Fix caddy
This commit is contained in:
Maurice
@@ -1,63 +1,54 @@
|
||||
# https://hackviser.com/tactics/hardening/caddy
|
||||
{
|
||||
auto_https disable_redirects
|
||||
auto_https disable_redirects
|
||||
|
||||
# Do not write access logs to journald.
|
||||
log {
|
||||
exclude http.log.access
|
||||
}
|
||||
# Do not write access logs to journald.
|
||||
log {
|
||||
exclude http.log.access
|
||||
}
|
||||
|
||||
# Write access logs to the logs volume in json
|
||||
# format. Only keep logs for the last 30 days.
|
||||
log access {
|
||||
format json
|
||||
output file /data/logs/access.log {
|
||||
roll_keep_for 720h
|
||||
}
|
||||
}
|
||||
# Write access logs to the logs volume in JSON format. Only keep logs for the last 30 days.
|
||||
log access {
|
||||
format json
|
||||
output file /data/logs/access.log {
|
||||
roll_keep_for 720h
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Block with default http config that accepts requests on
|
||||
# fd/3 and redirects to https.
|
||||
# Block with default HTTP config that redirects to HTTPS
|
||||
(https-redir) {
|
||||
bind fd/3 {
|
||||
protocols h1
|
||||
}
|
||||
redir https://{host}{uri} 308
|
||||
bind *:80 # Listen on port 80 (HTTP)
|
||||
protocols h1 h2 # Enable HTTP/1 and HTTP/2
|
||||
redir https://{host}{uri} 308
|
||||
}
|
||||
|
||||
# Block with default https config that accepts requests on
|
||||
# fd/4 and fdgram/5.
|
||||
# Block with default HTTPS config that accepts requests on port 443 (HTTP/1, HTTP/2, and HTTP/3)
|
||||
(https) {
|
||||
bind fd/4 {
|
||||
protocols h1 h2
|
||||
}
|
||||
bind fdgram/5 {
|
||||
protocols h3
|
||||
}
|
||||
bind *:443 # Listen on port 443 (HTTPS)
|
||||
protocols h1 h2 h3 # Enable HTTP/1, HTTP/2, and HTTP/3 (QUIC)
|
||||
}
|
||||
|
||||
# Block with compression configuration.
|
||||
(compression) {
|
||||
encode zstd gzip
|
||||
encode zstd gzip
|
||||
}
|
||||
|
||||
# Block with headers that should be used by most
|
||||
# sites. Add HSTS and some other security headers.
|
||||
# Block with headers that should be used by most sites. Add HSTS and other security headers.
|
||||
# Remove the server header because without it caddy
|
||||
# leaks the backend server version.
|
||||
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
|
||||
# https://scotthelme.co.uk/content-security-policy-an-introduction/
|
||||
(default-headers) {
|
||||
header {
|
||||
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options sameorigin
|
||||
Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
|
||||
Referrer-Policy: same-origin
|
||||
-Server
|
||||
-X-Powered-By
|
||||
}
|
||||
header {
|
||||
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options sameorigin
|
||||
Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
|
||||
Referrer-Policy: same-origin
|
||||
-Server
|
||||
-X-Powered-By
|
||||
}
|
||||
}
|
||||
|
||||
import *.caddy
|
||||
|
||||
Reference in New Issue
Block a user