henrov/nextcloud_ecosystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nextcloud_ecosystem/conf/caddy/Caddyfile
T

182 lines
3.3 KiB
Caddyfile
Raw Permalink Blame History

# Global options
{
email info@data-pro.nu
# Optional: acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
# Common security headers
(nextcloud_security_headers) {
header {
# HTTPS only: instruct browser to only access via HTTPS for 180+ days
Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
# Prevent MIME-type sniffing
X-Content-Type-Options "nosniff"
# Disallow embedding in iframes (Clickjacking)
X-Frame-Options "SAMEORIGIN"
# Search engine no-index
X-Robots-Tag "noindex, nofollow"
# Cross-domain policy restrictions
X-Permitted-Cross-Domain-Policies "none"
# Basic XSS protection (legacy)
X-XSS-Protection "1; mode=block"
# No referrer leakage
Referrer-Policy "no-referrer"
}
}
# KEYCLOAK
keycloak.data-pro.nu {
import nextcloud_security_headers
reverse_proxy keycloak:8080
log {
output file /var/log/caddy/keycloak-access.log {
roll_size 10mb
roll_keep 5
roll_keep_for 720h
}
format json
}
tls caddy@data-pro.nu
}
# NEXTCLOUD
Nextcloud.data-pro.nu {
import nextcloud_security_headers
# Enable compression
encode zstd gzip
# Permanent redirects for CalDAV/CardDAV discovery
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# WebSocket for Janus subpath (optional)
handle_path /janus* {
reverse_proxy janus:8088
}
handle /ws {
reverse_proxy janus:8188 {
header_up Host {host}
header_up Connection upgrade
header_up Upgrade {header.Upgrade}
}
}
# Main Nextcloud reverse proxy
reverse_proxy nextcloud:80
# Access logging
log {
output file /var/log/caddy/access.log {
roll_size 10mb
roll_keep 5
roll_keep_for 720h
}
format json
}
}
# GITLAB
gitlab.data-pro.nu {
reverse_proxy gitlab:443 {
transport http {
tls_insecure_skip_verify
}
}
}
# SIGNALING (JANUS WS fallback)
signaling.data-pro.nu {
encode gzip
reverse_proxy localhost:8090
tls info@data-pro.nu
handle_path /janus* {
reverse_proxy janus:8088
}
handle_path /ws {
reverse_proxy janus:8188 {
header_up Host {host}
header_up Connection "upgrade"
header_up Upgrade {header.Upgrade}
}
}
handle {
reverse_proxy signaling:8090
}
log {
output file /var/log/caddy/signaling-access.log
format console
}
}
# COLLABORA
collabora.data-pro.nu {
reverse_proxy collabora:9980
encode gzip
tls caddy@data-pro.nu
}
# JANUS DIRECT
janus.data-pro.nu {
reverse_proxy janus:8188
encode gzip
}
turn.data-pro.nu {
tls {
on_demand
}
respond "TURN server is running on UDP 3478 and TLS 5349" 200
}
# GITEA
gitea.data-pro.nu {
# Optional but recommended: same security header set you use elsewhere
import nextcloud_security_headers
encode zstd gzip
reverse_proxy gitea:3000
log {
output file /var/log/caddy/gitea-access.log {
roll_size 10mb
roll_keep 5
roll_keep_for 720h
}
format json
}
tls caddy@data-pro.nu
}
# n8n
n8n.data-pro.nu {
# (Optional but nice) reuse your common security headers snippet
import nextcloud_security_headers
# (Optional) gzip/zstd
encode zstd gzip
reverse_proxy n8n:5678
}
Reference in New Issue View Git Blame Copy Permalink