Caddyfile

Author: webees

.env

@@ -2,7 +2,7 @@
 # If you don't have your own domain (highly recommended)
 # comment this out for first deployment, add your fly.dev domain here
 # then reset your secrets and redeploy your app (untested)
-CADDY_DOMAIN=domain.name.com
+DOMAIN_NAME=domain.name.com
 
 ###################
 # E-mail settings #

Dockerfile

@@ -7,9 +7,7 @@ ARG SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.
 
 ENV TZ="Asia/Shanghai" \
 
-    CADDY_DOMAIN= \
-    CADDY_PORT=80 \
-    GOTIFY_SERVER_PORT=8080 \
+    DOMAIN_NAME= \
 
     OVERMIND_CAN_DIE=caddy,crontab \
     OVERMIND_PROCFILE=/Procfile \
@@ -29,8 +27,8 @@ ENV TZ="Asia/Shanghai" \
 
 COPY config/crontab \
      config/Procfile \
+     config/Caddyfile \
      scripts/restic.sh \
-     scripts/caddy.sh \
      /
 
 RUN apt update && apt install -y --no-install-recommends \
@@ -65,7 +63,6 @@ RUN apt update && apt install -y --no-install-recommends \
 
         && chmod +x /usr/local/bin/supercronic \
         && chmod +x /usr/local/bin/overmind \
-        && chmod +x /restic.sh \
-        && chmod +x /caddy.sh
+        && chmod +x /restic.sh
 
 ENTRYPOINT ["overmind", "start"]

config/Caddyfile

@@ -0,0 +1,45 @@
+{
+  # HTTPS/TLS is handled by Fly or on your domain (eg: Cloudflare)
+  auto_https off
+  admin off
+  persist_config off
+
+  log {
+    output stdout
+    format console
+  }
+}
+
+{$DOMAIN_NAME}:80 {
+	encode zstd gzip
+
+	header / {
+		# Enable HTTP Strict Transport Security (HSTS)
+		Strict-Transport-Security "max-age=31536000;"
+		# Enable cross-site filter (XSS) and tell browser to block detected attacks
+		X-XSS-Protection "1; mode=block"
+		# Disallow the site to be rendered within a frame (clickjacking protection)
+		X-Frame-Options "DENY"
+		# Prevent search engines from indexing
+		X-Robots-Tag "noindex, nofollow"
+		# Disallow sniffing of X-Content-Type-Options
+		X-Content-Type-Options "nosniff"
+		# Server name removing
+		-Server
+		# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+		-X-Powered-By
+		# Remove Last-Modified because etag is the same and is as effective
+		-Last-Modified
+  }
+
+  route /health {
+    respond "Hello, world!"
+  }
+
+  reverse_proxy localhost:8080 {
+		# Send the true remote IP to Rocket, so that vaultwarden can put this in the log
+		@cloudflare header Cf-Connecting-Ip *
+		header_up @cloudflare X-Real-IP {http.request.header.Cf-Connecting-Ip}
+		header_up !@cloudflare X-Real-IP {remote_host}
+  }
+}

config/Procfile

@@ -1,3 +1,3 @@
 gotify: cd /app && ./gotify-app
-caddy: /caddy.sh
+caddy: caddy run --config /Caddyfile
 crontab: supercronic /crontab