Enhance Caddyfile with explicit HTTPS and security features

- Added explicit HTTP to HTTPS redirects for clarity - Improved security headers including CSP for MapBox/OSM - Added health checks for reverse proxy - Implemented rate limiting for API protection - Added structured logging for security monitoring - Enhanced compression with gzip and zstd - Comprehensive www/non-www redirect handling - Production-ready configuration for ICE Watch
2025-07-03 00:31:41 -04:00 · 2025-07-03 00:31:41 -04:00 · 3d3eb2fd3b
commit 3d3eb2fd3b
parent c203cdcbeb
1 changed files with 65 additions and 15 deletions
--- a/scripts/Caddyfile
+++ b/scripts/Caddyfile
@ -1,14 +1,31 @@
 # ICE Watch Caddy Configuration
 # Replace yourdomain.com with your actual domain
+# 
+# This configuration automatically:
+# - Obtains SSL certificates from Let's Encrypt
+# - Redirects HTTP to HTTPS
+# - Serves on ports 80 and 443

+# Main site configuration
 yourdomain.com {
-    # Reverse proxy to Node.js app
-    reverse_proxy localhost:3000
+    # Automatic HTTPS (default behavior)
+    # Caddy automatically:
+    # - Listens on :80 and :443
+    # - Redirects HTTP to HTTPS
+    # - Gets SSL cert from Let's Encrypt
    
-    # Security headers
+    # Reverse proxy to Node.js app
+    reverse_proxy localhost:3000 {
+        # Health check
+        health_uri /api/locations
+        health_interval 30s
+        health_timeout 5s
+    }
+    
+    # Security headers for ICE Watch
    header {
-        # Enable HSTS
-        Strict-Transport-Security max-age=31536000;
+        # Enable HSTS (force HTTPS for 1 year)
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Prevent clickjacking
        X-Frame-Options DENY
        # Prevent content type sniffing
@ -17,22 +34,55 @@ yourdomain.com {
        X-XSS-Protection "1; mode=block"
        # Referrer policy
        Referrer-Policy strict-origin-when-cross-origin
+        # Content Security Policy
+        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' unpkg.com api.mapbox.com; style-src 'self' 'unsafe-inline' unpkg.com; img-src 'self' data: *.tile.openstreetmap.org; connect-src 'self' api.mapbox.com nominatim.openstreetmap.org"
    }
    
    # Gzip compression
-    encode gzip
+    encode gzip zstd
    
-    # Rate limiting (optional)
-    # rate_limit {
-    #     zone static_ip_10rs {
-    #         key {remote_host}
-    #         events 10
-    #         window 1s
-    #     }
-    # }
+    # Logging for security monitoring
+    log {
+        output file /var/log/caddy/icewatch.log {
+            roll_size 100MB
+            roll_keep 5
+        }
+        format json
+    }
+    
+    # Rate limiting for API endpoints
+    rate_limit {
+        zone api {
+            key {remote_host}
+            events 30
+            window 1m
+        }
+        zone submit {
+            key {remote_host}
+            events 5
+            window 1m
+        }
+    }
+    
+    # Apply rate limits to specific paths
+    @api path /api/*
+    rate_limit @api api
+    
+    @submit path /api/locations method POST
+    rate_limit @submit submit
 }

-# Optional: Redirect www to non-www
+# Redirect www to non-www (with HTTPS)
 www.yourdomain.com {
    redir https://yourdomain.com{uri} permanent
 }
+
+# HTTP redirect (explicit, though Caddy does this automatically)
+# This is just for clarity
+http://yourdomain.com {
+    redir https://yourdomain.com{uri} permanent
+}
+
+http://www.yourdomain.com {
+    redir https://yourdomain.com{uri} permanent
+}