-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathCaddyfile
More file actions
85 lines (79 loc) · 2.8 KB
/
Copy pathCaddyfile
File metadata and controls
85 lines (79 loc) · 2.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# nebula-mgmt — opinionated Caddy reverse-proxy snippet.
#
# Drop this into /etc/caddy/Caddyfile (or include from your existing
# Caddyfile) and replace `mgmt.example.com`. Caddy will automatically
# obtain and renew a Let's Encrypt certificate.
#
# Reload after editing:
# sudo systemctl reload caddy
#
# In server.yml, set `rate_limit.trust_proxy_header: true` so the
# management server's rate limiter keys on the real client IP instead
# of Caddy's loopback.
mgmt.example.com {
encode gzip
# Security headers.
header {
Strict-Transport-Security "max-age=63072000; includeSubDomains"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
Referrer-Policy "no-referrer"
}
# SSE endpoint — disable buffering so /ui/events streams immediately.
@sse path /ui/events
reverse_proxy @sse 127.0.0.1:8080 {
flush_interval -1
transport http {
read_timeout 24h
write_timeout 24h
}
}
# Everything else — straight reverse proxy. Caddy auto-fills X-Forwarded-*
# headers; nothing extra to configure for the rate limiter to see the
# real client IP.
reverse_proxy 127.0.0.1:8080
# ------------------------------------------------------------------
# Optional: mTLS on the UI only (issue #69).
#
# Require a client certificate from any browser hitting /ui/ or /,
# while leaving /api/ (admin API + agent endpoints) and the
# operations endpoints (/healthz, /readyz, /metrics, /debug/)
# reachable without one. Agents and Prometheus rarely speak mTLS.
#
# To enable:
# 1. Drop the operator-CA bundle into /etc/caddy/ui-clients-ca.pem.
# 2. Uncomment the tls block and the @ui matcher below.
# 3. systemctl reload caddy
#
# tls {
# client_auth {
# mode require_and_verify
# trusted_ca_cert_file /etc/caddy/ui-clients-ca.pem
# }
# }
# @ui {
# path /ui/* /
# }
# # Caddy applies the listener-level client_auth above to every
# # request; to keep /api, /healthz, /readyz, /metrics, /debug
# # client-cert-free, prefer the second-listener / second-site
# # approach below.
}
# Alternative: a second site (different hostname) that fronts the
# Web UI with mTLS, while the public hostname above keeps the API and
# ops endpoints anonymous. Browsers visit https://ui.mgmt.example.com,
# agents and Prometheus visit https://mgmt.example.com.
#
# ui.mgmt.example.com {
# tls {
# client_auth {
# mode require_and_verify
# trusted_ca_cert_file /etc/caddy/ui-clients-ca.pem
# }
# }
# @api path /api/* /healthz /readyz /metrics /debug/*
# handle @api {
# respond 404
# }
# reverse_proxy 127.0.0.1:8080
# }