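# Caddyfile for alexwlchan.net and the domains that redirect to it.
#
# Other sites served by this Caddy instance live in their own Caddyfiles
# and are pulled in here.
import /home/alexwlchan/repos/books.alexwlchan.net/Caddyfile
import /home/alexwlchan/repos/analytics.alexwlchan.net/Caddyfile

# Access-log configuration shared by every site block in this file
# (defined once as a snippet so the two site blocks can't drift apart).
#
# It removes personally identifiable information (PII) from the logs,
# in particular:
#
#   - IP addresses
#   - User-Agents
#
# They're not useful to me so I might as well discard them.
#
# Other request headers (e.g. Referer, X-Forwarded-For) are still written
# in full.  Caddy redacts Cookie/Authorization values in access logs by
# default unless the `log_credentials` server option is enabled -- worth
# confirming for the Caddy version in use.
#
# A snippet has to be defined before the site blocks that import it,
# which is why it sits at the top of the file.
(pii_free_log) {
	log {
		output file /var/log/caddy/alexwlchan.log
		format filter {
			wrap json
			fields {
				request>remote_ip delete
				request>remote_port delete
				request>client_ip delete
				request>headers>User-Agent delete
			}
		}
	}
}

alexwlchan.net {
	import caddy/redirects.Caddyfile
	import caddy/gone.Caddyfile

	# Enable compression for responses
	encode zstd gzip

	# I can set long-lived caches on all these static assets because I treat
	# most files as immutable by filename -- if I modify a file, I'll upload a new
	# file with a different name, so it won't be a cache hit.
	#
	# The one exception is CSS files, but I cache-bust those by passing a query parameter
	# that includes the hash of my CSS source.
	@cached {
		path /c/* /favicons/* /files/* /headers/* /images/* /static/* /theme/*
	}
	header @cached {
		Cache-Control "public, max-age=31536000"
	}

	# Add some security headers.
	# I test my security headers with https://securityheaders.com/
	#
	# The `header` directive with no matcher applies to every response
	# produced in this site block.
	header {
		# https://scotthelme.co.uk/hardening-your-http-response-headers/#content-security-policy
		#
		# 'unsafe-inline' in script-src means this policy does not block
		# injected inline scripts; moving inline scripts to nonces or hashes
		# is what would make the CSP an XSS mitigation.  'unsafe-inline' is
		# not a valid source expression for img-src and is ignored there.
		# There is no frame-ancestors directive, so whether the site can be
		# framed is decided solely by X-Frame-Options below.
		Content-Security-Policy "default-src 'self' 'unsafe-inline' https://youtube-nocookie.com https://www.youtube-nocookie.com; script-src 'self' 'unsafe-inline'; connect-src https://analytics.alexwlchan.net; img-src 'self' 'unsafe-inline' data:"

		# https://scotthelme.co.uk/a-new-security-header-feature-policy/
		# https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
		Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), vibrate=(), payment=()"

		# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
		#
		# no-referrer-when-downgrade still sends the full URL (path and query)
		# to other HTTPS origins; strict-origin-when-cross-origin, the current
		# browser default, sends only the origin on cross-site requests.
		Referrer-Policy "no-referrer-when-downgrade"

		# https://scotthelme.co.uk/hardening-your-http-response-headers/#strict-transport-security
		#
		# includeSubDomains means every subdomain (presumably including the
		# books. and analytics. hosts imported at the top of this file) must
		# be served over HTTPS for the lifetime of the policy.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"

		# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
		X-Content-Type-Options "nosniff"

		# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
		#
		# ALLOWALL is not one of the values defined for this header (DENY and
		# SAMEORIGIN are); browsers that don't recognise it ignore the header,
		# so the net effect is that any origin may frame these pages.  If
		# embedding elsewhere isn't needed, SAMEORIGIN plus a frame-ancestors
		# directive in the CSP is the clickjacking defence.
		X-Frame-Options "ALLOWALL"

		# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
		#
		# The XSS auditor this header controlled has been removed from
		# current browsers and the header is deprecated; the usual advice now
		# is to send "0" (or omit it) and rely on the CSP instead.
		X-Xss-Protection "1; mode=block"
	}

	# If somebody gets a 4xx error, respond with my custom error pages.
	#
	# Error routes run separately from the main route, so the site root has
	# to be set again here before the file server can find the error page.
	handle_errors 404 {
		root * /home/alexwlchan/repos/alexwlchan.net/_site
		rewrite * 404/index.html
		file_server
	}
	handle_errors 410 {
		root * /home/alexwlchan/repos/alexwlchan.net/_site
		rewrite * 410/index.html
		file_server
	}

	# If somebody is trying to look for PHP pages on my site, and WordPress
	# pages in particular, they probably have nefarious goals.
	#
	# This is mostly automated bots -- serve them my minimal 400 Bad Request
	# error rather than the complete 404 Not Found page.
	#
	# `respond` writes a normal response, so this does not go through the
	# handle_errors routes above.
	@spam {
		path /.env /index.php /xmlrpc.php /wp-* /blog/wp-* /cms/wp-* /shop/wp-* /site/wp-* /test/wp-* /wordpress/wp-* /wp/wp-* /wp2/wp-* /zb_system/*
	}
	handle @spam {
		respond "400 Bad Request" 400
	}

	# This is a mini-site that was built separately and I've just uploaded
	# the HTML files to my web server.
	#
	# Eventually I'd like to fold this into the main site build, but
	# I'm not there yet.
	#
	# See https://github.com/alexwlchan/ideas-for-inclusive-events/issues/9
	handle /ideas-for-inclusive-events/* {
		root * /home/alexwlchan/repos/ideas-for-inclusive-events
		file_server
	}

	# Run a static file server for anything not yet handled
	root * /home/alexwlchan/repos/alexwlchan.net/_site
	file_server

	import pii_free_log
}

# This redirects my other domain names to my primary domain name,
# to avoid diluting traffic between them.
#
# Note that these hosts send none of the security headers set above, so in
# particular there is no HSTS for the alias domains: a browser's first
# request to one of them can still start over plain HTTP before being
# redirected.
alexwlchan.com, www.alexwlchan.com, alexwlchan.co.uk, www.alexwlchan.co.uk, www.alexwlchan.net {
	redir https://alexwlchan.net{uri} permanent

	import pii_free_log
}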