Enhance Caddyfile with explicit HTTPS and security features

- Added explicit HTTP to HTTPS redirects for clarity
- Improved security headers including CSP for MapBox/OSM
- Added health checks for reverse proxy
- Implemented rate limiting for API protection
- Added structured logging for security monitoring
- Enhanced compression with gzip and zstd
- Comprehensive www/non-www redirect handling
- Production-ready configuration for ICE Watch
This commit is contained in:
Deco Vander 2025-07-03 00:31:41 -04:00
parent c203cdcbeb
commit 3d3eb2fd3b


@ -1,14 +1,31 @@
# ICE Watch Caddy Configuration # ICE Watch Caddy Configuration
# Replace yourdomain.com with your actual domain # Replace yourdomain.com with your actual domain
#
# This configuration automatically:
# - Obtains SSL certificates from Let's Encrypt
# - Redirects HTTP to HTTPS
# - Serves on ports 80 and 443
# Main site configuration
yourdomain.com { yourdomain.com {
# Reverse proxy to Node.js app # Automatic HTTPS (default behavior)
reverse_proxy localhost:3000 # Caddy automatically:
# - Listens on :80 and :443
# - Redirects HTTP to HTTPS
# - Gets SSL cert from Let's Encrypt
# Security headers # Reverse proxy to Node.js app
reverse_proxy localhost:3000 {
# Health check
health_uri /api/locations
health_interval 30s
health_timeout 5s
}
# Security headers for ICE Watch
header { header {
# Enable HSTS # Enable HSTS (force HTTPS for 1 year)
Strict-Transport-Security max-age=31536000; Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Prevent clickjacking # Prevent clickjacking
X-Frame-Options DENY X-Frame-Options DENY
# Prevent content type sniffing # Prevent content type sniffing
@ -17,22 +34,55 @@ yourdomain.com {
X-XSS-Protection "1; mode=block" X-XSS-Protection "1; mode=block"
# Referrer policy # Referrer policy
Referrer-Policy strict-origin-when-cross-origin Referrer-Policy strict-origin-when-cross-origin
# Content Security Policy
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' unpkg.com api.mapbox.com; style-src 'self' 'unsafe-inline' unpkg.com; img-src 'self' data: *.tile.openstreetmap.org; connect-src 'self' api.mapbox.com nominatim.openstreetmap.org"
} }
# Gzip compression # Gzip compression
encode gzip encode gzip zstd
# Rate limiting (optional) # Logging for security monitoring
# rate_limit { log {
# zone static_ip_10rs { output file /var/log/caddy/icewatch.log {
# key {remote_host} roll_size 100MB
# events 10 roll_keep 5
# window 1s }
# } format json
# } }
# Rate limiting for API endpoints
rate_limit {
zone api {
key {remote_host}
events 30
window 1m
}
zone submit {
key {remote_host}
events 5
window 1m
}
}
# Apply rate limits to specific paths
@api path /api/*
rate_limit @api api
@submit path /api/locations method POST
rate_limit @submit submit
} }
# Optional: Redirect www to non-www # Redirect www to non-www (with HTTPS)
www.yourdomain.com { www.yourdomain.com {
redir https://yourdomain.com{uri} permanent redir https://yourdomain.com{uri} permanent
} }
# HTTP redirect (explicit, though Caddy does this automatically)
# This is just for clarity
http://yourdomain.com {
redir https://yourdomain.com{uri} permanent
}
http://www.yourdomain.com {
redir https://yourdomain.com{uri} permanent
}
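Review bot: The new `rate_limit { zone ... }` block and the `rate_limit @api api` / `rate_limit @submit submit` lines are not a directive in the standard Caddy distribution — they come from the caddy-ratelimit plugin — so with a stock binary this file fails to load and the site does not start at all, a worse outcome than the commented-out "(optional)" version it replaces. Even with the plugin built in, I don't believe the two-token `rate_limit <matcher> <zone>` form is parsed; the plugin scopes each zone with a `match { ... }` block inside the zone and needs its position declared (e.g. `order rate_limit before basicauth` in the global options block), so the shape below, with a comment naming the build requirement, is what I would use. Two smaller caveats on the same hunk: `script-src 'unsafe-inline'` in the new Content-Security-Policy gives up most of CSP's protection against injected scripts, so it deserves a comment naming which inline scripts force it and a TODO to move them to nonces or external files; and `preload` on Strict-Transport-Security is a request to be hard-coded into browsers' HSTS lists, which is slow to undo and, with `includeSubDomains`, commits every subdomain to HTTPS, so it should be a deliberate decision rather than a default. The `{remote_host}` key also means that if Caddy sits behind another proxy or CDN, all clients share one bucket — confirm Caddy is the edge here, or key on the forwarded client address only if that header is set by a trusted hop.
```caddyfile
# … unchanged: reverse_proxy, header, encode and log blocks …
# Rate limiting for API endpoints.
# REQUIRES a Caddy build that includes the caddy-ratelimit plugin (stock caddy
# has no rate_limit directive and will refuse this file). The plugin's
# directive also needs an explicit position, e.g. in the global options block:
#   order rate_limit before basicauth
rate_limit {
    zone api {
        match {
            path /api/*
        }
        key {remote_host}
        events 30
        window 1m
    }
    zone submit {
        match {
            path /api/locations
            method POST
        }
        key {remote_host}
        events 5
        window 1m
    }
}
# … unchanged: closing brace, www and http:// redirect site blocks …
```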