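# Template: Caddyfile.override
# Purpose: Default configuration for custom containers.
# Description:
# - Serves static files from /srv.
# - Provides a /health endpoint for health checks.
# - Designed to run behind a reverse proxy like Træfik, listening only on port 80.
# - Comes with security headers.
#
# Notes for operators:
# - Caddy does not apply this config in file order: directives run in Caddy's
#   default directive order (header/encode -> handle -> respond -> file_server).
#   Request routing therefore lives in `handle` blocks, which are evaluated in
#   the order they appear and are mutually exclusive.
# - Only port 80 is served. TLS termination, HTTP->HTTPS redirects and any
#   client IP handling are the reverse proxy's job.

:80 {
	# Enable compression for text-based resources.
	encode gzip zstd

	# MIME type overrides for HLS streaming.
	# Set before the file server runs so the file server keeps the pre-set
	# Content-Type instead of guessing from the extension. Note that *.ts
	# also matches TypeScript sources if any are ever placed under /srv.
	@m3u8Files {
		path *.m3u8
	}
	@tsFiles {
		path *.ts
	}
	header @m3u8Files Content-Type "application/vnd.apple.mpegurl"
	header @tsFiles Content-Type "video/MP2T"

	# Security headers (applied to every response, including /health and 405s).
	header {
		# Cross-Origin isolation headers.
		# CORP "same-origin" blocks cross-origin no-cors embedding (e.g. <img>
		# or <video> from another site); CORS-mode fetches (HLS players, fonts
		# loaded with crossorigin) are governed by the ACAO headers below.
		# Loosen CORP if assets must be embeddable from other origins.
		Cross-Origin-Embedder-Policy "require-corp"
		Cross-Origin-Opener-Policy "same-origin"
		Cross-Origin-Resource-Policy "same-origin"

		# Permissions Policy: disable sensitive device APIs and FLoC.
		Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"

		# Referrer Policy.
		Referrer-Policy "strict-origin-when-cross-origin"

		# HSTS. Browsers ignore this header on plain-HTTP responses; it only
		# takes effect when the upstream proxy terminates TLS and forwards it.
		# `preload` is deliberately not set here: it commits the domain and all
		# subdomains to HTTPS-only in browser preload lists and cannot be
		# undone quickly, so enable it explicitly per deployment if wanted.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"

		# Content Type Options: forbid MIME sniffing.
		X-Content-Type-Options "nosniff"

		# XSS Protection: explicitly disabled. The legacy browser filter
		# ("1; mode=block") is removed from modern browsers and introduced
		# cross-site leaks in old ones; "0" is the value recommended today.
		# Script injection is controlled by the CSP below instead.
		X-XSS-Protection "0"

		# Frame Options (prevents clickjacking in browsers without CSP
		# frame-ancestors support). DENY matches `frame-ancestors 'none'`
		# below; the previous SAMEORIGIN value allowed same-origin framing
		# in legacy browsers while CSP forbade it everywhere else.
		X-Frame-Options "DENY"

		# Content Security Policy: self-hosted assets plus hash-allowlisted
		# inline scripts and styles, blob: for media/workers, no framing.
		# The sha256 values pin specific inline script/style bodies and must
		# be regenerated whenever those inline blocks change, otherwise the
		# browser blocks them.
		Content-Security-Policy "default-src 'self'; script-src 'self' blob: 'sha256-ahmIukdQI/ax+3q3Lrjh0Nuqv1/WxkBIGp+vaji6n8w=' 'sha256-qXRIcycfl2OwZL/s1bd83TFw2OcgcMsv1efLB/P3oOs=' 'sha256-SBn8uB66KTUeApEMuYlK6vZG0XcFpXLKlsbXswTKang=' 'sha256-/nvt7GhhWJsKGTVATnlAsNH54uy+pwbcjfx9Z9CT/u0=' 'sha256-rEjWap8xDw9tc9ULmaSD7VQycQasVvSd1OUiH9xKMTM=' 'sha256-9YtzahjQAT4luPVKC0lfwKhhBxWtN3zkQm99EHsc1bk=' 'sha256-PdtHVmWDPYQUs6SFGLloIwo3P4rG5A7ACmYWE1W4Gmk=' 'sha256-ALpx63KUUcf6ky/Teq3GLd+LlD+t+TpXN+bv/1++prU=' 'sha256-llDQiboC1dyoUHsUebHmXSwCs/k0znV6kWogS1Govvs=' 'sha256-zhuCqwglnTqPZ3YumUUbXlmgy3fN4NGHmK+wQzsoQic=' 'sha256-aCakwry3g1c1frt10sPVerFht/3JKT8i7ij3Aoxtsqw=' 'sha256-WE9M5TeJ2Xj1O9eh+0bg7XLyucO5+HCMccMznmiyocw=' 'sha256-FcjCj8HX/odDguAR0bldjsSdXOQMOLnCBKvlLHMZPZI=' 'sha256-tz6nsCI6ZDRK9g0tLDGMU5j9DBRx74XOe8xqaag7D3E=' 'sha256-IsinOLsxFzlWG2kdQIgMjg7l2ebbAaMbWWNSComW7EE=' 'sha256-p92qjinn1HJIBQCKu3QBxLsdKRh4NTdjvCax1ifSpw4=' 'sha256-17JNXqVQbWEbcxlPw9O3wCCa8PEFW9lwv6rOxRzkmXI=' 'sha256-uRkRZZ6nSw2qypQ46ShF3X/DRaPwWezfixlC4pkDuwo=' 'sha256-7bYe3kxYZPs9D4vqScBDsNEjqOw+n8pUFwyFObBKIjw=' 'sha256-IQIGMyVnkPj80HHZ8/Z8ZyxRC5ZPSFiGtTKsUdDqqOs='; style-src 'self' 'sha256-BBl1Pb4QBQZyj2HmRgFr/OhuPRYwV0zoE6G+08FM5TM=' 'sha256-DPggA6+WHJsxuaWoYLnB8XoTcBjKTnq+AmEhXZ2wJfw=' 'sha256-VyDqCue31iv/ickZ+WUp5RF3wMLAGo01mUL0VdbSTc8=' 'sha256-0ZDDv9ptap3zxZW4gGFrmDP9Y5osppDLJj0gRhecFN8=' 'sha256-c9m3RGxNzIy6ShTOIsmAgY77OyuTfgYCG3B2secjHc4=' 'sha256-rweYv4ZmpQ37GLZ2aJrWCpv486xCBOtOb6ngN4dBn8s=' 'sha256-dE50whpmj5sYr02WC5zh9QQNj6tVUQz1eTMmzJh6OU8=' 'sha256-3av5Wckr9yfHOVSXT8j0+EhuI9xI0Jld43e2jilZsro='; img-src 'self' data: blob:; media-src 'self' blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; worker-src 'self' blob:"

		# Remove the Server header (no software/version disclosure).
		-Server
	}

	# Cache control for static assets - images, fonts, etc.
	# `immutable` with a one-year max-age is only correct when file names are
	# content-hashed; otherwise clients keep stale copies until expiry.
	@staticAssets {
		path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot
		method GET HEAD
	}
	header @staticAssets Cache-Control "public, max-age=31536000, immutable"
	# `?` sets the header only if it is not already present. Wildcard CORS is
	# acceptable here because these are public, unauthenticated assets and
	# fonts need it to load cross-origin.
	header @staticAssets ?Access-Control-Allow-Origin *

	# Special handling for CSS and JS files (same content-hashing caveat).
	@cssAndJs {
		path *.css *.js
		method GET HEAD
	}
	header @cssAndJs Cache-Control "public, max-age=31536000, immutable"

	# Cache HTML files but for a shorter period.
	@htmlFiles {
		path *.html
		method GET HEAD
	}
	header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate"

	# HLS file handling: short cache so playlist updates propagate.
	@hlsFiles {
		path *.m3u8 *.ts
		method GET HEAD
	}
	header @hlsFiles Cache-Control "public, max-age=300"
	header @hlsFiles Access-Control-Allow-Origin "*"

	# Health check endpoint.
	# Kept in its own `handle` block, placed first: Caddy runs `handle` before
	# `respond`, so a bare `respond /health "OK" 200` would be shadowed by the
	# static-file handler below and GET /health would return 404 unless a
	# file named /srv/health happened to exist.
	@health {
		path /health
		method GET HEAD
	}
	handle @health {
		respond "OK" 200
	}

	# Static file server: only GET and HEAD are allowed to reach the
	# filesystem. (A previous top-level `file_server { root /srv }` outside
	# any handle block was unreachable because the unconditional 405 response
	# ran first, so it has been dropped rather than duplicated.)
	@staticRequests {
		method GET HEAD
	}
	handle @staticRequests {
		root * /srv
		file_server
	}

	# Handle all other methods. RFC 9110 requires a 405 response to carry an
	# Allow header listing the methods the resource supports.
	handle {
		header Allow "GET, HEAD"
		respond "Method Not Allowed" 405
	}
}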