- Add Caddyfile with self-signed TLS (`tls internal`) for local development
- Configure reverse_proxy to FastAPI on localhost:8000, with an active health check on /health
- Add security headers (HSTS, X-Content-Type-Options, X-Frame-Options)
- Enable HTTP to HTTPS redirect on port 80
- Add Caddy service to docker-compose.yml with host networking
- Configure the (unauthenticated, loopback-only) admin API on localhost:2019 for future route management
Caddyfile
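{
	# Admin API for programmatic route management (future use for ISO downloads).
	# The admin endpoint has no authentication: anything that can reach this socket
	# can replace the entire running config (upstreams, TLS, file roots). Because the
	# container uses host networking, localhost:2019 is reachable by every local user
	# and process on the host, so keep it bound to loopback only; when the tooling
	# lands, prefer a unix socket (`admin unix//run/caddy/admin.sock`) with file
	# permissions, plus `origins` to restrict which Host/Origin values are accepted.
	admin localhost:2019

	# `tls internal` in the site block below is for local development only.
	# Automatic Let's Encrypt issuance requires a site block keyed by a real hostname
	# (e.g. `example.com { ... }`); a bare `:443` listener has no domain name to
	# request a certificate for, so this file as written will NOT obtain public
	# certificates in production -- add a hostname block for that.
}

# Development configuration (localhost)
:443 {
	tls internal # Certificate from Caddy's local CA; trust that CA or browsers will warn

	# Reverse proxy to FastAPI. This only resolves because the Caddy service runs
	# with host networking (or the upstream is otherwise reachable as localhost).
	# NOTE(review): FastAPI should bind to 127.0.0.1, not 0.0.0.0, otherwise port
	# 8000 is reachable directly and bypasses TLS and the headers set here --
	# confirm in the uvicorn / docker-compose configuration.
	reverse_proxy localhost:8000 {
		# Active health check: the upstream /health route must answer 200 without auth.
		health_uri /health
		health_interval 10s
		health_timeout 5s
	}

	# Security headers (supplement FastAPI's headers)
	header {
		# HSTS for one year, including subdomains. The `preload` token was dropped:
		# it is a consent signal for the browser preload lists, which are effectively
		# irreversible once a domain is accepted, and it should not be emitted from a
		# self-signed development listener that answers for any Host. Add it only on
		# the production hostname block, and only when the domain is actually being
		# submitted to hstspreload.org.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		# Do not advertise the server software in responses.
		-Server
	}

	# Access logging. JSON entries carry the client IP and the full request URI,
	# including query strings, so any secret passed as a query parameter ends up
	# on disk here; treat the log directory as sensitive. The directory must exist
	# and be writable by the Caddy process (mount it in docker-compose).
	log {
		output file /var/log/caddy/access.log {
			roll_size 100mb
			roll_keep 10
		}
		format json
	}
}

# HTTP to HTTPS redirect. {host} echoes the client-supplied Host header, which is
# acceptable for local development. A production site block keyed by a hostname
# gets this redirect from Caddy's automatic HTTPS and does not need this block.
:80 {
	redir https://{host}{uri} permanent
}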
|