# Caddy Configuration for Homelab # Location: /srv/docker/caddy/Caddyfile # Last Updated: April 27, 2026 # ============================================================================ # Kopia Web UI - HTTPS Reverse Proxy # ============================================================================ kopia.jgitta.com { # Reverse proxy to Kopia Web UI running on localhost:51515 reverse_proxy 127.0.0.1:51515 { # Pass original headers for proper proxying header_upstream X-Forwarded-Proto {scheme} header_upstream X-Forwarded-Host {http.request.host} header_upstream X-Forwarded-For {http.request.remote.host} # WebSocket support (Kopia uses WebSockets for real-time updates) header_upstream Connection {http.request.header.Connection} header_upstream Upgrade {http.request.header.Upgrade} # Timeout settings for backup operations (which can be slow) timeout 300s } # Security headers header { # Prevent MIME type sniffing X-Content-Type-Options "nosniff" # Clickjacking protection X-Frame-Options "SAMEORIGIN" # XSS protection X-XSS-Protection "1; mode=block" # HTTPS enforcement (HSTS) # max-age: 1 year, includeSubDomains: apply to subdomains Strict-Transport-Security "max-age=31536000; includeSubDomains" # Content Security Policy (basic) Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" # Referrer policy Referrer-Policy "strict-origin-when-cross-origin" # Permissions policy Permissions-Policy "geolocation=(), microphone=(), camera=()" } # Logging log { output stdout format json } # Enable TLS (automatic, self-signed for internal use) tls internal } # ============================================================================ # HTTP to HTTPS Redirect # ============================================================================ http://kopia.jgitta.com { # Redirect all HTTP traffic to HTTPS redir https://kopia.jgitta.com{uri} permanent }