Updates exempes/caddy2/Caddyfile to SSL Grade A+

This commit is contained in:
0hlov3 2020-09-13 03:11:37 +02:00
parent 7e78639aad
commit c366e26360

View file

@ -27,13 +27,17 @@ matrix.DOMAIN.tld {
} }
header { header {
Access-Control-Allow-Origin * # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "mag=age=31536000;" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Frame-Options "DENY" # Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
167,9 79% 167,9 79%
Strict-Transport-Security "mag=age=31536000;"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
} }
# Cache # Cache
@ -78,23 +82,36 @@ matrix.DOMAIN.tld {
} }
} }
:8448 { matrix.DOMAIN.tld:8448 {
handle { handle {
encode zstd gzip encode zstd gzip
reverse_proxy localhost:8448 { reverse_proxy 127.0.0.1:8048 {
header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto} header_up X-Forwarded-HttpsProto {proto}
} }
} }
} }
dimension.DOMAIN.tld { dimension.DOMAIN.tld {
tls {$CADDY_TLS} tls {$CADDY_TLS}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle { handle {
encode zstd gzip encode zstd gzip
@ -111,7 +128,20 @@ dimension.DOMAIN.tld {
element.DOMAIN.tld { element.DOMAIN.tld {
tls {$CADDY_TLS} tls {$CADDY_TLS}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle { handle {
encode zstd gzip encode zstd gzip