98 lines
3.1 KiB
Caddyfile
98 lines
3.1 KiB
Caddyfile
# Caddy Configuration for Homelab
|
|
# Location: /srv/docker/caddy/Caddyfile
|
|
# Last Updated: April 29, 2026
|
|
|
|
# ============================================================================
|
|
# Kopia Web UI - HTTPS Reverse Proxy
|
|
# ============================================================================
|
|
kopia.jgitta.com {
|
|
# Reverse proxy to Kopia Web UI running on localhost:51515
|
|
reverse_proxy 127.0.0.1:51515 {
|
|
# Pass original headers for proper proxying
|
|
header_upstream X-Forwarded-Proto {scheme}
|
|
header_upstream X-Forwarded-Host {http.request.host}
|
|
header_upstream X-Forwarded-For {http.request.remote.host}
|
|
|
|
# WebSocket support (Kopia uses WebSockets for real-time updates)
|
|
header_upstream Connection {http.request.header.Connection}
|
|
header_upstream Upgrade {http.request.header.Upgrade}
|
|
|
|
# Timeout settings for backup operations (which can be slow)
|
|
timeout 300s
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
# Prevent MIME type sniffing
|
|
X-Content-Type-Options "nosniff"
|
|
|
|
# Clickjacking protection
|
|
X-Frame-Options "SAMEORIGIN"
|
|
|
|
# XSS protection
|
|
X-XSS-Protection "1; mode=block"
|
|
|
|
# HTTPS enforcement (HSTS)
|
|
# max-age: 1 year, includeSubDomains: apply to subdomains
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
|
|
# Content Security Policy (basic)
|
|
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
|
|
|
|
# Referrer policy
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
|
|
# Permissions policy
|
|
Permissions-Policy "geolocation=(), microphone=(), camera=()"
|
|
}
|
|
|
|
# Logging
|
|
log {
|
|
output stdout
|
|
format json
|
|
}
|
|
|
|
# Enable TLS (automatic, self-signed for internal use)
|
|
tls internal
|
|
}
|
|
|
|
# ============================================================================
|
|
# HTTP to HTTPS Redirect
|
|
# ============================================================================
|
|
http://kopia.jgitta.com {
|
|
# Redirect all HTTP traffic to HTTPS
|
|
redir https://kopia.jgitta.com{uri} permanent
|
|
}
|
|
|
|
# ============================================================================
|
|
# Portainer - Docker Management UI on siklos
|
|
# ============================================================================
|
|
portainer.jgitta.com {
|
|
# Reverse proxy to Portainer on siklos (HTTP port — Caddy handles TLS)
|
|
reverse_proxy 192.168.88.27:9000 {
|
|
header_upstream X-Forwarded-Proto {scheme}
|
|
header_upstream X-Forwarded-Host {http.request.host}
|
|
header_upstream X-Forwarded-For {http.request.remote.host}
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
X-Content-Type-Options "nosniff"
|
|
X-Frame-Options "SAMEORIGIN"
|
|
X-XSS-Protection "1; mode=block"
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
}
|
|
|
|
log {
|
|
output stdout
|
|
format json
|
|
}
|
|
|
|
tls internal
|
|
}
|
|
|
|
http://portainer.jgitta.com {
|
|
redir https://portainer.jgitta.com{uri} permanent
|
|
}
|