# Template: Caddyfile.override # Purpose: Default configuration for custom containers. # Description: # - Serves static files from /srv. # - Provides a /health endpoint for health checks. # - Designed to run behind a reverse proxy like Træfik, listening only on port 80. # - comes with security headers :80 { # Health check endpoint respond /health "OK" 200 # Enable compression for text-based resources encode gzip zstd # MIME type overrides for HLS streaming @m3u8Files { path *.m3u8 } @tsFiles { path *.ts } header @m3u8Files Content-Type "application/vnd.apple.mpegurl" header @tsFiles Content-Type "video/MP2T" # Security headers header { # Cross-Origin headers Cross-Origin-Embedder-Policy "require-corp" Cross-Origin-Opener-Policy "same-origin" Cross-Origin-Resource-Policy "same-origin" # Permissions Policy Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" # Referrer Policy Referrer-Policy "strict-origin-when-cross-origin" # HSTS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Content Type Options X-Content-Type-Options "nosniff" # XSS Protection X-XSS-Protection "1; mode=block" # Frame Options (prevents clickjacking) X-Frame-Options "SAMEORIGIN" # Update CSP to allow media content, scripts, and blob URLs with hashes Content-Security-Policy "default-src 'self'; script-src 'self' blob: 'sha256-ahmIukdQI/ax+3q3Lrjh0Nuqv1/WxkBIGp+vaji6n8w=' 'sha256-qXRIcycfl2OwZL/s1bd83TFw2OcgcMsv1efLB/P3oOs=' 'sha256-SBn8uB66KTUeApEMuYlK6vZG0XcFpXLKlsbXswTKang=' 'sha256-/nvt7GhhWJsKGTVATnlAsNH54uy+pwbcjfx9Z9CT/u0=' 'sha256-rEjWap8xDw9tc9ULmaSD7VQycQasVvSd1OUiH9xKMTM=' 'sha256-9YtzahjQAT4luPVKC0lfwKhhBxWtN3zkQm99EHsc1bk=' 'sha256-PdtHVmWDPYQUs6SFGLloIwo3P4rG5A7ACmYWE1W4Gmk=' 'sha256-ALpx63KUUcf6ky/Teq3GLd+LlD+t+TpXN+bv/1++prU=' 'sha256-llDQiboC1dyoUHsUebHmXSwCs/k0znV6kWogS1Govvs=' 'sha256-zhuCqwglnTqPZ3YumUUbXlmgy3fN4NGHmK+wQzsoQic=' 'sha256-aCakwry3g1c1frt10sPVerFht/3JKT8i7ij3Aoxtsqw=' 'sha256-WE9M5TeJ2Xj1O9eh+0bg7XLyucO5+HCMccMznmiyocw=' 'sha256-FcjCj8HX/odDguAR0bldjsSdXOQMOLnCBKvlLHMZPZI=' 'sha256-tz6nsCI6ZDRK9g0tLDGMU5j9DBRx74XOe8xqaag7D3E=' 'sha256-IsinOLsxFzlWG2kdQIgMjg7l2ebbAaMbWWNSComW7EE=' 'sha256-p92qjinn1HJIBQCKu3QBxLsdKRh4NTdjvCax1ifSpw4=' 'sha256-17JNXqVQbWEbcxlPw9O3wCCa8PEFW9lwv6rOxRzkmXI=' 'sha256-uRkRZZ6nSw2qypQ46ShF3X/DRaPwWezfixlC4pkDuwo=' 'sha256-7bYe3kxYZPs9D4vqScBDsNEjqOw+n8pUFwyFObBKIjw=' 'sha256-IQIGMyVnkPj80HHZ8/Z8ZyxRC5ZPSFiGtTKsUdDqqOs='; style-src 'self' 'sha256-BBl1Pb4QBQZyj2HmRgFr/OhuPRYwV0zoE6G+08FM5TM=' 'sha256-DPggA6+WHJsxuaWoYLnB8XoTcBjKTnq+AmEhXZ2wJfw=' 'sha256-VyDqCue31iv/ickZ+WUp5RF3wMLAGo01mUL0VdbSTc8=' 'sha256-0ZDDv9ptap3zxZW4gGFrmDP9Y5osppDLJj0gRhecFN8=' 'sha256-c9m3RGxNzIy6ShTOIsmAgY77OyuTfgYCG3B2secjHc4=' 'sha256-rweYv4ZmpQ37GLZ2aJrWCpv486xCBOtOb6ngN4dBn8s=' 'sha256-dE50whpmj5sYr02WC5zh9QQNj6tVUQz1eTMmzJh6OU8=' 'sha256-3av5Wckr9yfHOVSXT8j0+EhuI9xI0Jld43e2jilZsro='; img-src 'self' data: blob:; media-src 'self' blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; worker-src 'self' blob:" # Remove Server header -Server } # Cache control for static assets - images, fonts, etc. @staticAssets { path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot method GET HEAD } header @staticAssets Cache-Control "public, max-age=31536000, immutable" header @staticAssets ?Access-Control-Allow-Origin * # Special handling for CSS and JS files @cssAndJs { path *.css *.js method GET HEAD } header @cssAndJs Cache-Control "public, max-age=31536000, immutable" # Cache HTML files but for a shorter period @htmlFiles { path *.html method GET HEAD } header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate" # HLS file handling @hlsFiles { path *.m3u8 *.ts method GET HEAD } header @hlsFiles Cache-Control "public, max-age=300" header @hlsFiles Access-Control-Allow-Origin "*" # Static file server file_server { root /srv # Root directory for serving static files } # Restrict allowed methods to only GET and HEAD @staticRequests { method GET HEAD } handle @staticRequests { root * /srv file_server } # Handle all other methods respond "Method Not Allowed" 405 }