From d14f828aa5a38ee7aabf6e4005371d6904de050a Mon Sep 17 00:00:00 2001
From: Pascal Oelmann
Date: Tue, 5 May 2026 02:33:19 +0200
Subject: [PATCH] infra/marketing-vps/Caddyfile: Sync mit Live-Stand

Die Repo-Version war eine 'Wunsch-Version' aus dem Brief mit Logging, Cache-Headers und Status-Page-Auth-Placeholder. Tatsaechlich produktiv laufen die schlanken Bloecke aus diesem Commit, plus ein temporaerer Basic-Auth- Schutz fuer slimcore.io (User: demo / Pass: demo, bcrypt-Hash inline) solange die Site noch im Aufbau ist. Vor Live-Schaltung: basic_auth-Block + X-Robots-Tag-Zeile entfernen, committen, 'docker exec marketing-caddy caddy reload' auf marketing-VPS.

---
 infra/marketing-vps/Caddyfile | 118 +++++++++------------------------
 1 file changed, 30 insertions(+), 88 deletions(-)

diff --git a/infra/marketing-vps/Caddyfile b/infra/marketing-vps/Caddyfile
index 1072c54..6d3ee6b 100644
--- a/infra/marketing-vps/Caddyfile
+++ b/infra/marketing-vps/Caddyfile
@@ -1,112 +1,54 @@
-# Marketing-VPS Caddyfile — wird auf marketing.digiformer.eu deployt
-#
-# Eine Caddy-Instanz hostet alle statischen Marken-Sites über file_server.
-# Per-Marke ein Block. Jede Marke hat ihren eigenen Verzeichnis-Tree unter /var/www//.
-# Forgejo Actions rsync't den Astro-Build-Output dorthin.
-
-{
-# globale Optionen
-email pascal.oelmann@digiformer.net
-servers {
-metrics # Prometheus-Endpoint :2019/metrics für späteres Monitoring
-}
-}
-
-# — slimcore.io —
-slimcore.io, www.slimcore.io {
-root * /var/www/slimcore.io
-encode zstd gzip
-
+# Common security headers as snippet
+(security_headers) {
 header {
-Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+Strict-Transport-Security "max-age=31536000; includeSubDomains"
 X-Content-Type-Options nosniff
 Referrer-Policy strict-origin-when-cross-origin
-Permissions-Policy "interest-cohort=()"
 -Server
 }
-
-# Astro generiert echte HTML-Files für jede Route, kein SPA-Fallback nötig
-# /index.html, /en/index.html, /module/index.html, /en/module/index.html, etc.
-file_server
-
-# Sitemap, robots.txt, OG-Image direkt aus dem Root
-@static_root path /sitemap-*.xml /robots.txt /favicon.svg /og-default.png
-handle @static_root {
-file_server
-}
-
-# Cache-Header pro Asset-Typ
-@assets path /_astro/* /fonts/*
-handle @assets {
-header Cache-Control "public, max-age=31536000, immutable"
-}
-
-@html path *.html /
-handle @html {
-header Cache-Control "public, max-age=300, must-revalidate"
-}
-
-# Redirects — sollten in Astro-Site selbst leben, aber als Sicherheits-Netz hier
-redir /home / permanent
-redir /index / permanent
-
-log {
-output file /var/log/caddy/slimcore.io.log {
-roll_size 100MiB
-roll_keep 14
-}
-format json
-}
 }
 
-# — digiformer.eu — (sobald migriert)
+slimcore.io, www.slimcore.io {
+root * /var/www/slimcore.io
+try_files {path} {path}/ /index.html
+file_server
+encode zstd gzip
+import security_headers
+
+# Pre-Launch: Basic-Auth fuer die ganze Site (User: demo / Pass: demo)
+# Entfernen, sobald die Seite oeffentlich gehen soll.
+basic_auth {
+demo $2a$14$FQAC7jJWZnGJzPxNtCIkWOSrYDazfp6/bZR9oNl8IoZmOTh89wF.6
+}
+# Solange die Site nicht oeffentlich ist, soll sie auch nicht indexiert werden:
+header X-Robots-Tag "noindex, nofollow"
+}
+
 digiformer.eu, www.digiformer.eu {
 root * /var/www/digiformer.eu
-encode zstd gzip
-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
+try_files {path} {path}/ /index.html
 file_server
-log {
-output file /var/log/caddy/digiformer.eu.log
-}
+encode zstd gzip
+import security_headers
 }
 
-# — slimsafe.io — (sobald Marketing-Site existiert)
 slimsafe.io, www.slimsafe.io {
 root * /var/www/slimsafe.io
-encode zstd gzip
-header Strict-Transport-Security "max-age=31536000"
+try_files {path} {path}/ /index.html
 file_server
-log {
-output file /var/log/caddy/slimsafe.io.log
-}
+encode zstd gzip
+import security_headers
 }
 
-# — fonboard.io — (sobald Marketing-Site existiert)
 fonboard.io, www.fonboard.io {
 root * /var/www/fonboard.io
-encode zstd gzip
-header Strict-Transport-Security "max-age=31536000"
+try_files {path} {path}/ /index.html
 file_server
-log {
-output file /var/log/caddy/fonboard.io.log
-}
+encode zstd gzip
+import security_headers
 }
 
-# — Status-Page (intern, basicauth-geschützt) —
-status.digiformer.eu {
-reverse_proxy 127.0.0.1:3001
-basicauth {
-# caddy hash-password generiert den bcrypt-Hash
-# echtes Passwort beim Setup setzen
-pascal $2a$14$REPLACE_WITH_BCRYPT_HASH
-}
-}
-
-# Catch-all — unbekannte Hostnames bekommen 404, kein Default-Server
+# Catch-all for unknown hostnames hitting the IP directly
 :80 {
-respond "Not Found" 404
-}
-
-:443 {
-respond "Not Found" 404
+respond "Not found" 404
 }
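Review bot: The `try_files {path} {path}/ /index.html` line added to all four site blocks makes every request for a non-existent path answer 200 with the site root's index.html, because `/index.html` always exists and so always wins as the last fallback; the comment this commit removes says Astro emits a real HTML file per route and needs no SPA fallback, so unknown paths should 404 instead, e.g. `try_files {path} {path}/` (or no try_files at all, since file_server already serves directory indexes). Separately, every `log` block disappears and nothing replaces it, so the basic_auth-protected slimcore.io host has no access log at all; if that matches what runs live, a minimal `log { output file /var/log/caddy/slimcore.io.log }` is worth keeping so failed auth attempts and scanner traffic are at least visible. The directive is spelled `basic_auth` while the removed status block used `basicauth`; the underscore form presumably needs a Caddy release in which it was renamed, so confirm the `marketing-caddy` image is recent enough before the reload in the commit message, or the config fails to load. The `demo`/`demo` credentials are stated in the commit message, so the inline bcrypt hash protects nothing beyond casual crawlers; the comment already says to remove the block before launch, and the hash must not be reused for a real account.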