-
Notifications
You must be signed in to change notification settings - Fork 9
/
caddyfile
122 lines (102 loc) · 5.12 KB
/
caddyfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# https://caddyserver.com/docs/caddyfile
0.0.0.0:2020
errors stderr
# This directive supports https://caddyserver.com/docs/placeholders
log / stdout "[{when}] remote \"{remote}\" method \"{method}\" uri \"{uri}\" proto \"{proto}\" status {status} size {size} latency {latency} request \"{request}\" upstream \"{upstream}\" cache_status \"{cache_status}\""
# https://caddyserver.com/docs/timeouts
# Show the defaults here just to show that we have RTFD.
timeouts {
header 10s
idle 2m
read 10s
write 20s
}
# After this line, all other paths are relative to root.
root /var/www
# Render markdown files as html.
markdown /
# Process a cgi script.
cgi /hellocgi /cgi-bin/hello
# Provide custom URL that returns status 405 "Method not allowed".
# Then we can conditionally rewrite paths to this URL.
status 405 /forbidden
# All other URLs are only allowed to GET.
#
# Use https://www.htbridge.com/websec/
# to check security of public sites.
rewrite {
if {method} not GET
if_op and
to /forbidden
}
# Clone a public repo once/hour.
git github.com/jumanjihouse/docker-caddy docker-caddy
# Allow browsing in this dir.
browse /docker-caddy
# Requests to /assets actually go to caddy2 container.
proxy /assets http://192.168.254.253:2020/ {
without /assets # Trim before proxying the request upstream.
transparent
}
# Cache assets for default time period.
# https://caddyserver.com/docs/http.cache
cache {
match_path /assets
path /dev/shm
}
# Headers for all paths to demonstrate reasonable safety.
# This fixture does not use TLS, so we omit recommended headers for https.
# https://caddyserver.com/docs/header
header / {
# CSP and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
# tell the browser that it can only download content from the domains we explicitly allow
# https://scotthelme.co.uk/content-security-policy-an-introduction/
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# https://report-uri.io/home/generate
# https://csp-evaluator.withgoogle.com/
Content-Security-Policy "default-src 'self'; object-src 'none'; block-all-mixed-content; reflected-xss block;"
# Certificate Transparency is an open framework for monitoring
# and auditing the certificates issued by Certificate Authorities
# in near real-time. By requiring a CA to log all certificates
# they generate, site owners can quickly identify mis-issued
# certificates, and it becomes much easier to detect a rogue CA.
#
# https://scotthelme.co.uk/certificate-transparency-an-introduction/
# https://scotthelme.co.uk/a-new-security-header-expect-ct/
Expect-CT "max-age=0; report-uri=https://scotthelme.report-uri.io/r/default/ct/reportOnly"
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
Referrer-Policy "strict-origin-when-cross-origin"
# Don't allow the browser to render our pages inside a frame or iframe
# thus avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
X-Frame-Options "SAMEORIGIN"
# Enable the XSS filter built into most recent web browsers.
# It's usually enabled by default anyway, but this header
# re-enables the filter if it was disabled by the user.
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
X-Xss-Protection "1; mode=block"
# Prevent Google Chrome and Internet Explorer from trying
# to mime-sniff the content-type of a response away from
# the one being declared by the server.
# It reduces exposure to drive-by downloads and the risks
# of user uploaded content that, with clever naming,
# could be treated as a different content-type, like an executable.
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
X-Content-Type-Options "nosniff"
# Feature Policy allows a site to enable or disable browser features and APIs
# in the interest of better security and privacy.
# https://scotthelme.co.uk/a-new-security-header-feature-policy/
# https://caniuse.com/#search=feature%20policy
#
# https://github.com/WICG/feature-policy/blob/master/features.md
Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; animations 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; image-compression 'none'; legacy-image-formats 'none'; magnetometer 'none'; max-downscaling-image 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; unsized-media 'none'; usb 'none'; vertical-scroll 'none'; vr 'none'"
# Do not disclose which server we are.
-Server
}