monotrope/infra/Caddyfile
Louis Simoneau ab050fddd7 Pin image versions, add security headers, log limits, unattended upgrades
- Pin Miniflux to 2.2.19, Gitea to 1.25 (from :latest)
- Add security headers (X-Content-Type-Options, X-Frame-Options,
  Referrer-Policy, Permissions-Policy) to all Caddy sites
- Add Docker JSON log rotation (10m x 3 files) to all containers
- Add SHA256 checksum verification for GoatCounter binary download
- Install and configure unattended-upgrades for security patches

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 08:31:41 +10:00


# Static site for the apex domain, served from /var/www/monotrope.
monotrope.au {
root * /var/www/monotrope
file_server
# Security headers, set on every response from this site:
# - X-Content-Type-Options "nosniff": browsers must not MIME-sniff the body.
# - X-Frame-Options "DENY": the site may not be framed by any origin.
# - Referrer-Policy: cross-origin requests see only the origin, not the path.
# - Permissions-Policy: camera, microphone and geolocation are switched off.
# NOTE(review): neither Strict-Transport-Security nor Content-Security-Policy
# is set in this block; confirm that is intentional.
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "camera=(), microphone=(), geolocation=()"
}
# Compress responses with zstd or gzip.
encode zstd gzip
# Cache headers for static assets: cacheable for one year and marked immutable.
# Assumes asset file names change whenever their content changes; otherwise
# clients keep serving the old copy from cache. TODO confirm against the build.
@static {
path *.css *.js *.ico *.gif *.jpg *.jpeg *.png *.webp *.svg *.woff *.woff2 *.ttf *.eot
}
header @static Cache-Control "public, max-age=31536000, immutable"
# HTML and RSS — revalidate each time
# NOTE(review): the matcher lists *.html, / and the /posts/ paths only; no feed
# path is visible here, so confirm the RSS file is actually covered.
# A static asset under /posts/ matches both @static and @html; verify which
# Cache-Control value is sent for it.
@html {
path *.html / /posts/ /posts/*
}
header @html Cache-Control "public, max-age=0, must-revalidate"
}
# Redirect www to apex with a permanent redirect, keeping the request URI.
# This site only redirects; no security headers are set on it.
www.monotrope.au {
redir https://monotrope.au{uri} permanent
}
# Miniflux RSS reader, proxied to a backend on localhost:8080.
# Assumes the backend port is reachable on loopback only (a published container
# port bound to all interfaces would be reachable without this proxy and its
# headers). TODO confirm against the container port mapping.
reader.monotrope.au {
reverse_proxy localhost:8080
# Same four security headers as the static site.
# NOTE(review): these are set without `defer`; if the backend sends any of the
# same fields, check a real response for duplicate or conflicting values.
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "camera=(), microphone=(), geolocation=()"
}
# Compress responses with zstd or gzip.
encode zstd gzip
}
# Gitea, proxied to a backend on localhost:3000.
# Assumes the backend port is reachable on loopback only (a published container
# port bound to all interfaces would be reachable without this proxy and its
# headers). TODO confirm against the container port mapping.
git.monotrope.au {
reverse_proxy localhost:3000
# NOTE(review): unlike the other sites in this file, X-Frame-Options is not
# set here. Presumably the application supplies its own framing policy;
# confirm by checking a real response, since otherwise nothing restricts
# framing of this site.
# These fields are set without `defer`; if the backend sends any of the same
# ones, check for duplicate or conflicting values.
header {
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "camera=(), microphone=(), geolocation=()"
}
# Compress responses with zstd or gzip.
encode zstd gzip
}
# GoatCounter analytics, proxied to a backend on localhost:8081.
# Assumes the backend listens on loopback only, so it cannot be reached without
# this proxy and its headers. TODO confirm against the service configuration.
stats.monotrope.au {
reverse_proxy localhost:8081
# Same four security headers as the static site. X-Frame-Options "DENY"
# applies to responses from this host itself.
# NOTE(review): these are set without `defer`; if the backend sends any of the
# same fields, check a real response for duplicate or conflicting values.
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "camera=(), microphone=(), geolocation=()"
}
# Compress responses with zstd or gzip.
encode zstd gzip
}