digiformer/slimcore-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

infra/marketing-vps/Caddyfile: Sync mit Live-Stand
Some checks failed
Deploy Marketing-Site / Build, Test und Deploy (push) Failing after 1m11s
Details

Browse source 
Die Repo-Version war eine 'Wunsch-Version' aus dem Brief mit Logging,
Cache-Headers und Status-Page-Auth-Placeholder. Tatsaechlich produktiv laufen
die schlanken Bloecke aus diesem Commit, plus ein temporaerer Basic-Auth-
Schutz fuer slimcore.io (User: demo / Pass: demo, bcrypt-Hash inline)
solange die Site noch im Aufbau ist.

Vor Live-Schaltung: basic_auth-Block + X-Robots-Tag-Zeile entfernen,
committen, 'docker exec marketing-caddy caddy reload' auf marketing-VPS.
This commit is contained in:
Pascal Oelmann 2026-05-05 02:33:19 +02:00
parent cacf38dc10
commit d14f828aa5
1 changed files with 30 additions and 88 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

118
infra/marketing-vps/Caddyfile
View file

@ -1,112 +1,54 @@
# Marketing-VPS Caddyfile — wird auf marketing.digiformer.eu deployt # Common security headers as snippet
# (security_headers) {
# Eine Caddy-Instanz hostet alle statischen Marken-Sites über file_server.
# Per-Marke ein Block. Jede Marke hat ihren eigenen Verzeichnis-Tree unter /var/www/<domain>/.
# Forgejo Actions rsync't den Astro-Build-Output dorthin.
{
# globale Optionen
email pascal.oelmann@digiformer.net
servers {
metrics # Prometheus-Endpoint :2019/metrics für späteres Monitoring
}
}
# — slimcore.io —
slimcore.io, www.slimcore.io {
root * /var/www/slimcore.io
encode zstd gzip
header { header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options nosniff X-Content-Type-Options nosniff
Referrer-Policy strict-origin-when-cross-origin Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy "interest-cohort=()"
-Server -Server
} }
# Astro generiert echte HTML-Files für jede Route, kein SPA-Fallback nötig
# /index.html, /en/index.html, /module/index.html, /en/module/index.html, etc.
file_server
# Sitemap, robots.txt, OG-Image direkt aus dem Root
@static_root path /sitemap-*.xml /robots.txt /favicon.svg /og-default.png
handle @static_root {
file_server
}
# Cache-Header pro Asset-Typ
@assets path /_astro/* /fonts/*
handle @assets {
header Cache-Control "public, max-age=31536000, immutable"
}
@html path *.html /
handle @html {
header Cache-Control "public, max-age=300, must-revalidate"
}
# Redirects — sollten in Astro-Site selbst leben, aber als Sicherheits-Netz hier
redir /home / permanent
redir /index / permanent
log {
output file /var/log/caddy/slimcore.io.log {
roll_size 100MiB
roll_keep 14
}
format json
}
} }
# — digiformer.eu — (sobald migriert) slimcore.io, www.slimcore.io {
root * /var/www/slimcore.io
try_files {path} {path}/ /index.html
file_server
encode zstd gzip
import security_headers
# Pre-Launch: Basic-Auth fuer die ganze Site (User: demo / Pass: demo)
# Entfernen, sobald die Seite oeffentlich gehen soll.
basic_auth {
demo $2a$14$FQAC7jJWZnGJzPxNtCIkWOSrYDazfp6/bZR9oNl8IoZmOTh89wF.6
}
# Solange die Site nicht oeffentlich ist, soll sie auch nicht indexiert werden:
header X-Robots-Tag "noindex, nofollow"
}
digiformer.eu, www.digiformer.eu { digiformer.eu, www.digiformer.eu {
root * /var/www/digiformer.eu root * /var/www/digiformer.eu
encode zstd gzip try_files {path} {path}/ /index.html
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
file_server file_server
log { encode zstd gzip
output file /var/log/caddy/digiformer.eu.log import security_headers
}
} }
# — slimsafe.io — (sobald Marketing-Site existiert)
slimsafe.io, www.slimsafe.io { slimsafe.io, www.slimsafe.io {
root * /var/www/slimsafe.io root * /var/www/slimsafe.io
encode zstd gzip try_files {path} {path}/ /index.html
header Strict-Transport-Security "max-age=31536000"
file_server file_server
log { encode zstd gzip
output file /var/log/caddy/slimsafe.io.log import security_headers
}
} }
# — fonboard.io — (sobald Marketing-Site existiert)
fonboard.io, www.fonboard.io { fonboard.io, www.fonboard.io {
root * /var/www/fonboard.io root * /var/www/fonboard.io
encode zstd gzip try_files {path} {path}/ /index.html
header Strict-Transport-Security "max-age=31536000"
file_server file_server
log { encode zstd gzip
output file /var/log/caddy/fonboard.io.log import security_headers
}
} }
# — Status-Page (intern, basicauth-geschützt) — # Catch-all for unknown hostnames hitting the IP directly
status.digiformer.eu {
reverse_proxy 127.0.0.1:3001
basicauth {
# caddy hash-password generiert den bcrypt-Hash
# echtes Passwort beim Setup setzen
pascal $2a$14$REPLACE_WITH_BCRYPT_HASH
}
}
# Catch-all — unbekannte Hostnames bekommen 404, kein Default-Server
:80 { :80 {
respond "Not Found" 404 respond "Not found" 404
}
:443 {
respond "Not Found" 404
} }