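# Caddyfile for StarPunk Reverse Proxy
# Caddy automatically handles HTTPS with Let's Encrypt
#
# Installation:
# 1. Install Caddy: https://caddyserver.com/docs/install
# 2. Copy this file: cp Caddyfile.example Caddyfile
# 3. Update your-domain.com to your actual domain
# 4. Run: caddy run --config Caddyfile
#
# Systemd service:
# sudo systemctl enable --now caddy
#
# Validate after editing: caddy validate --config Caddyfile

# Replace with your actual domain
your-domain.com {
	# Reverse proxy to StarPunk container
	# Container must be running on localhost:8000
	# Keep the upstream bound to loopback (or a private network) so the app
	# is only reachable through this proxy and the headers configured below.
	reverse_proxy localhost:8000

	# Logging
	log {
		output file /var/log/caddy/starpunk.log {
			roll_size 10MiB
			roll_keep 10
		}
		format console
	}

	# Security headers
	# Because this block contains a deletion (-Server), Caddy defers the whole
	# block until the response is written, so it also applies to headers set
	# by the upstream application.
	header {
		# Remove server identification
		-Server
		# HSTS - force HTTPS for 1 year
		# NOTE: "preload" signals eligibility for browser HSTS preload lists,
		# which is hard to undo, and includeSubDomains commits every subdomain
		# to HTTPS. Drop "preload" unless you intend to submit the domain.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Prevent MIME type sniffing
		X-Content-Type-Options "nosniff"
		# Prevent clickjacking (frame-ancestors in the CSP below is the modern equivalent)
		X-Frame-Options "DENY"
		# Legacy XSS auditor: explicitly disabled. Current browsers have removed
		# the auditor, and "1; mode=block" had known side effects in older ones;
		# "0" is the recommended value. Rely on the CSP below instead.
		X-XSS-Protection "0"
		# Referrer policy
		Referrer-Policy "strict-origin-when-cross-origin"
		# Content Security Policy (adjust as needed)
		# 'unsafe-inline' for script-src weakens the policy considerably;
		# tighten to nonces or hashes once the app's inline scripts are known.
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
	}

	# Compression
	encode gzip zstd

	# Static file caching
	# "immutable" with a 1-year max-age assumes static asset URLs change when
	# their content changes (hashed/versioned filenames); otherwise clients
	# will keep stale assets after a deploy.
	@static {
		path /static/*
	}
	header @static {
		Cache-Control "public, max-age=31536000, immutable"
	}

	# RSS feed caching
	@feed {
		path /feed.xml
	}
	header @feed {
		Cache-Control "public, max-age=300"
	}

	# API routes (no caching)
	@api {
		path /api/*
	}
	header @api {
		Cache-Control "no-store, no-cache, must-revalidate"
	}

	# Health check endpoint (monitoring systems)
	@health {
		path /health
	}
	header @health {
		Cache-Control "no-store, no-cache, must-revalidate"
	}
}

# Optional: Redirect www to non-www
# www.your-domain.com {
# 	redir https://your-domain.com{uri} permanent
# }

# Optional: Multiple domains
# another-domain.com {
# 	reverse_proxy localhost:8000
# }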