-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathCaddyfile
More file actions
80 lines (73 loc) · 2.48 KB
/
Caddyfile
File metadata and controls
80 lines (73 loc) · 2.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
{
email {$EMAIL}
}
{$APP_DOMAIN} {
encode gzip zstd
log {
output file /data/access.log
}
# --- API ---
handle /api/v1/* {
header {
-Server
-X-Powered-By
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=()"
X-Frame-Options "SAMEORIGIN"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Content-Security-Policy "default-src 'none'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; form-action 'none';"
}
reverse_proxy server:3001
}
# --- pgAdmin (только для администрирования) ---
handle /pgadmin* {
# Базовая аутентификация для дополнительной защиты
basicauth {
admin {$ADMIN_PASSWORD_HASH}
}
header {
-Server
-X-Powered-By
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
X-Frame-Options "SAMEORIGIN"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Запрет индексации поисковиками
X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"
}
reverse_proxy pgadmin:80 {
header_up X-Script-Name /pgadmin
header_up X-Forwarded-Prefix /pgadmin
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Host {host}
}
}
# --- Статические ресурсы (прямая отдача) ---
handle /assets/* {
header {
-Server
-X-Powered-By
Cache-Control "public, max-age=31536000, immutable"
X-Content-Type-Options "nosniff"
}
root * /var/www/static
uri strip_prefix /assets
file_server
}
# --- Клиент ---
handle {
header {
-Server
-X-Powered-By
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=()"
X-Frame-Options "SAMEORIGIN"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; img-src 'self' data: blob: https:; font-src 'self' data:; media-src 'self' blob:; worker-src 'self' blob:; manifest-src 'self'; connect-src 'self' https://{$APP_DOMAIN} wss://{$APP_DOMAIN}; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';"
}
reverse_proxy client:3000
}
}