63 lines
1.6 KiB
Caddyfile
63 lines
1.6 KiB
Caddyfile
# Port map (final):
|
|
# 9000 Caddy HTTP (redirect + ACME webroot)
|
|
# 9001 Caddy HTTPS
|
|
# 9010 taler-hacktivism (merchant nginx TLS)
|
|
# 9011 taler-exchange-hacktivism (exchange httpd)
|
|
# 9012 taler-bank-hacktivism (libeufin-bank)
|
|
{
|
|
email info+koopa@hacktivism.ch
|
|
http_port 9000
|
|
https_port 9001
|
|
auto_https disable_redirects
|
|
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
|
# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
|
|
# on the public host — port 9001 is not the public HTTPS entry (443 is).
|
|
# That breaks sites after first visit (especially dual-stack clients).
|
|
servers {
|
|
protocols h1 h2
|
|
}
|
|
}
|
|
|
|
taler.hacktivism.ch {
|
|
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
|
header Alt-Svc "clear"
|
|
reverse_proxy https://127.0.0.1:9010 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
header_up Host {host}
|
|
}
|
|
}
|
|
|
|
exchange.hacktivism.ch {
|
|
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9011 {
|
|
header_up Host {host}
|
|
}
|
|
}
|
|
|
|
bank.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
handle_path /intro/* {
|
|
root * /var/www/bank-landing
|
|
file_server
|
|
}
|
|
redir /intro /intro/ 302
|
|
redir / /intro/ 302
|
|
|
|
reverse_proxy 127.0.0.1:9012 {
|
|
header_up Host {host}
|
|
}
|
|
}
|
|
|
|
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
|
|
handle /.well-known/acme-challenge/* {
|
|
root * /var/www/acme
|
|
file_server
|
|
}
|
|
handle {
|
|
redir https://{host}{uri} permanent
|
|
}
|
|
}
|