From db555833678762cde0bb9ff0a2105e5f0a9b8898 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 1 Apr 2022 10:49:37 +0200
Subject: [PATCH] caddy: use snippet for headers, format with caddy fmt

---
 Caddyfile | 66 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 35 insertions(+), 31 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 483ac31..4b0a9e1 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,44 +1,48 @@
 # global options
 {
-    # remove comment to use staging Let's Encrypt servers (for testing)
-    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+	# remove comment to use staging Let's Encrypt servers (for testing)
+	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
 
-    # auto_https contact mail address, for TLS certs notifications (expiry,
-    # other problems with certs)
-    email admins@pub.solar
+	# auto_https contact mail address, for TLS certs notifications (expiry,
+	# other problems with certs)
+	email admins@pub.solar
+}
+
+# security and privacy header snippet
+(security_headers) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=63072000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		X-Frame-Options DENY
+
+		# keep referrer data off of HTTP connections
+		Referrer-Policy no-referrer-when-downgrade
+	}
 }
 
 # static file server
 miom.space {
-    root * /srv/miom.space
-    file_server
+	import security_headers
+	root * /srv/miom.space
+	file_server
 
-    # caddys default is no access logs at all
-    # comment this block out for debugging
-    #log {
-    #    output file /var/log/caddy-access.log
-    #}
+	# caddys default is no access logs at all
+	# comment this block out for debugging
+	#log {
+	#	output file /var/log/caddy-access.log
+	#}
 }
 
 # redirect www. subdomain to apex (root) domain
 www.miom.space {
-    redir https://miom.space{uri}
-}
-
-# security and privacy headers
-header {
-    # disable FLoC tracking
-    Permissions-Policy interest-cohort=()
-
-    # enable HSTS
-    Strict-Transport-Security max-age=63072000;
-
-    # disable clients from sniffing the media type
-    X-Content-Type-Options nosniff
-
-    # clickjacking protection
-    X-Frame-Options DENY
-
-    # keep referrer data off of HTTP connections
-    Referrer-Policy no-referrer-when-downgrade
+	import security_headers
+	redir https://miom.space{uri}
 }
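Review bot: The HSTS value in the new `security_headers` snippet, `Strict-Transport-Security max-age=63072000;`, ends in a bare `;` with nothing after it and omits `includeSubDomains`, so `www.miom.space` and any future subdomain are only pinned by the HSTS they send themselves on a first HTTPS visit; if all subdomains are meant to be HTTPS-only, `Strict-Transport-Security "max-age=63072000; includeSubDomains"` is the usual form (quoted because the value contains a space). `Referrer-Policy no-referrer-when-downgrade` is the browser default and still sends the full URL to third-party origins over HTTPS, so `strict-origin-when-cross-origin` would be the tighter choice unless cross-site referrers are wanted. Both values are carried over verbatim from the removed top-level `header` block, so this is pre-existing policy that the snippet now applies to both sites consistently, which is the right direction. Placing `import security_headers` ahead of `redir` in `www.miom.space` is fine, since Caddy orders `header` before `redir` regardless of textual position, so the redirect responses also carry the headers.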