# Template: Caddyfile.override
# Purpose: Default configuration for custom containers.
# Description:
# - Serves static files from /srv.
# - Provides a /health endpoint for health checks.
# - Designed to run behind a reverse proxy like Træfik, listening only on port 80.
# - Sets response headers. Several are deliberately permissive (wildcard CORS,
#   allow-all CSP, nosniff commented out); tighten them per deployment.

:80 {
	# Health check endpoint
	# NOTE(review): Caddy sorts directives before running them and `handle` is
	# ordered ahead of `respond`, so a GET /health may be taken by the
	# `handle @staticRequests` block below and looked up as a file under /srv.
	# Confirm with a request against a running container.
	respond /health "OK" 200

	# Enable compression for text-based resources
	encode gzip zstd

	# Response headers for every request (this header block has no matcher).
	# Nothing in this block changes MIME handling; the only related setting is
	# the commented-out X-Content-Type-Options line further down.
	header {
		# Cross-Origin headers - allow everything
		# Any origin may read responses from this server, so /srv should hold
		# only content that is meant to be public. POST and OPTIONS are
		# advertised here although the end of this site block is written to
		# reject every method other than GET and HEAD.
		Access-Control-Allow-Origin "*"
		Access-Control-Allow-Methods "GET, OPTIONS, POST"
		Access-Control-Allow-Headers "*"

		# Permissions Policy
		# Denies camera, microphone and geolocation to the page and its frames.
		# interest-cohort was the FLoC opt-out; browsers that no longer know the
		# feature ignore it.
		Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"

		# Referrer Policy
		Referrer-Policy "strict-origin-when-cross-origin"

		# HSTS
		# Browsers honour this header only on HTTPS responses, so it takes
		# effect only if the TLS-terminating proxy passes it through.
		# includeSubDomains and preload extend the one-year HTTPS-only
		# commitment to every subdomain of the serving host; check that this
		# holds before using the template unchanged.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# Content Type Options - disable for more permissive handling
		# With nosniff off, a browser may sniff a response and treat it as a
		# different type than the one declared. Re-enable this line if /srv can
		# contain files that were not authored by the site owner.
		# X-Content-Type-Options "nosniff"

		# XSS Protection
		# Legacy header: the browser XSS filter it controlled has been removed
		# from current browsers, and OWASP guidance is to send "0" or omit it.
		X-XSS-Protection "1; mode=block"

		# Frame Options (prevents clickjacking)
		# The CSP below has no frame-ancestors directive, so this header is the
		# only framing restriction this file sets.
		X-Frame-Options "SAMEORIGIN"

		# Permissive CSP that allows everything
		# Inline script, eval and any source are permitted, so this policy gives
		# no XSS mitigation. Treat it as a placeholder to be narrowed to the
		# sources the served site needs.
		Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

		# Remove Server header
		-Server
	}

	# HLS specific handling - explicit MIME types for all m3u8 and ts files
	# `path *.ts` matches every path ending in .ts, so TypeScript sources under
	# /srv would also be labelled video/MP2T.
	@m3u8Files {
		path *.m3u8
	}
	@tsFiles {
		path *.ts
	}
	# Access-Control-Allow-Origin "*" is repeated here although the unmatched
	# header block above already sets it for every response.
	header @m3u8Files {
		Content-Type "application/x-mpegURL"
		Access-Control-Allow-Origin "*"
	}
	header @tsFiles {
		Content-Type "video/MP2T"
		Access-Control-Allow-Origin "*"
	}

	# Cache control for static assets - images, fonts, etc.
	# One year plus immutable is only safe when a file name changes whenever
	# its content changes; otherwise clients keep the old copy until it expires.
	@staticAssets {
		path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot
		method GET HEAD
	}
	header @staticAssets Cache-Control "public, max-age=31536000, immutable"
	# The ? prefix sets the header only when it is not already present.
	header @staticAssets ?Access-Control-Allow-Origin *

	# Special handling for CSS and JS files
	# Same one-year immutable policy as the static assets above.
	@cssAndJs {
		path *.css *.js
		method GET HEAD
	}
	header @cssAndJs Cache-Control "public, max-age=31536000, immutable"

	# Cache HTML files but for a shorter period
	# One day, then revalidate with the server.
	@htmlFiles {
		path *.html
		method GET HEAD
	}
	header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate"

	# Static file server
	# NOTE(review): this unmatched file_server duplicates the one inside
	# `handle @staticRequests` and carries no method restriction. Given the
	# catch-all `respond` at the end of the block it is probably never reached;
	# confirm, then keep a single serving path.
	file_server {
		root /srv # Root directory for serving static files
	}

	# Restrict allowed methods to only GET and HEAD
	@staticRequests {
		method GET HEAD
	}

	# Serve files from /srv for GET and HEAD requests only.
	handle @staticRequests {
		root * /srv
		file_server
	}

	# Handle all other methods
	# This also answers CORS preflight (OPTIONS) requests with 405, despite the
	# Access-Control-Allow-Methods value set above.
	respond "Method Not Allowed" 405
}