# Reusable response-header baseline. Site blocks pull it in with
# `import common_security_headers`; a site that needs a different value for
# one of these fields sets it in its own `header` block instead.
(common_security_headers) {
    header {
        # Strip server-fingerprinting headers from every response.
        # NOTE(review): confirm the `-` deletions also cover headers set by
        # upstreams behind reverse_proxy in the Caddy version in use.
        -Server
        -X-Powered-By
        # One-year HSTS, extended to subdomains.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Prevent MIME sniffing of served or proxied bodies.
        X-Content-Type-Options "nosniff"
        # Sites that need another referrer policy override this (see the frontend block).
        Referrer-Policy "no-referrer"
    }
}
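# Backend API (FLASK)
# Site address aligned with the https://api.<yourDomain> references used in the
# CORS and CSP values below; the earlier `api.<yourDomain>.de` did not match them.
api.<yourDomain> {
    # Reverse proxy to the backend docker container.
    # Caddy applies directives in its built-in order, not textual order, so the
    # `header` and `respond` handlers below run before `reverse_proxy`.
    reverse_proxy api:8080

    # CORS preflight: answered here with 204, never forwarded to the backend.
    @cors_preflight {
        method OPTIONS
    }
    respond @cors_preflight 204

    import common_security_headers

    # CORS is granted only to the two first-party origins. A request carrying
    # any other Origin receives no Access-Control-* headers, so the browser
    # refuses it; the credentials flag is safe only because the allowed origin
    # is always a fixed value, never an echo of the request.
    @from_frontend header Origin https://<yourDomain>
    @from_admin header Origin https://admin.<yourDomain>
    header @from_frontend {
        Access-Control-Allow-Origin https://<yourDomain>
        Access-Control-Allow-Methods GET,POST,OPTIONS,HEAD,PATCH,PUT,DELETE
        Access-Control-Allow-Headers User-Agent,Content-Type,Authorization
        Access-Control-Allow-Credentials true
        Access-Control-Max-Age 86400
        # The response differs per Origin; tell caches so a copy produced for
        # one origin is not served to the other.
        +Vary Origin
    }
    header @from_admin {
        Access-Control-Allow-Origin https://admin.<yourDomain>
        Access-Control-Allow-Methods GET,POST,OPTIONS,HEAD,PATCH,PUT,DELETE
        Access-Control-Allow-Headers User-Agent,Content-Type,Authorization
        Access-Control-Allow-Credentials true
        Access-Control-Max-Age 86400
        +Vary Origin
    }
}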
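# Backend Admin
admin.<yourDomain> {
    # basic_auth compares against a bcrypt hash, not a plaintext password.
    # Generate the value with `caddy hash-password` and paste its output here;
    # the placeholder below must be replaced before this file is used.
    basic_auth {
        yourUsername <bcrypt-hash-from-caddy-hash-password>
    }

    # Reverse proxy to the backend docker container
    reverse_proxy admin:4001

    import common_security_headers
    header {
        # NOTE: 'unsafe-inline' and 'unsafe-eval' in script-src remove most of
        # the XSS protection this policy would otherwise give; tighten once the
        # admin app can run without them.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; frame-ancestors 'none'; object-src 'none'; base-uri 'none'; connect-src 'self' https://api.<yourDomain> data:;"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"
    }

    # Access log to stdout (picked up by the container runtime).
    log {
        output stdout
    }
}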
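# Frontend app (React)
<yourDomain> {
    # Static SPA: unknown paths fall back to index.html for client-side routing.
    root * /srv/frontend
    try_files {path} /index.html
    file_server

    # This block does not import common_security_headers because it uses a
    # different Referrer-Policy; the shared fields are repeated explicitly.
    header {
        -Server
        -X-Powered-By
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Permitted-Cross-Domain-Policies "none"
        Cross-Origin-Embedder-Policy "require-corp"
        Cross-Origin-Opener-Policy "same-origin"
        Cross-Origin-Resource-Policy "same-origin"
        # Fixed: the value was missing its closing quote and the separator
        # before `unload`, which breaks Caddyfile parsing of this block.
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=(self)"
        # NOTE: 'unsafe-eval' in script-src weakens this policy; drop it if the
        # bundle can run without eval.
        Content-Security-Policy "default-src 'self'; connect-src 'self' https://api.<yourDomain> wss://api.<yourDomain> data:; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests; img-src 'self' data:; script-src 'self' 'unsafe-eval'"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}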
# Documentation
docs.<yourDomain> {
    # Static site build; directory requests resolve to their index.html,
    # anything else falls back to the root index.html.
    root * /srv/documentation/dist
    try_files {path} {path}/index.html /index.html
    file_server

    import common_security_headers
    header {
        X-Permitted-Cross-Domain-Policies "none"
        Cross-Origin-Embedder-Policy "require-corp"
        Cross-Origin-Opener-Policy "same-origin"
        Cross-Origin-Resource-Policy "same-origin"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"
        # NOTE: 'unsafe-eval' in script-src weakens this policy; a static docs
        # site should normally not need it.
        Content-Security-Policy "default-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests; img-src 'self' data:; script-src 'self' 'unsafe-eval'"
    }
}