balrog Posted November 7, 2020 (edited)

I just want to show some examples of how I configured my Caddyfile as a reverse proxy. Maybe it is helpful for someone.

Basics

Activate HTTP/3 (put this at the top of your Caddyfile):

```
{
    servers * {
        protocol {
            experimental_http3
        }
    }
}
```

Simple Reverse Proxy

```
sub.domain.com {
    reverse_proxy 10.0.0.254:8080
}
```

Reverse Proxy with HTTPS backend and no trusted certificate

```
sub.domain.com {
    reverse_proxy 10.0.0.254:443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```

Reverse Proxy with IP-Whitelist (allowed networks: 10.0.0.0/24 and 10.1.1.0/24)

```
sub.domain.com {
    @internal {
        remote_ip 10.0.0.0/24 10.1.1.0/24
    }
    handle @internal {
        reverse_proxy 10.0.0.254:8080
    }
    respond 403
}
```

Streaming (Plex, Jellyfin, ...)

```
...
reverse_proxy 10.0.0.254:32400 {
    flush_interval -1
}
...
```

Cloudflare

This is only needed if you have the Cloudflare proxy activated (orange cloud).

Requirements

Caddy binary with the dns.providers.cloudflare plugin (Caddy-Builder): LINK

Create an API token on Cloudflare: LINK

Cloudflare API

```
sub.domain.com {
    tls {
        issuer acme {
            # either paste the token in place of <api-token> or read it from the environment
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
}
```

Cloudflare API + reverse proxy

```
sub.domain.com {
    tls {
        issuer acme {
            # either paste the token in place of <api-token> or read it from the environment
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
    reverse_proxy 10.0.0.254:80
}
```

Cloudflare API + reverse proxy + streaming

```
sub.domain.com {
    tls {
        issuer acme {
            # either paste the token in place of <api-token> or read it from the environment
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
    reverse_proxy 10.0.0.254:32400 {
        flush_interval -1
    }
}
```

Header Security

Create a file called "caddy_security.conf" in the Caddyfile directory (/etc/caddy/) with the following content:

```
header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Content-Security-Policy "frame-ancestors *.opum.ch"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(*), speaker=(), sync-xhr=(), usb=(), vr=()"
}
```

Now import this config into the Caddyfile:

```
sub.domain.com {
    import /etc/caddy/caddy_security.conf
    reverse_proxy 10.0.0.254:8080
}
```

With these settings you'll get an A+ on https://securityheaders.com/

Edited March 18, 2021 by balrog: Added "Header Security"
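As an added check (not part of balrog's post): a small Python script that reads the expected headers out of caddy_security.conf and compares them with what the proxied site actually returns, so you can tell whether the `import` took effect before running securityheaders.com. The embedded copy of the config (with a shortened Permissions-Policy) and the URL passed to `fetch_headers` are assumptions.

```python
import shlex
import urllib.request
from typing import Dict, List

# Constructed copy of the caddy_security.conf from the post (Permissions-Policy shortened).
CADDY_SECURITY_CONF = """
header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Content-Security-Policy "frame-ancestors *.opum.ch"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Permissions-Policy "camera=(), geolocation=(), microphone=()"
}
"""

def parse_header_block(conf: str) -> Dict[str, str]:
    """Extract `Field "value"` pairs from a Caddyfile `header { ... }` block.
    Only the plain set form is handled; lines using the +/-/>/? operator prefixes are skipped."""
    expected: Dict[str, str] = {}
    inside = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop Caddyfile comments
        if not line:
            continue
        if not inside:
            inside = line.startswith("header") and line.endswith("{")
            continue
        if line == "}":
            break
        parts = shlex.split(line)             # handles the quoted values
        if len(parts) == 2 and parts[0][0] not in "+->?":
            expected[parts[0].lower()] = parts[1]   # header names are case-insensitive
    return expected

def diff_headers(expected: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Report every header the proxy should set that the response lacks or changes."""
    seen = {k.lower(): v for k, v in observed.items()}
    findings: List[str] = []
    for name, want in expected.items():
        got = seen.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip() != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    return findings

def fetch_headers(url: str) -> Dict[str, str]:
    """HEAD request against the live site (needs network; assumed URL such as https://sub.domain.com/)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())
```

Run `diff_headers(parse_header_block(open("/etc/caddy/caddy_security.conf").read()), fetch_headers("https://sub.domain.com/"))`; an empty list means every header from the config reached the client unchanged.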
MattFaz Posted October 4, 2022

> On 11/8/2020 at 4:57 AM, balrog said:
>
> Cloudflare
>
> This is only needed if you have the Cloudflare proxy activated (orange cloud).
>
> Requirements
>
> Caddy binary with the dns.providers.cloudflare plugin (Caddy-Builder): LINK

Would you be able to provide a guide on how you installed this plugin? I'm comfortable with the rest but really struggling at this step.