infra/marketing-vps/Caddyfile: Sync mit Live-Stand
Some checks failed
Deploy Marketing-Site / Build, Test und Deploy (push) Failing after 1m11s
Some checks failed
Deploy Marketing-Site / Build, Test und Deploy (push) Failing after 1m11s
Die Repo-Version war eine 'Wunsch-Version' aus dem Brief mit Logging, Cache-Headers und Status-Page-Auth-Placeholder. Tatsaechlich produktiv laufen die schlanken Bloecke aus diesem Commit, plus ein temporaerer Basic-Auth- Schutz fuer slimcore.io (User: demo / Pass: demo, bcrypt-Hash inline) solange die Site noch im Aufbau ist. Vor Live-Schaltung: basic_auth-Block + X-Robots-Tag-Zeile entfernen, committen, 'docker exec marketing-caddy caddy reload' auf marketing-VPS.
This commit is contained in:
Pascal Oelmann
parent
cacf38dc10
commit
d14f828aa5
1 changed files with 30 additions and 88 deletions
|
|
@ -1,112 +1,54 @@
|
|||
# Marketing-VPS Caddyfile — wird auf marketing.digiformer.eu deployt
|
||||
#
|
||||
# Eine Caddy-Instanz hostet alle statischen Marken-Sites über file_server.
|
||||
# Per-Marke ein Block. Jede Marke hat ihren eigenen Verzeichnis-Tree unter /var/www/<domain>/.
|
||||
# Forgejo Actions rsync't den Astro-Build-Output dorthin.
|
||||
|
||||
{
|
||||
# globale Optionen
|
||||
email pascal.oelmann@digiformer.net
|
||||
servers {
|
||||
metrics # Prometheus-Endpoint :2019/metrics für späteres Monitoring
|
||||
}
|
||||
}
|
||||
|
||||
# — slimcore.io —
|
||||
slimcore.io, www.slimcore.io {
|
||||
root * /var/www/slimcore.io
|
||||
encode zstd gzip
|
||||
|
||||
# Common security headers as snippet
|
||||
(security_headers) {
|
||||
header {
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
X-Content-Type-Options nosniff
|
||||
Referrer-Policy strict-origin-when-cross-origin
|
||||
Permissions-Policy "interest-cohort=()"
|
||||
-Server
|
||||
}
|
||||
|
||||
# Astro generiert echte HTML-Files für jede Route, kein SPA-Fallback nötig
|
||||
# /index.html, /en/index.html, /module/index.html, /en/module/index.html, etc.
|
||||
file_server
|
||||
|
||||
# Sitemap, robots.txt, OG-Image direkt aus dem Root
|
||||
@static_root path /sitemap-*.xml /robots.txt /favicon.svg /og-default.png
|
||||
handle @static_root {
|
||||
file_server
|
||||
}
|
||||
|
||||
# Cache-Header pro Asset-Typ
|
||||
@assets path /_astro/* /fonts/*
|
||||
handle @assets {
|
||||
header Cache-Control "public, max-age=31536000, immutable"
|
||||
}
|
||||
|
||||
@html path *.html /
|
||||
handle @html {
|
||||
header Cache-Control "public, max-age=300, must-revalidate"
|
||||
}
|
||||
|
||||
# Redirects — sollten in Astro-Site selbst leben, aber als Sicherheits-Netz hier
|
||||
redir /home / permanent
|
||||
redir /index / permanent
|
||||
|
||||
log {
|
||||
output file /var/log/caddy/slimcore.io.log {
|
||||
roll_size 100MiB
|
||||
roll_keep 14
|
||||
}
|
||||
format json
|
||||
}
|
||||
}
|
||||
|
||||
# — digiformer.eu — (sobald migriert)
|
||||
slimcore.io, www.slimcore.io {
|
||||
root * /var/www/slimcore.io
|
||||
try_files {path} {path}/ /index.html
|
||||
file_server
|
||||
encode zstd gzip
|
||||
import security_headers
|
||||
|
||||
# Pre-Launch: Basic-Auth fuer die ganze Site (User: demo / Pass: demo)
|
||||
# Entfernen, sobald die Seite oeffentlich gehen soll.
|
||||
basic_auth {
|
||||
demo $2a$14$FQAC7jJWZnGJzPxNtCIkWOSrYDazfp6/bZR9oNl8IoZmOTh89wF.6
|
||||
}
|
||||
# Solange die Site nicht oeffentlich ist, soll sie auch nicht indexiert werden:
|
||||
header X-Robots-Tag "noindex, nofollow"
|
||||
}
|
||||
|
||||
digiformer.eu, www.digiformer.eu {
|
||||
root * /var/www/digiformer.eu
|
||||
encode zstd gzip
|
||||
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
try_files {path} {path}/ /index.html
|
||||
file_server
|
||||
log {
|
||||
output file /var/log/caddy/digiformer.eu.log
|
||||
}
|
||||
encode zstd gzip
|
||||
import security_headers
|
||||
}
|
||||
|
||||
# — slimsafe.io — (sobald Marketing-Site existiert)
|
||||
slimsafe.io, www.slimsafe.io {
|
||||
root * /var/www/slimsafe.io
|
||||
encode zstd gzip
|
||||
header Strict-Transport-Security "max-age=31536000"
|
||||
try_files {path} {path}/ /index.html
|
||||
file_server
|
||||
log {
|
||||
output file /var/log/caddy/slimsafe.io.log
|
||||
}
|
||||
encode zstd gzip
|
||||
import security_headers
|
||||
}
|
||||
|
||||
# — fonboard.io — (sobald Marketing-Site existiert)
|
||||
fonboard.io, www.fonboard.io {
|
||||
root * /var/www/fonboard.io
|
||||
encode zstd gzip
|
||||
header Strict-Transport-Security "max-age=31536000"
|
||||
try_files {path} {path}/ /index.html
|
||||
file_server
|
||||
log {
|
||||
output file /var/log/caddy/fonboard.io.log
|
||||
}
|
||||
encode zstd gzip
|
||||
import security_headers
|
||||
}
|
||||
|
||||
# — Status-Page (intern, basicauth-geschützt) —
|
||||
status.digiformer.eu {
|
||||
reverse_proxy 127.0.0.1:3001
|
||||
basicauth {
|
||||
# caddy hash-password generiert den bcrypt-Hash
|
||||
# echtes Passwort beim Setup setzen
|
||||
pascal $2a$14$REPLACE_WITH_BCRYPT_HASH
|
||||
}
|
||||
}
|
||||
|
||||
# Catch-all — unbekannte Hostnames bekommen 404, kein Default-Server
|
||||
# Catch-all for unknown hostnames hitting the IP directly
|
||||
:80 {
|
||||
respond "Not Found" 404
|
||||
}
|
||||
|
||||
:443 {
|
||||
respond "Not Found" 404
|
||||
respond "Not found" 404
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue