caddy: sync host/caddy mirror with full vhost map

host/caddy/Caddyfile was stale (Taler-only). Align with configs/caddy
including git.hacktivism.ch :9024 and forgejo-ssh note :9200.
This commit is contained in:
Hernâni Marques 2026-07-10 15:09:37 +02:00
parent b674e57f4e
commit 02c5f97645
No known key found for this signature in database
2 changed files with 158 additions and 53 deletions

View file

@ -1,63 +1,155 @@
# Port map (final):
# 9000 Caddy HTTP (redirect + ACME webroot)
# 9001 Caddy HTTPS
# 9010 taler-hacktivism (merchant nginx TLS)
# 9011 taler-exchange-hacktivism (exchange httpd)
# 9012 taler-bank-hacktivism (libeufin-bank)
# Internal only (not in the browser URL):
# 9010 merchant API | 9011 exchange API | 9012 bank API
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
{
email info+koopa@hacktivism.ch
http_port 9000
https_port 9001
auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
# on the public host — port 9001 is not the public HTTPS entry (443 is).
# That breaks sites after first visit (especially dual-stack clients).
servers {
protocols h1 h2
}
email info+koopa@hacktivism.ch
http_port 9000
https_port 9001
auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
servers {
protocols h1 h2
}
}
(proxy_public) {
header_up Host {host}
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Port 443
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
}
taler.hacktivism.ch {
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
reverse_proxy https://127.0.0.1:9010 {
transport http {
tls_insecure_skip_verify
}
header_up Host {host}
}
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9015 {
import proxy_public
}
}
# SPA: /webui → /webui/
redir /webui /webui/ 302
# Merchant API + WebUI (nginx :9010 → unix socket)
reverse_proxy https://127.0.0.1:9010 {
transport http {
tls_insecure_skip_verify
}
import proxy_public
}
}
exchange.hacktivism.ch {
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9011 {
header_up Host {host}
}
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9014 {
import proxy_public
}
}
reverse_proxy 127.0.0.1:9011 {
import proxy_public
}
}
bank.hacktivism.ch {
header Alt-Svc "clear"
handle_path /intro/* {
root * /var/www/bank-landing
file_server
}
redir /intro /intro/ 302
redir / /intro/ 302
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9012 {
header_up Host {host}
}
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
# Static terms/privacy on landing nginx :9013
handle /terms* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
handle /privacy* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
reverse_proxy 127.0.0.1:9012 {
import proxy_public
}
}
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
handle /.well-known/acme-challenge/* {
root * /var/www/acme
file_server
}
handle {
redir https://{host}{uri} permanent
}
castopod.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9020 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
}
bonfire.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9021 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
}
prime.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9022 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
}
bt.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9023 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
}
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
git.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9024 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
flush_interval -1
transport http {
read_timeout 3600s
write_timeout 3600s
}
}
}
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch, http://git.hacktivism.ch {
handle /.well-known/acme-challenge/* {
root * /var/www/acme
file_server
}
handle {
redir https://{host}{uri} permanent
}
}