Caddyfile.example
# Caddy reverse proxy for Archon.
# Set DOMAIN=archon.example.com in .env — Caddy handles TLS via Let's Encrypt.
# For local testing, replace {$DOMAIN} with :80 or localhost.
#
# Authentication: choose one method (or none):
# Option A — Form auth (HTML login page): requires --profile auth — uncomment block A below
# Option B — Basic auth (browser popup): set CADDY_BASIC_AUTH in .env
# None (default) — no authentication required
#
# NOTE: with the default (no auth), every path the app serves is reachable by anyone
# who can reach {$DOMAIN}. Pick Option A or B, or restrict access at the network
# layer, before pointing a public hostname at this file.
{$DOMAIN} {
# ── Public paths — always bypass auth ─────────────────────────────────────
# These two handle blocks go straight to the app (host "app", port PORT, default 3000)
# under every option below, so Caddy never asks for credentials on them.
# NOTE(review): presumably the app authenticates webhook callers itself
# (e.g. a signature check) — confirm, since nothing in this file does.
handle /webhooks/* {
reverse_proxy app:{$PORT:3000}
}
handle /api/health {
reverse_proxy app:{$PORT:3000}
}
# ── Option A: Form-based auth (HTML login page) ────────────────────────────
# Requires: docker compose --profile cloud --profile auth up -d
# Setup: Set AUTH_USERNAME, AUTH_PASSWORD_HASH, COOKIE_SECRET in .env
# See docs/docker.md for hash generation instructions.
# To enable: uncomment this block AND comment out the "No auth" handle block below.
# If the "No auth" block is left enabled alongside this one, two catch-all handle
# blocks exist and only the first in the file is used.
#
# /login and /logout go to the auth service without a forward_auth check, so an
# unauthenticated user can reach the login page.
# handle /login {
# reverse_proxy auth-service:{$AUTH_SERVICE_PORT:9000}
# }
# handle /logout {
# reverse_proxy auth-service:{$AUTH_SERVICE_PORT:9000}
# }
# Every other request is first sent to the auth service's /verify endpoint; the
# X-Auth-User header from its response is copied onto the request passed to the app.
# NOTE(review): the public handles above forward client headers unchanged, so a
# client-supplied X-Auth-User can reach the app on /webhooks/* and /api/health.
# Confirm the app does not treat that header as an identity on those paths.
# handle {
# forward_auth auth-service:{$AUTH_SERVICE_PORT:9000} {
# uri /verify
# copy_headers X-Auth-User
# }
# @sse path /api/stream/*
# reverse_proxy @sse app:{$PORT:3000} {
# flush_interval -1
# }
# reverse_proxy app:{$PORT:3000}
# }
# ── Option B: Basic auth (browser popup, no extra container) ─────────────
# Generate hash: docker run caddy caddy hash-password --plaintext 'YOUR_PASSWORD'
# Passing the password with --plaintext leaves it in shell history and the process
# list; without the flag caddy prompts for it instead
# (docker run --rm -it caddy caddy hash-password).
# Then set in .env: CADDY_BASIC_AUTH=basicauth @protected { admin $$2a$$14$$<hash> }
# Each $ of the hash is written as $$ in that value — presumably so Docker Compose
# does not read it as a variable reference; confirm against docs/docker.md.
# Caddy 2.8 and later name this directive basic_auth; basicauth is the older spelling,
# so check the Caddy version of the image in use.
#
# @protected matches every request except the two public paths, so the basic-auth
# challenge never applies to /webhooks/* or /api/health.
@protected not path /webhooks/* /api/health
# Expands to the directive set in .env, or to nothing when CADDY_BASIC_AUTH is unset
# (the empty default after the colon), which leaves the site without authentication.
{$CADDY_BASIC_AUTH:}
# ── No auth (default) ─────────────────────────────────────────────────────
# Comment out this handle block when using Option A above.
# With Option B this block stays enabled: basic auth is evaluated before handle
# blocks in Caddy's default directive order, so @protected requests are challenged
# before they get here.
handle {
# Streaming endpoints: flush_interval -1 disables response buffering so events
# are written to the client as soon as the app emits them.
@sse path /api/stream/*
reverse_proxy @sse app:{$PORT:3000} {
flush_interval -1
}
reverse_proxy app:{$PORT:3000}
}
# ── Security Headers ───────────────────────────────────────────────────────
# Set on responses for the whole site, public paths included.
header {
# Stop browsers from MIME-sniffing a response away from its declared type.
X-Content-Type-Options nosniff
# Refuse to be rendered inside any frame (clickjacking defence).
X-Frame-Options DENY
Referrer-Policy strict-origin-when-cross-origin
# HSTS for one year. includeSubDomains extends the HTTPS-only rule to every
# subdomain of DOMAIN, so all of them must serve valid TLS.
Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Leading "-" deletes the Server response header.
-Server
}
# Compress responses with gzip or zstd, depending on what the client accepts.
encode gzip zstd
# Access log to stdout in human-readable console format.
log {
output stdout
format console
}
}