ansible_management/files/192.238.204.39/Caddyfile

# Caddy's configuration file
# see: https://caddyserver.com/docs/caddyfile

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

#:80 {
#       # Set this path to your site's directory.
#       root * /usr/share/caddy
#
#       # Enable the static file server.
#       file_server
#
#       # Another common task is to set up a reverse proxy:
#       # reverse_proxy localhost:8080
#
#       # Or serve a PHP site through php-fpm:
#       # php_fastcgi localhost:9000
#}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

# 定义一个名为 (securityHeaders) 的可重用代码片段
(securityHeaders) {
	header {
		# Strict-Transport-Security (HSTS)
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# X-Frame-Options
		X-Frame-Options "SAMEORIGIN"

		# X-Content-Type-Options
		X-Content-Type-Options "nosniff"

		# Referrer-Policy
		Referrer-Policy "strict-origin-when-cross-origin"

		# Permissions-Policy
		Permissions-Policy "camera=(), microphone=(), geolocation=()"

		# Content-Security-Policy (CSP) - 通用起点
		Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests;"

		# 移除 Server 标识
		-Server
	}
}

# ------------------------------
# 10000h.de Services
# ------------------------------

10000h.de {
	# 设置网站根目录
	root * /srv/10000h.de

	# 开启文件服务
	file_server
	import securityHeaders
}

daed.10000h.de {
	reverse_proxy http://127.0.0.1:2023
	import securityHeaders
}

gitea.10000h.de {
	reverse_proxy http://127.0.0.1:3000
	import securityHeaders
}

lobe.10000h.de {
	reverse_proxy http://127.0.0.1:3210 {
    	transport http {
        	versions 1.1  # 👈 强制使用 HTTP/1.1 与后端通信
    	}
	}
}

duet.10000h.de {
	reverse_proxy http://127.0.0.1:3389
}

nuc.10000h.de {
	reverse_proxy http://127.0.0.1:3390
}

fndav.10000h.de {
	reverse_proxy http://127.0.0.1:5005
	# import securityHeaders
}

openlist.10000h.de {
	reverse_proxy http://127.0.0.1:5244
	# import securityHeaders
}

fnos.10000h.de {
	reverse_proxy http://127.0.0.1:5666
	# import securityHeaders
}

n8n.10000h.de {
	reverse_proxy http://127.0.0.1:5678
	# import securityHeaders
}

frps.10000h.de {
	reverse_proxy http://127.0.0.1:7001
	import securityHeaders
}

frpc.10000h.de {
	reverse_proxy http://127.0.0.1:7400
	import securityHeaders
}

tts.10000h.de {
	reverse_proxy http://127.0.0.1:8001
	import securityHeaders
}

openwrt.10000h.de {
	reverse_proxy http://127.0.0.1:8002
	import securityHeaders
}

pve.10000h.de {
	handle {
		reverse_proxy https://127.0.0.1:8006 {
			transport http {
				tls_insecure_skip_verify
			}
			header_up Host {http.reverse_proxy.host}
			header_up X-Forwarded-Host {host}
		}
		# import securityHeaders
	}
}

gotify.10000h.de {
	reverse_proxy http://127.0.0.1:8080
	import securityHeaders
}

dify.10000h.de {
	reverse_proxy http://127.0.0.1:8081
	import securityHeaders
}

kubepi.10000h.de {
	reverse_proxy http://127.0.0.1:8084
	import securityHeaders
}

ddns.10000h.de {
	reverse_proxy http://127.0.0.1:9876
	import securityHeaders
}

# ------------------------------
# k3s Services
# ------------------------------

argocd.10000h.de {
	reverse_proxy http://127.0.0.1:20080
	import securityHeaders
}

markword.10000h.de {
	reverse_proxy http://127.0.0.1:20080
	import securityHeaders
}

n8nk.10000h.de {
	reverse_proxy http://127.0.0.1:20080
	import securityHeaders
}

docker.10000h.de {
	reverse_proxy http://127.0.0.1:51000
	# import securityHeaders
}

ghcr.10000h.de {
	reverse_proxy http://127.0.0.1:52000
	import securityHeaders
}