval/burst in
		# favour of relying on `ask` alone -- check against the version in use.
		interval 1m
		burst 10
	}
	# Turn on HTTP metrics collection for the servers.
	servers {
		metrics
	}
}
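# Application site: the apex domain and its direct subdomains. The certificate
# is obtained through the Cloudflare DNS challenge.
*.{$APP_DOMAIN}, {$APP_DOMAIN} {
	reverse_proxy web:3000
	tls {$APP_EMAIL} {
		# The API token is read from the environment, not stored in this file.
		# NOTE(review): scope the token to DNS edits on this one zone.
		dns cloudflare {$CF_API_TOKEN}
		resolvers 1.1.1.1
	}
	encode zstd gzip

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		# NOTE(review): without includeSubDomains each subdomain is pinned to
		# HTTPS only after it has been visited once.
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		# NOTE(review): full URLs (path and query) are still sent to other
		# HTTPS origins; strict-origin-when-cross-origin sends only the origin.
		Referrer-Policy no-referrer-when-downgrade

		# NOTE(review): img-src and style-src accept any origin, and
		# 'unsafe-inline' has no effect in img-src. Narrow both to the hosts
		# the app actually loads from if that is feasible.
		Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"

		# Turn the legacy XSS auditor off. Current browsers no longer ship it,
		# and in the browsers that did, "1; mode=block" could be abused to leak
		# or suppress page content. The CSP above is the XSS control.
		X-XSS-Protection "0"
	}

	# Caddy's own Prometheus metrics, served on the apex host only.
	# NOTE(review): nothing here limits who may fetch this path. Add a
	# remote_ip condition for the scraper's address range to the matcher, or
	# require authentication, so internals are not readable from the internet.
	@caddymetrics {
		host {$APP_DOMAIN}
		path /_caddy/metrics
	}

	metrics @caddymetrics {
		disable_openmetrics
	}

	# Application metrics: /_app/metrics on the apex host is rewritten to
	# /metrics and proxied to ssh:9222.
	# NOTE(review): same exposure as /_caddy/metrics above -- no client
	# restriction is configured.
	@appmetrics {
		host {$APP_DOMAIN}
		path /_app/metrics
	}

	handle @appmetrics {
		rewrite * /metrics
		reverse_proxy ssh:9222
	}
}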
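# pico.sh site: routes auth.pico.sh to the auth service and irc.pico.sh to the
# IRC bouncer, and serves metrics paths. The certificate is obtained through
# the Cloudflare DNS challenge.
*.pico.sh, pico.sh {
	@auth {
		host auth.pico.sh
	}

	@irc {
		host irc.pico.sh
	}

	@ircmetrics {
		host irc.pico.sh
		path /_app/metrics
	}

	# Every OPTIONS request (CORS preflight) on any host of this site is
	# answered with 204 and never reaches an upstream.
	@options {
		method OPTIONS
	}
	respond @options 204

	# Caddy's own Prometheus metrics.
	# NOTE(review): this matcher has no host condition, so the path is served
	# on every host of this site, and nothing limits who may fetch it. Add a
	# remote_ip condition for the scraper's address range, or require
	# authentication.
	@caddymetrics {
		path /_caddy/metrics
	}

	metrics @caddymetrics {
		disable_openmetrics
	}

	reverse_proxy @auth auth-web:3000

	# NOTE(review): tls_insecure_skip_verify turns off certificate checking on
	# the hop to the bouncer, so whatever answers as bouncer:8080 is accepted
	# and the TLS on this leg gives no assurance of who the peer is. Prefer
	# trusting the bouncer's CA explicitly (tls_trust_pool, or
	# tls_trusted_ca_certs on older Caddy releases) together with
	# tls_server_name, then remove this option.
	reverse_proxy @irc https://bouncer:8080 {
		transport http {
			tls_insecure_skip_verify
		}
	}

	# irc.pico.sh/_app/metrics is rewritten to /metrics and proxied to the
	# bouncer's plain-HTTP port.
	# NOTE(review): no client restriction is configured for this path either.
	handle @ircmetrics {
		rewrite * /metrics
		reverse_proxy bouncer:80
	}

	tls {$APP_EMAIL} {
		# The API token is read from the environment, not stored in this file.
		# NOTE(review): scope the token to DNS edits on this one zone.
		dns cloudflare {$CF_API_TOKEN}
		resolvers 1.1.1.1
	}
	encode zstd gzip

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		# NOTE(review): without includeSubDomains each subdomain is pinned to
		# HTTPS only after it has been visited once.
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		# NOTE(review): full URLs (path and query) are still sent to other
		# HTTPS origins; strict-origin-when-cross-origin sends only the origin.
		Referrer-Policy no-referrer-when-downgrade

		# NOTE(review): img-src and style-src accept any origin, and
		# 'unsafe-inline' has no effect in img-src. Narrow both to the hosts
		# the app actually loads from if that is feasible.
		Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"

		# Turn the legacy XSS auditor off. Current browsers no longer ship it,
		# and in the browsers that did, "1; mode=block" could be abused to leak
		# or suppress page content. The CSP above is the XSS control.
		X-XSS-Protection "0"

		# CORS: only https://chat.pico.sh may read responses cross-origin.
		# NOTE(review): this header block applies to every host of the site,
		# auth.pico.sh included -- confirm that is intended.
		Access-Control-Allow-Origin "https://chat.pico.sh"

		# NOTE(review): the "*" wildcard does not cover the Authorization
		# header and is taken literally on credentialed requests; list the
		# headers the chat client actually sends if either case applies.
		Access-Control-Allow-Headers "*"
	}
}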
# Catch-all for any other hostname arriving on port 443 (presumably
# user-supplied custom domains -- confirm). Certificates are obtained on demand
# at handshake time, so the on_demand_tls `ask` endpoint in the global options
# is what stops certificates being requested for arbitrary hostnames pointed
# at this server.
# NOTE(review): unlike the named sites, this site sets no security response
# headers (HSTS, CSP, X-Content-Type-Options, ...) -- confirm the app behind
# web:3000 sets its own for these domains.
:443 {
	reverse_proxy web:3000
	tls {$APP_EMAIL} {
		on_demand
	}
	encode zstd gzip
}