caddy: sync host/caddy mirror with full vhost map
host/caddy/Caddyfile was stale (Taler-only). Align with configs/caddy including git.hacktivism.ch :9024 and forgejo-ssh note :9200.
This commit is contained in:
parent
b674e57f4e
commit
02c5f97645
2 changed files with 158 additions and 53 deletions
|
|
@ -1,9 +1,7 @@
|
|||
# Port map (final):
|
||||
# 9000 Caddy HTTP (redirect + ACME webroot)
|
||||
# 9001 Caddy HTTPS
|
||||
# 9010 taler-hacktivism (merchant nginx TLS)
|
||||
# 9011 taler-exchange-hacktivism (exchange httpd)
|
||||
# 9012 taler-bank-hacktivism (libeufin-bank)
|
||||
# Internal only (not in the browser URL):
|
||||
# 9010 merchant API | 9011 exchange API | 9012 bank API
|
||||
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
|
||||
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
|
||||
|
||||
{
|
||||
email info+koopa@hacktivism.ch
|
||||
|
|
@ -11,48 +9,142 @@
|
|||
https_port 9001
|
||||
auto_https disable_redirects
|
||||
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
||||
# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
|
||||
# on the public host — port 9001 is not the public HTTPS entry (443 is).
|
||||
# That breaks sites after first visit (especially dual-stack clients).
|
||||
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
|
||||
servers {
|
||||
protocols h1 h2
|
||||
}
|
||||
}
|
||||
|
||||
(proxy_public) {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-Host {host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
header_up X-Forwarded-Port 443
|
||||
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
|
||||
}
|
||||
|
||||
taler.hacktivism.ch {
|
||||
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9015 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
# SPA: /webui → /webui/
|
||||
redir /webui /webui/ 302
|
||||
|
||||
# Merchant API + WebUI (nginx :9010 → unix socket)
|
||||
reverse_proxy https://127.0.0.1:9010 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
header_up Host {host}
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
exchange.hacktivism.ch {
|
||||
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9014 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:9011 {
|
||||
header_up Host {host}
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
bank.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
handle_path /intro/* {
|
||||
root * /var/www/bank-landing
|
||||
file_server
|
||||
}
|
||||
redir /intro /intro/ 302
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
reverse_proxy 127.0.0.1:9012 {
|
||||
header_up Host {host}
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
|
||||
# Static terms/privacy on landing nginx :9013
|
||||
handle /terms* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /privacy* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:9012 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
castopod.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9020 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
}
|
||||
|
||||
bonfire.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9021 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
prime.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9022 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
bt.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9023 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
}
|
||||
|
||||
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
|
||||
git.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9024 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
flush_interval -1
|
||||
transport http {
|
||||
read_timeout 3600s
|
||||
write_timeout 3600s
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch, http://git.hacktivism.ch {
|
||||
handle /.well-known/acme-challenge/* {
|
||||
root * /var/www/acme
|
||||
file_server
|
||||
|
|
|
|||
|
|
@ -1,6 +1,19 @@
|
|||
# Caddy (host reverse proxy)
|
||||
# Host Caddy
|
||||
|
||||
- Config: `Caddyfile` (also mirrored under `configs/caddy/`)
|
||||
- TLS certs on disk: `/etc/caddy/certs/{taler,exchange}.hacktivism.ch/`
|
||||
- HTTP 9000: ACME webroot `/var/www/acme` + redirect to HTTPS
|
||||
- HTTPS 9001: vhosts → backends 9010 / 9011
|
||||
Live: `/etc/caddy/Caddyfile` on koopa (root/`caddy` group).
|
||||
Canonical mirror in this repo: **`configs/caddy/Caddyfile`** (same content as `host/caddy/Caddyfile`).
|
||||
|
||||
| Listen | Role |
|
||||
|--------|------|
|
||||
| **9000** | HTTP + ACME webroot + HTTPS redirect |
|
||||
| **9001** | HTTPS vhosts |
|
||||
|
||||
Public sites: `taler` / `exchange` / `bank` / `castopod` / `bonfire` / `prime` / `bt` / **`git`**.
|
||||
Forgejo HTTP: Caddy → `127.0.0.1:9024`. Git SSH is **host :9200** (not Caddy).
|
||||
|
||||
Validate/reload on host:
|
||||
|
||||
```bash
|
||||
sudo caddy validate --config /etc/caddy/Caddyfile
|
||||
sudo systemctl reload caddy
|
||||
```
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue