105 lines
3.1 KiB
Caddyfile
105 lines
3.1 KiB
Caddyfile
# Template: Caddyfile.override
|
|
# Purpose: Default configuration for custom containers.
|
|
# Description:
|
|
# - Serves static files from /srv.
|
|
# - Provides a /health endpoint for health checks.
|
|
# - Designed to run behind a reverse proxy like Træfik, listening only on port 80.
|
|
# - comes with security headers
|
|
|
|
:80 {
|
|
# Health check endpoint
|
|
respond /health "OK" 200
|
|
|
|
# Enable compression for text-based resources
|
|
encode gzip zstd
|
|
|
|
# MIME type overrides for HLS streaming
|
|
@m3u8Files {
|
|
path *.m3u8
|
|
}
|
|
@tsFiles {
|
|
path *.ts
|
|
}
|
|
header @m3u8Files Content-Type "application/vnd.apple.mpegurl"
|
|
header @tsFiles Content-Type "video/MP2T"
|
|
|
|
# Security headers
|
|
header {
|
|
# Cross-Origin headers
|
|
Cross-Origin-Embedder-Policy "require-corp"
|
|
Cross-Origin-Opener-Policy "same-origin"
|
|
Cross-Origin-Resource-Policy "same-origin"
|
|
|
|
# Permissions Policy
|
|
Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
|
|
|
|
# Referrer Policy
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
|
|
# HSTS
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
|
|
# Content Type Options
|
|
X-Content-Type-Options "nosniff"
|
|
|
|
# XSS Protection
|
|
X-XSS-Protection "1; mode=block"
|
|
|
|
# Frame Options (prevents clickjacking)
|
|
X-Frame-Options "SAMEORIGIN"
|
|
|
|
# Update CSP to allow media content, scripts, and blob URLs with hashes
|
|
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' https: data: blob:; media-src 'self' blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; worker-src 'self' blob:"
|
|
|
|
# Remove Server header
|
|
-Server
|
|
}
|
|
|
|
# Cache control for static assets - images, fonts, etc.
|
|
@staticAssets {
|
|
path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot
|
|
method GET HEAD
|
|
}
|
|
header @staticAssets Cache-Control "public, max-age=31536000, immutable"
|
|
header @staticAssets ?Access-Control-Allow-Origin *
|
|
|
|
# Special handling for CSS and JS files
|
|
@cssAndJs {
|
|
path *.css *.js
|
|
method GET HEAD
|
|
}
|
|
header @cssAndJs Cache-Control "public, max-age=31536000, immutable"
|
|
|
|
# Cache HTML files but for a shorter period
|
|
@htmlFiles {
|
|
path *.html
|
|
method GET HEAD
|
|
}
|
|
header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate"
|
|
|
|
# HLS file handling
|
|
@hlsFiles {
|
|
path *.m3u8 *.ts
|
|
method GET HEAD
|
|
}
|
|
header @hlsFiles Cache-Control "public, max-age=300"
|
|
header @hlsFiles Access-Control-Allow-Origin "*"
|
|
|
|
# Static file server
|
|
file_server {
|
|
root /srv # Root directory for serving static files
|
|
}
|
|
|
|
# Restrict allowed methods to only GET and HEAD
|
|
@staticRequests {
|
|
method GET HEAD
|
|
}
|
|
|
|
handle @staticRequests {
|
|
root * /srv
|
|
file_server
|
|
}
|
|
|
|
# Handle all other methods
|
|
respond "Method Not Allowed" 405
|
|
} |