155 lines
3.7 KiB
Caddyfile
155 lines
3.7 KiB
Caddyfile
# Internal only (not in the browser URL):
|
|
# 9010 merchant API | 9011 exchange API | 9012 bank API
|
|
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
|
|
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
|
|
{
|
|
email info+koopa@hacktivism.ch
|
|
http_port 9000
|
|
https_port 9001
|
|
auto_https disable_redirects
|
|
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
|
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
|
|
servers {
|
|
protocols h1 h2
|
|
}
|
|
}
|
|
|
|
(proxy_public) {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-Host {host}
|
|
header_up X-Forwarded-Proto {scheme}
|
|
header_up X-Forwarded-Port 443
|
|
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
|
|
}
|
|
|
|
taler.hacktivism.ch {
|
|
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
|
header Alt-Svc "clear"
|
|
|
|
# Public landing first
|
|
redir / /intro/ 302
|
|
|
|
handle /intro* {
|
|
reverse_proxy 127.0.0.1:9015 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
# SPA: /webui → /webui/
|
|
redir /webui /webui/ 302
|
|
|
|
# Merchant API + WebUI (nginx :9010 → unix socket)
|
|
reverse_proxy https://127.0.0.1:9010 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
exchange.hacktivism.ch {
|
|
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
|
header Alt-Svc "clear"
|
|
|
|
# Public landing first
|
|
redir / /intro/ 302
|
|
|
|
handle /intro* {
|
|
reverse_proxy 127.0.0.1:9014 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
reverse_proxy 127.0.0.1:9011 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
bank.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
|
|
# Public landing first
|
|
redir / /intro/ 302
|
|
|
|
handle /intro* {
|
|
reverse_proxy 127.0.0.1:9013 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
# Static terms/privacy on landing nginx :9013
|
|
handle /terms* {
|
|
reverse_proxy 127.0.0.1:9013 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
handle /privacy* {
|
|
reverse_proxy 127.0.0.1:9013 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
reverse_proxy 127.0.0.1:9012 {
|
|
import proxy_public
|
|
}
|
|
}
|
|
|
|
castopod.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9020 {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-For {remote_host}
|
|
}
|
|
}
|
|
|
|
bonfire.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9021 {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-For {remote_host}
|
|
flush_interval -1
|
|
}
|
|
}
|
|
|
|
prime.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9022 {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-For {remote_host}
|
|
flush_interval -1
|
|
}
|
|
}
|
|
|
|
bt.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9023 {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-For {remote_host}
|
|
}
|
|
}
|
|
|
|
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
|
|
handle /.well-known/acme-challenge/* {
|
|
root * /var/www/acme
|
|
file_server
|
|
}
|
|
handle {
|
|
redir https://{host}{uri} permanent
|
|
}
|
|
}
|
|
|
|
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
|
|
git.hacktivism.ch {
|
|
header Alt-Svc "clear"
|
|
reverse_proxy 127.0.0.1:9024 {
|
|
header_up Host {host}
|
|
header_up X-Forwarded-For {remote_host}
|
|
header_up X-Forwarded-Proto {scheme}
|
|
flush_interval -1
|
|
transport http {
|
|
read_timeout 3600s
|
|
write_timeout 3600s
|
|
}
|
|
}
|
|
}
|