# Caddyfile for ethsec-voting-badge.
#
# CADDY_DOMAIN controls the site address (the `{$VAR:default}` form below
# falls back to ":80" when the variable is unset):
#   • Unset / ":80"  → plain HTTP on port 80 (local dev, container testing).
#   • "example.com"  → Caddy auto-provisions a publicly trusted TLS cert
#                      (Let's Encrypt by default) and redirects HTTP → HTTPS.
#   • "https://x.y"  → HTTPS on 443 with auto-cert.
#
# API paths (/config, /submit, /token-status, /admin, /health) are proxied
# to the api service on port 3001. Everything else is served from the
# static web bundle baked into this image at build time.
{$CADDY_DOMAIN::80} {
	encode gzip zstd

	# ----- API proxy -----
	# Use `handle` blocks so routing is explicit, not order-dependent.
	# Without them, Caddy's default directive order runs `try_files` BEFORE
	# `reverse_proxy` and rewrites /config → /index.html before the
	# reverse_proxy matcher gets a chance to fire. Result: API paths
	# silently serve the SPA (the front-end gets "Unexpected token '<'"
	# trying to JSON.parse HTML, and POST /submit returns 405 because
	# file_server only accepts GET/HEAD).
	# Note that `*` is a glob: `/config*` also matches `/configuration`, so
	# keep SPA routes clear of these prefixes.
	@api path /health* /config* /submit* /token-status* /admin*
	handle @api {
		reverse_proxy api:3001 {
			header_up Host {host}
			# Override any client-supplied X-Forwarded-For with the real
			# peer address, so the api service cannot be fed a spoofed IP.
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
		}
	}

	# ----- Static web bundle (SPA fallback to index.html) -----
	# The matcher-less `handle` is the fallback for everything @api did
	# not claim.
	handle {
		root * /srv/web
		try_files {path} /index.html
		file_server
	}

	# ----- Security headers -----
	# `header` sorts before `handle` in Caddy's directive order, so these
	# apply to both the proxied and the static responses.
	header {
		# Clickjacking + MIME sniffing. X-Frame-Options is the legacy
		# counterpart of the CSP frame-ancestors directive below; modern
		# browsers honour the CSP one when both are present.
		X-Frame-Options "DENY"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		# HSTS is only honoured by browsers over a valid TLS connection, so
		# it kicks in once Caddy has a real cert and is ignored on :80.
		# includeSubDomains commits every subdomain to HTTPS for a year.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		# Baseline CSP — the app has no inline scripts and fetches only
		# from its own origin + the Vite/wagmi RPC endpoint at runtime.
		# Font loading from Google Fonts is required for Inter Tight.
		# Caveat: `https:` and `wss:` in connect-src are scheme-wide sources
		# (any host), broader than "own origin + one RPC endpoint"; tighten
		# to the exact RPC origin(s) when they are fixed. 'unsafe-inline' in
		# style-src is needed for injected component styles but weakens
		# protection against style-based exfiltration.
		Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https: wss:; img-src 'self' data:; media-src 'self'; frame-ancestors 'none'; base-uri 'self'"
		# Remove Caddy's default Server header
		-Server
	}

	# ----- Log to stdout so `docker logs` sees requests -----
	log {
		output stdout
		format console
		level INFO
	}
}
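The header block above states what the policy is meant to achieve; the following script, added here as an example and not part of the ethsec-voting-badge project, checks a received header set against that intent offline. It parses the CSP and HSTS values as strings (no live fetch), flags scheme-wide sources such as `https:` in `connect-src`, `'unsafe-inline'`, a missing `form-action`, a short HSTS lifetime and a leaked `Server` header, and mirrors the `@api` prefix-glob matcher so the `/configuration`-style overlap is visible. The `CADDY_HEADERS` sample is constructed to match the Caddyfile; all function names are the example's own.

```python
"""Offline audit of the response-header policy set by the Caddyfile.

Added example; not project code. The sample headers are constructed
from the Caddyfile above, nothing is fetched from a running server.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample: the `header` block as a client would receive it.
CADDY_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "font-src 'self' https://fonts.gstatic.com; "
        "connect-src 'self' https: wss:; img-src 'self' data:; "
        "media-src 'self'; frame-ancestors 'none'; base-uri 'self'"
    ),
}

# Mirrors the `@api path ...` matcher: Caddy's trailing `*` is a prefix glob.
API_PREFIXES = ("/health", "/config", "/submit", "/token-status", "/admin")

SCHEME_WIDE = {"https:", "http:", "wss:", "ws:", "*"}


def is_api_path(path: str) -> bool:
    """True if the Caddyfile would route this path to the api service."""
    return path.startswith(API_PREFIXES)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    First occurrence wins, matching browser behaviour for duplicates.
    """
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out


def parse_hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header, or -1 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (empty list = nothing flagged)."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        p = parse_csp(csp)
        # Scheme-only sources allow any host on that scheme, which is much
        # broader than "own origin plus one RPC endpoint".
        for d in ("connect-src", "script-src", "default-src"):
            for src in p.get(d, []):
                if src in SCHEME_WIDE:
                    findings.append(f"{d} allows scheme-wide source {src}")
        for d in ("script-src", "style-src"):
            if "'unsafe-inline'" in p.get(d, []):
                findings.append(f"{d} allows 'unsafe-inline'")
        if "form-action" not in p:
            findings.append("form-action not restricted (defaults to allow-all)")
        if p.get("frame-ancestors") != ["'none'"]:
            findings.append("frame-ancestors is not 'none'")

    if parse_hsts_max_age(h.get("strict-transport-security", "")) < 31536000:
        findings.append("HSTS max-age below one year or missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "server" in h:
        findings.append(f"Server header present: {h['server']}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(CADDY_HEADERS):
        print("-", finding)
```

Run against the constructed sample it reports the two scheme-wide `connect-src` sources, the `style-src 'unsafe-inline'` and the missing `form-action`; against a real deployment, replace `CADDY_HEADERS` with the headers returned by the server and confirm that `/config` comes back as JSON rather than the SPA's HTML.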