diff --git a/host/caddy/Caddyfile b/host/caddy/Caddyfile index 16b62aa..507210e 100644 --- a/host/caddy/Caddyfile +++ b/host/caddy/Caddyfile @@ -1,63 +1,155 @@ -# Port map (final): -# 9000 Caddy HTTP (redirect + ACME webroot) -# 9001 Caddy HTTPS -# 9010 taler-hacktivism (merchant nginx TLS) -# 9011 taler-exchange-hacktivism (exchange httpd) -# 9012 taler-bank-hacktivism (libeufin-bank) +# Internal only (not in the browser URL): +# 9010 merchant API | 9011 exchange API | 9012 bank API +# 9013 bank landing | 9014 exchange landing | 9015 merchant landing +# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh { - email info+koopa@hacktivism.ch - http_port 9000 - https_port 9001 - auto_https disable_redirects - # Caddy listens on 9001 behind VeciGate/https-proxy :443. - # Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try - # on the public host — port 9001 is not the public HTTPS entry (443 is). - # That breaks sites after first visit (especially dual-stack clients). - servers { - protocols h1 h2 - } + email info+koopa@hacktivism.ch + http_port 9000 + https_port 9001 + auto_https disable_redirects + # Caddy listens on 9001 behind VeciGate/https-proxy :443. + # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. + servers { + protocols h1 h2 + } +} + +(proxy_public) { + header_up Host {host} + header_up X-Forwarded-Host {host} + header_up X-Forwarded-Proto {scheme} + header_up X-Forwarded-Port 443 + header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" } taler.hacktivism.ch { - tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem - header Alt-Svc "clear" - reverse_proxy https://127.0.0.1:9010 { - transport http { - tls_insecure_skip_verify - } - header_up Host {host} - } + tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem + header Alt-Svc "clear" + + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9015 { + import proxy_public + } + } + + # SPA: /webui → /webui/ + redir /webui /webui/ 302 + + # Merchant API + WebUI (nginx :9010 → unix socket) + reverse_proxy https://127.0.0.1:9010 { + transport http { + tls_insecure_skip_verify + } + import proxy_public + } } exchange.hacktivism.ch { - tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem - header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9011 { - header_up Host {host} - } + tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem + header Alt-Svc "clear" + + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9014 { + import proxy_public + } + } + + reverse_proxy 127.0.0.1:9011 { + import proxy_public + } } bank.hacktivism.ch { - header Alt-Svc "clear" - handle_path /intro/* { - root * /var/www/bank-landing - file_server - } - redir /intro /intro/ 302 - redir / /intro/ 302 + header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9012 { - header_up Host {host} - } + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + + # Static terms/privacy on landing nginx :9013 + handle /terms* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + handle /privacy* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + + reverse_proxy 127.0.0.1:9012 { + import proxy_public + } } -http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch { - handle /.well-known/acme-challenge/* { - root * /var/www/acme - file_server - } - handle { - redir https://{host}{uri} permanent - } +castopod.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9020 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } +} + +bonfire.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9021 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } +} + +prime.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9022 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } +} + +bt.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9023 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } +} + +# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy) +git.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9024 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + flush_interval -1 + transport http { + read_timeout 3600s + write_timeout 3600s + } + } +} + +http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch, http://git.hacktivism.ch { + handle /.well-known/acme-challenge/* { + root * /var/www/acme + file_server + } + handle { + redir https://{host}{uri} permanent + } } diff --git a/host/caddy/README.md b/host/caddy/README.md index 0d3f627..7c4d92b 100644 --- a/host/caddy/README.md +++ b/host/caddy/README.md @@ -1,6 +1,19 @@ -# Caddy (host reverse proxy) +# Host Caddy -- Config: `Caddyfile` (also mirrored under `configs/caddy/`) -- TLS certs on disk: `/etc/caddy/certs/{taler,exchange}.hacktivism.ch/` -- HTTP 9000: ACME webroot `/var/www/acme` + redirect to HTTPS -- HTTPS 9001: vhosts → backends 9010 / 9011 +Live: `/etc/caddy/Caddyfile` on koopa (root/`caddy` group). +Canonical mirror in this repo: **`configs/caddy/Caddyfile`** (same content as `host/caddy/Caddyfile`). + +| Listen | Role | +|--------|------| +| **9000** | HTTP + ACME webroot + HTTPS redirect | +| **9001** | HTTPS vhosts | + +Public sites: `taler` / `exchange` / `bank` / `castopod` / `bonfire` / `prime` / `bt` / **`git`**. +Forgejo HTTP: Caddy → `127.0.0.1:9024`. Git SSH is **host :9200** (not Caddy). + +Validate/reload on host: + +```bash +sudo caddy validate --config /etc/caddy/Caddyfile +sudo systemctl reload caddy +```