-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCaddyfile.letsencrypt.example
More file actions
62 lines (57 loc) · 2.33 KB
/
Copy pathCaddyfile.letsencrypt.example
File metadata and controls
62 lines (57 loc) · 2.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Caddy config - automatic Let's Encrypt TLS.
#
# Use this flavor when:
# - The public domain resolves to this host's public IP
# - Ports 80 and 443 are reachable from the internet (LE uses
# the HTTP-01 challenge over port 80 to validate the domain)
#
# Copy this file to `Caddyfile`, edit the two TODOs below, then
# bring the stack up. Caddy will provision the cert on first start
# and renew it automatically; cert state persists in the `caddy-data`
# docker volume across restarts.
#
# If the domain is not publicly reachable (private DNS, air-gapped,
# behind a corporate proxy), use Caddyfile.byo.example instead.
{
# Disable the admin API (localhost:2019). This stack drives caddy
# entirely from this static Caddyfile and never uses the runtime
# admin API, so turning it off removes a full-reconfiguration
# endpoint from the container's attack surface. Reloads still work
# via `docker compose restart caddy` (a container restart re-reads
# the Caddyfile); only the in-place `caddy reload` is unavailable.
admin off
# Contact address Let's Encrypt sends expiry warnings to if a
# renewal fails within ~3 weeks of expiry.
# TODO: replace with a monitored mailbox.
email admin@example.com
}
# TODO: replace example.com with the public domain. Must match
# `ui_origin` and `callback_base_url` in config.toml. No domain of
# your own? Use `<dashed-public-ip>.nip.io` (e.g.
# `203-0-113-45.nip.io`) - nip.io resolves any dashed-IP subdomain
# to that IP, and Let's Encrypt issues against it.
example.com {
encode gzip zstd
# API + health endpoints. The gateway terminates its own TLS
# with a self-signed cert on the docker bridge; the connection
# never leaves the host, and the gateway cert's SAN is bound to
# the bridge hostname `gateway` (no public CA could issue for it
# anyway), so skipping verification is safe here.
@api path /api/* /healthz
handle @api {
reverse_proxy https://gateway:8000 {
transport http {
tls
tls_insecure_skip_verify
}
}
}
# Static SPA. try_files {path} /index.html is the SPA fallback
# so deep-link hard refreshes serve index.html and client-side
# routing takes over.
handle {
root * /srv/ui
try_files {path} /index.html
file_server
}
}