Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
chiappa
/
irdb
-ын хуулбар https://git.snix.ch/chiappa/irdb.git
1
0
Салаа 0
Файлууд Асуудлууд 0
Мод: b2ac7e2d98
Салаанууд Тагууд
irdb
/
api
/
docker
/
Caddyfile

Caddyfile 2.6 KB
Түүх Анхны өгөгдөл

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. # FrankenPHP Caddyfile for the api container.
    2. 

  2. # Serves Slim from public/ on :8081.
    3. 

  3. {
    4. 

  4.     frankenphp
    5. 

  5.     order php_server before file_server
    6. 

  6.     auto_https off
    7. 

  7.     admin off
    8. 

  8.     servers {
    9. 

  9.         trusted_proxies static private_ranges
    10. 

  10.     }
    11. 

  11. }
    12. 

  12. 

  13. :8081 {
    14. 

  14.     root * /app/public
    15. 

  15.     encode zstd gzip
    16. 

  16. 

  17.     # ── Security headers (M14) ──────────────────────────────────────────
    18. 

  18.     # Applied to every response. The api serves JSON + the OpenAPI YAML +
    19. 

  19.     # the /api/docs viewer; everything else is locked down.
    20. 

  20.     header {
    21. 

  21.         # Identify ourselves as little as possible.
    22. 

  22.         -Server
    23. 

  23.         -X-Powered-By
    24. 

  24.         X-Content-Type-Options "nosniff"
    25. 

  25.         # The api doesn't render its own pages except /api/docs which is a
    26. 

  26.         # single embedded viewer; SAMEORIGIN is the conservative default
    27. 

  27.         # that still allows future same-origin embedding.
    28. 

  28.         X-Frame-Options "SAMEORIGIN"
    29. 

  29.         Referrer-Policy "strict-origin-when-cross-origin"
    30. 

  30.         Permissions-Policy "geolocation=(), microphone=(), camera=()"
    31. 

  31.     }
    32. 

  32. 

  33.     # HSTS: prod-only. Setting it in dev would lock you out of plain-HTTP
    34. 

  34.     # localhost on the same hostname (sticky for 1 year). Gate strictly.
    35. 

  35.     @prod expression `{env.APP_ENV} == "production"`
    36. 

  36.     header @prod Strict-Transport-Security "max-age=31536000; includeSubDomains"
    37. 

  37. 

  38.     # CSP: docs viewer needs RapiDoc from jsDelivr + inline styles + the
    39. 

  39.     # try-it-now feature posting to /api/v1/*. Everything else is JSON.
    40. 

  40.     @docs path /api/docs /api/v1/openapi.yaml
    41. 

  41.     header @docs Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
    42. 

  42. 

  43.     @not_docs not path /api/docs /api/v1/openapi.yaml
    44. 

  44.     header @not_docs Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; base-uri 'none'"
    45. 

  45. 

  46.     # Internal jobs API: only callable from loopback / RFC1918.
    47. 

  47.     # The PHP layer also enforces this (InternalNetworkMiddleware) — Caddy
    48. 

  48.     # is the first line of defence for production deployments where the
    49. 

  49.     # api is reachable from the public internet.
    50. 

  50.     @internal {
    51. 

  51.         path /internal/*
    52. 

  52.         remote_ip 127.0.0.1/32 ::1/128 172.16.0.0/12 10.0.0.0/8 192.168.0.0/16
    53. 

  53.     }
    54. 

  54.     handle @internal {
    55. 

  55.         php_server
    56. 

  56.     }
    57. 

  57. 

  58.     @external_internal_blocked {
    59. 

  59.         path /internal/*
    60. 

  60.         not remote_ip 127.0.0.1/32 ::1/128 172.16.0.0/12 10.0.0.0/8 192.168.0.0/16
    61. 

  61.     }
    62. 

  62.     respond @external_internal_blocked 404
    63. 

  63. 

  64.     php_server
    65. 

  65. }
    66.