Implements Phase 5 containerization specification:
- Add /health endpoint for container monitoring
- Create multi-stage Containerfile (Podman/Docker compatible)
- Add compose.yaml for orchestration
- Add Caddyfile.example for reverse proxy (auto-HTTPS)
- Add nginx.conf.example as alternative
- Update .env.example with container and RSS feed variables
- Add gunicorn WSGI server to requirements.txt

Container features:
- Multi-stage build for smaller image size
- Non-root user (starpunk:1000)
- Health check with database connectivity test
- Volume mount for data persistence
- Resource limits and logging configuration
- Security headers and HTTPS configuration examples

Health check endpoint:
- Tests database connectivity
- Verifies filesystem access
- Returns JSON with status, version, and environment

Following Phase 5 design in docs/designs/phase-5-rss-and-container.md
Caddyfile
# Caddyfile for StarPunk Reverse Proxy
|
|
# Caddy automatically handles HTTPS with Let's Encrypt
|
|
#
|
|
# Installation:
|
|
# 1. Install Caddy: https://caddyserver.com/docs/install
|
|
# 2. Copy this file: cp Caddyfile.example Caddyfile
|
|
# 3. Update your-domain.com to your actual domain
|
|
# 4. Run: caddy run --config Caddyfile
|
|
#
|
|
# Systemd service:
|
|
# sudo systemctl enable --now caddy
|
|
|
|
# Replace with your actual domain
|
|
your-domain.com {
|
|
# Reverse proxy to StarPunk container
|
|
# Container must be running on localhost:8000
|
|
reverse_proxy localhost:8000
|
|
|
|
# Logging
|
|
log {
|
|
output file /var/log/caddy/starpunk.log {
|
|
roll_size 10MiB
|
|
roll_keep 10
|
|
}
|
|
format console
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
# Remove server identification
|
|
-Server
|
|
|
|
# HSTS - force HTTPS for 1 year
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
|
|
# Prevent MIME type sniffing
|
|
X-Content-Type-Options "nosniff"
|
|
|
|
# Prevent clickjacking
|
|
X-Frame-Options "DENY"
|
|
|
|
# XSS protection (legacy browsers)
|
|
X-XSS-Protection "1; mode=block"
|
|
|
|
# Referrer policy
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
|
|
# Content Security Policy (adjust as needed)
|
|
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
|
|
}
|
|
|
|
# Compression
|
|
encode gzip zstd
|
|
|
|
# Static file caching
|
|
@static {
|
|
path /static/*
|
|
}
|
|
header @static {
|
|
Cache-Control "public, max-age=31536000, immutable"
|
|
}
|
|
|
|
# RSS feed caching
|
|
@feed {
|
|
path /feed.xml
|
|
}
|
|
header @feed {
|
|
Cache-Control "public, max-age=300"
|
|
}
|
|
|
|
# API routes (no caching)
|
|
@api {
|
|
path /api/*
|
|
}
|
|
header @api {
|
|
Cache-Control "no-store, no-cache, must-revalidate"
|
|
}
|
|
|
|
# Health check endpoint (monitoring systems)
|
|
@health {
|
|
path /health
|
|
}
|
|
header @health {
|
|
Cache-Control "no-store, no-cache, must-revalidate"
|
|
}
|
|
}
|
|
|
|
# Optional: Redirect www to non-www
|
|
# www.your-domain.com {
|
|
# redir https://your-domain.com{uri} permanent
|
|
# }
|
|
|
|
# Optional: Multiple domains
|
|
# another-domain.com {
|
|
# reverse_proxy localhost:8000
|
|
# }
|
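Review bot: The `@health` block near the end of the site only sets Cache-Control, so `/health` — which the commit description says returns version and environment details — is served to any client once the proxy is public, while a monitoring route like this is normally limited to the hosts that poll it. Caddy can restrict it with a negated `remote_ip` matcher placed before the `reverse_proxy` line, as sketched below (`private_ranges` is a built-in shorthand; the choice of ranges is a constructed example to adjust to the actual monitoring source). Two smaller points in the same `header` block: `X-XSS-Protection "1; mode=block"` is deprecated and current guidance is to send `X-XSS-Protection "0"` or drop the line, and the HSTS value's `preload` token commits every subdomain to HTTPS for as long as the domain stays on the preload list, which an `.example` file should say, e.g. `# 'preload' is effectively irreversible once submitted to hstspreload.org — remove it if unsure`.
```caddyfile
your-domain.com {
    # Allow the health endpoint only from loopback/private ranges (monitoring hosts)
    @health_external {
        path /health
        not remote_ip private_ranges
    }
    respond @health_external 403

    # … unchanged: reverse_proxy, log, header, encode and caching matchers …
```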