# Caddyfile for NexusHosting
# Replace {$PUBLIC_DOMAIN} with your actual domain, or set the PUBLIC_DOMAIN env var.
#
# Architecture:
# {$PUBLIC_DOMAIN}/api/* → TypeScript API server (port 8080)
# {$PUBLIC_DOMAIN}/* → Rust static proxy (port 8090)
#
# The Rust proxy (nexus-proxy) handles all site serving.
# The TypeScript server handles auth, deploys, federation, admin.
#
# To run without the Rust proxy (TypeScript-only mode), comment out the
# site-proxy block and uncomment the all-to-8080 block below.
{$PUBLIC_DOMAIN} {
# Site block for the public domain. The `handle` blocks below are mutually
# exclusive: a request is served by exactly one of them, and the matcher-less
# `handle` acts as the fallback.
#
# NOTE(review): the site address is only {$PUBLIC_DOMAIN}. Requests for any
# other hostname do not match this block unless PUBLIC_DOMAIN itself lists
# several addresses or a wildcard — confirm how hosted site domains are
# expected to reach Caddy.
# ── TypeScript API server ─────────────────────────────────────────────
# Matches /api/ and everything below it; a bare /api (no trailing slash)
# does not match and falls through to the Rust proxy.
handle /api/* {
reverse_proxy app:8080
}
# ACME challenge (Let's Encrypt HTTP-01) — TypeScript handles this
# NOTE(review): the matcher forwards everything under /.well-known/ to the
# app, not only ACME challenge paths. Confirm the app is meant to own the
# whole /.well-known/ namespace.
handle /.well-known/* {
reverse_proxy app:8080
}
# Dashboard SPA — TypeScript serves the built frontend
# A bare /dashboard (no trailing slash) does not match this matcher and is
# sent to the Rust proxy instead — confirm that is intended.
handle /dashboard/* {
reverse_proxy app:8080
}
# Auth callbacks
# NOTE(review): /callback* is a prefix match, so any path that merely starts
# with "/callback" is routed to the app. Tighten the matcher if only specific
# callback paths should reach the auth handler.
handle /callback* {
reverse_proxy app:8080
}
# ── Rust static site proxy ────────────────────────────────────────────
# All other traffic (site domains) goes to the Rust proxy.
# The Rust proxy reads the Host header to route to the right site.
# The Host value originates from the client; the proxy presumably validates
# it against known sites — verify in nexus-proxy.
handle {
reverse_proxy proxy:8090
}
# Compression — Rust proxy handles Brotli/gzip internally,
# but Caddy can compress the API responses
# This directive is not scoped to /api/*; it sits at site level and so applies
# to every handler above. If API responses combine secrets with
# request-reflected data, review exposure to compression side channels (BREACH).
encode gzip
# Security headers
# Set at site level, so they are added to app responses and to hosted-site
# responses alike.
header {
# One-year HSTS covering all subdomains, with the preload token.
# NOTE(review): includeSubDomains + preload commits every subdomain of
# the domain to HTTPS, and preload-list removal is slow — confirm this is
# intended for every deployment of this file.
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Stops browsers from MIME-sniffing responses away from the declared type.
X-Content-Type-Options "nosniff"
# Allows framing only by same-origin pages. No Content-Security-Policy is
# set in this block.
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
# Removes the Server response header.
-Server
}
# Access log as JSON on stdout.
# NOTE(review): access log entries include the request URI with its query
# string. If the auth callbacks carry codes or tokens in the query, they will
# appear in these logs — consider a log field filter or restricting access to
# the log stream.
log {
output stdout
format json
}
}
# ── TypeScript-only mode (no Rust proxy) ─────────────────────────────────────
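# Uncomment this and comment out the site block above if you want to run
# without the Rust proxy (lower performance, easier setup).
# Note: this minimal block omits the security headers and log settings
# configured above; copy them over if you still need them.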
#
# {$PUBLIC_DOMAIN} {
# reverse_proxy app:8080
# encode gzip
# }
# ── Optional: www redirect ────────────────────────────────────────────────────
# www.{$PUBLIC_DOMAIN} {
# redir https://{$PUBLIC_DOMAIN}{uri} permanent
# }