1 # Caddy snippet for the docs subdomain. Either include this file
2 # from the main Caddyfile (`import deploy/docs-site/Caddyfile.snippet`)
3 # or run a separate Caddy instance dedicated to docs serving.
4 #
5 # The site itself is static — built by `make docs` and synced to
# Spaces by `deploy/docs-site/sync-to-spaces.sh`. Caddy itself does not
# cache: every request is proxied to Spaces, and the Cache-Control header
# below lets browsers/CDN reuse a page for 5 minutes, so a new release is
# visible within about five minutes of the sync (a cached copy may be
# served once more while it revalidates in the background).
9
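docs.shithub.example {
	encode gzip zstd

	# Docs live in a Spaces bucket; Caddy fronts it so we can layer our
	# own cache/security headers and a sane 404 page on top.
	reverse_proxy https://shithub-docs.nyc3.digitaloceanspaces.com {
		# Spaces routes on the bucket hostname, not ours.
		header_up Host {http.reverse_proxy.upstream.host}
		header_up -X-Forwarded-Host
		# Nothing upstream needs browser credentials: a cookie scoped to
		# the parent domain (if the apex ever sets one) or a stray
		# Authorization header would otherwise be forwarded verbatim to
		# a third-party host.
		header_up -Cookie
		header_up -Authorization
		transport http {
			tls
		}

		# Upstream 4xx/5xx are ordinary responses to reverse_proxy, not
		# errors, so the handle_errors block below never sees a missing
		# object. Intercept the bucket's 404 here and serve our own page,
		# keeping the 404 status (file_server would answer 200 otherwise).
		@notfound status 404
		handle_response @notfound {
			rewrite * /404.html
			file_server {
				root /var/lib/shithub/docs-fallback
				status 404
			}
		}
	}

	# Because this block contains a delete (-Server), Caddy defers the
	# whole block until the response is written, so these values also
	# override whatever Spaces sends for the same fields.
	header {
		# Static content; browsers + CDN may reuse a page for 5 min and
		# may serve a stale copy for up to a day while revalidating.
		Cache-Control "public, max-age=300, stale-while-revalidate=86400"
		# Standard HSTS posture. includeSubDomains here only covers
		# *.docs.shithub.example; the apex must send its own HSTS header
		# (with includeSubDomains) for the policy to cover the whole domain.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		# Drop the default Caddy server header (delete takes no value).
		-Server
		# Tighten the embed/clickjack surface (frame-ancestors in the CSP
		# below says the same thing for CSP-aware browsers).
		X-Frame-Options "DENY"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		# Docs include code samples; no scripts beyond mdBook's own
		# bundled ones. CSP is conservative.
		# NOTE(review): mdBook's default theme is believed to ship small
		# inline <script> snippets (theme bootstrap); if the docs build
		# keeps them, script-src 'self' blocks them. Check the browser
		# console on a built page before relying on this policy.
		Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'"
	}

	# Caddy-side errors only (e.g. Spaces unreachable, or the fallback
	# file itself missing); upstream 404s are handled inside reverse_proxy
	# above. NOTE(review): the deferred header block above is not applied
	# to responses written from this chain; repeat the security headers
	# here if the fallback page must carry them.
	handle_errors {
		@404 expression {http.error.status_code} == 404
		handle @404 {
			rewrite * /404.html
			file_server {
				root /var/lib/shithub/docs-fallback
			}
		}
	}

	log {
		output file /var/log/caddy/docs-access.log {
			roll_size 100MiB
			roll_keep 10
		}
		# JSON access log minus request fields that may carry
		# credentials: Caddy logs request headers in full by default, so
		# a parent-domain cookie or an Authorization header would
		# otherwise land on disk in clear text.
		format filter {
			wrap json
			request>headers>Cookie delete
			request>headers>Authorization delete
		}
	}
}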