Initial commit

2025-08-20 17:11:32 +02:00
commit 8c2f438749
21 changed files with 392 additions and 0 deletions
--- a/services/caddy/config/Caddyfile
+++ b/services/caddy/config/Caddyfile
@@ -0,0 +1,62 @@
+# https://hackviser.com/tactics/hardening/caddy
+{
+	auto_https disable_redirects
+
+	# Do not write access logs to journald.
+	log {
+		exclude http.log.access
+	}
+
+	# Write access logs to the logs volume in json
+	# format. Only keep logs for the last 30 days.
+	log access {
+		format json
+		output file /data/logs/access.log {
+			roll_keep_for 720h
+		}
+	}
+}
+
+# Block with default http config that accepts requests on
+# fd/3 and redirects to https.
+(https-redir) {
+	bind fd/3 {
+		protocols h1
+	}
+	redir https://{host}{uri} 308
+}
+
+# Block with default https config that accepts requests on
+# fd/4 and fdgram/5.
+(https) {
+	bind fd/4 {
+		protocols h1 h2
+	}
+	bind fdgram/5 {
+		protocols h3
+	}
+}
+
+# Block with compression configuration.
+(compression) {
+	encode zstd gzip
+}
+
+# Block with headers that should be used by most
+# sites. Add HSTS and some other security headers.
+# Remove the server header because without it caddy
+# leaks the backend server version.
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://scotthelme.co.uk/content-security-policy-an-introduction/
+(default-headers) {
+	header {
+		Strict-Transport-Security max-age=31536000; includeSubDomains; preload
+		X-Content-Type-Options nosniff
+		X-Frame-Options sameorigin
+		Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
+		Referrer-Policy: same-origin
+		-Server
+	}
+}
+
+import *.caddy