signal-works/ice
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
ice/scripts/Caddyfile
Deco Vander 3581ea219d Fix rate limiting block syntax for caddy-ratelimit plugin 
- Use proper rate_limit block syntax with key, rate, and window
- Rate 30 requests per minute for general API
- Rate 5 requests per minute for location submissions
- Should resolve 'wrong argument count' error
2025-07-03 01:00:07 -04:00

87 lines
2.4 KiB
Caddyfile
Raw Blame History

# ICE Watch Caddy Configuration
# Replace yourdomain.com with your actual domain
#
# This configuration automatically:
# - Obtains SSL certificates from Let's Encrypt
# - Redirects HTTP to HTTPS
# - Serves on ports 80 and 443
# Main site configuration
yourdomain.com {
# Automatic HTTPS (default behavior)
# Caddy automatically:
# - Listens on :80 and :443
# - Redirects HTTP to HTTPS
# - Gets SSL cert from Let's Encrypt
# Reverse proxy to Node.js app
reverse_proxy localhost:3000 {
# Health check
health_uri /api/locations
health_interval 30s
health_timeout 5s
}
# Security headers for ICE Watch
header {
# Enable HSTS (force HTTPS for 1 year)
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Prevent clickjacking
X-Frame-Options DENY
# Prevent content type sniffing
X-Content-Type-Options nosniff
# XSS protection
X-XSS-Protection "1; mode=block"
# Referrer policy
Referrer-Policy strict-origin-when-cross-origin
# Content Security Policy
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' unpkg.com api.mapbox.com; style-src 'self' 'unsafe-inline' unpkg.com; img-src 'self' data: *.tile.openstreetmap.org; connect-src 'self' api.mapbox.com nominatim.openstreetmap.org"
}
# Gzip compression
encode gzip zstd
# Logging for monitoring
log {
output file /var/log/caddy/icewatch.log {
roll_size 100MB
roll_keep 5
}
format json
}
# Rate limiting for API endpoints (requires caddy-ratelimit plugin)
# General API rate limiting: 30 requests per minute
@api path /api/*
rate_limit @api {
key {remote_host}
rate 30
window 1m
}
# Submission rate limiting: 5 requests per minute
@submit {
path /api/locations
method POST
}
rate_limit @submit {
key {remote_host}
rate 5
window 1m
}
}
# Redirect www to non-www (with HTTPS)
www.yourdomain.com {
redir https://yourdomain.com{uri} permanent
}
# HTTP redirect (explicit, though Caddy does this automatically)
# This is just for clarity
http://yourdomain.com {
redir https://yourdomain.com{uri} permanent
}
http://www.yourdomain.com {
redir https://yourdomain.com{uri} permanent
}
Reference in a new issue View git blame Copy permalink