mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-14 14:32:51 +01:00
a25b8135b8
Mostly affects people who disable the integrated `matrix-nginx-proxy`.
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f
.
205 lines
6.9 KiB
Caddyfile
205 lines
6.9 KiB
Caddyfile
matrix.DOMAIN.tld {
|
|
|
|
# creates letsencrypt certificate
|
|
# tls your@email.com
|
|
|
|
@identity {
|
|
path /_matrix/identity/*
|
|
}
|
|
|
|
@noidentity {
|
|
not path /_matrix/identity/*
|
|
}
|
|
|
|
@search {
|
|
path /_matrix/client/r0/user_directory/search/*
|
|
}
|
|
|
|
@nosearch {
|
|
not path /_matrix/client/r0/user_directory/search/*
|
|
}
|
|
|
|
@static {
|
|
path /matrix/static-files/*
|
|
}
|
|
|
|
@nostatic {
|
|
not path /matrix/static-files/*
|
|
}
|
|
|
|
header {
|
|
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
X-XSS-Protection "1; mode=block"
|
|
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
X-Content-Type-Options "nosniff"
|
|
# Disallow the site to be rendered within a frame (clickjacking protection)
|
|
X-Frame-Options "DENY"
|
|
# X-Robots-Tag
|
|
X-Robots-Tag "noindex, noarchive, nofollow"
|
|
167,9 79%
|
|
}
|
|
|
|
# Cache
|
|
header @static {
|
|
# Cache
|
|
Cache-Control "public, max-age=31536000"
|
|
defer
|
|
}
|
|
|
|
# identity
|
|
handle @identity {
|
|
reverse_proxy localhost:8090 {
|
|
header_up X-Forwarded-Port {http.request.port}
|
|
header_up X-Forwarded-Proto {http.request.scheme}
|
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
header_up X-Forwarded-HttpsProto {proto}
|
|
}
|
|
}
|
|
|
|
# search
|
|
handle @search {
|
|
reverse_proxy localhost:8090 {
|
|
header_up X-Forwarded-Port {http.request.port}
|
|
header_up X-Forwarded-Proto {http.request.scheme}
|
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
header_up X-Forwarded-HttpsProto {proto}
|
|
}
|
|
}
|
|
|
|
handle {
|
|
encode zstd gzip
|
|
|
|
reverse_proxy localhost:8008 {
|
|
header_up X-Forwarded-Port {http.request.port}
|
|
header_up X-Forwarded-Proto {http.request.scheme}
|
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
header_up X-Forwarded-HttpsProto {proto}
|
|
}
|
|
}
|
|
}
|
|
|
|
matrix.DOMAIN.tld:8448 {
|
|
handle {
|
|
encode zstd gzip
|
|
|
|
reverse_proxy 127.0.0.1:8048 {
|
|
header_up X-Forwarded-Port {http.request.port}
|
|
header_up X-Forwarded-Proto {http.request.scheme}
|
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
header_up X-Forwarded-HttpsProto {proto}
|
|
}
|
|
}
|
|
}
|
|
|
|
element.DOMAIN.tld {
|
|
|
|
# creates letsencrypt certificate
|
|
# tls your@email.com
|
|
|
|
header {
|
|
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
X-XSS-Protection "1; mode=block"
|
|
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
X-Content-Type-Options "nosniff"
|
|
# Disallow the site to be rendered within a frame (clickjacking protection)
|
|
X-Frame-Options "DENY"
|
|
# X-Robots-Tag
|
|
X-Robots-Tag "noindex, noarchive, nofollow"
|
|
}
|
|
|
|
handle {
|
|
encode zstd gzip
|
|
|
|
reverse_proxy localhost:8765 {
|
|
header_up X-Forwarded-Port {http.request.port}
|
|
header_up X-Forwarded-Proto {http.request.scheme}
|
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
header_up X-Forwarded-HttpsProto {proto}
|
|
}
|
|
}
|
|
|
|
#dimension.DOMAIN.tld {
|
|
#
|
|
# # creates letsencrypt certificate
|
|
# # tls your@email.com
|
|
#
|
|
# header {
|
|
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
# X-XSS-Protection "1; mode=block"
|
|
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
# X-Content-Type-Options "nosniff"
|
|
# # Disallow the site to be rendered within a frame (clickjacking protection)
|
|
# X-Frame-Options "DENY"
|
|
# # X-Robots-Tag
|
|
# X-Robots-Tag "noindex, noarchive, nofollow"
|
|
# }
|
|
#
|
|
# handle {
|
|
# encode zstd gzip
|
|
#
|
|
# reverse_proxy localhost:8184 {
|
|
# header_up X-Forwarded-Port {http.request.port}
|
|
# header_up X-Forwarded-Proto {http.request.scheme}
|
|
# header_up X-Forwarded-TlsProto {tls_protocol}
|
|
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
# header_up X-Forwarded-HttpsProto {proto}
|
|
# }
|
|
# }
|
|
#}
|
|
|
|
|
|
#jitsi.DOMAIN.tld {
|
|
#
|
|
# creates letsencrypt certificate
|
|
# tls your@email.com
|
|
#
|
|
# header {
|
|
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
#
|
|
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
# X-XSS-Protection "1; mode=block"
|
|
#
|
|
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
# X-Content-Type-Options "nosniff"
|
|
#
|
|
# # Disallow the site to be rendered within a frame (clickjacking protection)
|
|
# X-Frame-Options "SAMEORIGIN"
|
|
#
|
|
# # Disable some features
|
|
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
|
#
|
|
# # Referer
|
|
# Referrer-Policy "no-referrer"
|
|
#
|
|
# # X-Robots-Tag
|
|
# X-Robots-Tag "none"
|
|
#
|
|
# # Remove Server header
|
|
# -Server
|
|
# }
|
|
#
|
|
# handle {
|
|
# encode zstd gzip
|
|
#
|
|
# reverse_proxy 127.0.0.1:13080 {
|
|
# header_up X-Forwarded-Port {http.request.port}
|
|
# header_up X-Forwarded-Proto {http.request.scheme}
|
|
# header_up X-Forwarded-TlsProto {tls_protocol}
|
|
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
# header_up X-Forwarded-HttpsProto {proto}
|
|
# }
|
|
# }
|
|
#}
|