Konfigurationsdateien für SSL und Docker hinzugefügt

2025-05-26 09:06:41 +02:00
parent 286ad6eb15
commit 4feb3cab9d
2 changed files with 206 additions and 0 deletions
--- a/frontend/docker/caddy/Caddyfile_copy
+++ b/frontend/docker/caddy/Caddyfile_copy
@@ -0,0 +1,111 @@
+{
+    debug
+    auto_https disable_redirects
+}
+
+# Produktionsumgebung - Spezifischer Hostname für Mercedes-Benz Werk 040 Berlin
+m040tbaraspi001.de040.corpintra.net {
+    # TLS mit selbstsignierten Zertifikaten für die Produktionsumgebung
+    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key {
+        protocols tls1.2 tls1.3
+    }
+
+    # API Anfragen zum Backend (Raspberry Pi) weiterleiten
+    @api {
+        path /api/* /health
+    }
+    handle @api {
+        uri strip_prefix /api
+        reverse_proxy raspberrypi:443 {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Alle anderen Anfragen zum Frontend weiterleiten
+    handle {
+        reverse_proxy myp-rp-dev:3000 {
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # OAuth Callbacks
+    @oauth path /auth/login/callback*
+    handle @oauth {
+        header Cache-Control "no-cache"
+        reverse_proxy myp-rp-dev:3000
+    }
+    
+    # Produktions-Header
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+    }
+}
+
+# Entwicklungsumgebung - Localhost und Raspberry Pi Backend (weiterhin für lokale Entwicklung verfügbar)
+localhost, 127.0.0.1 {
+    # API Anfragen zum Raspberry Pi Backend weiterleiten
+    @api {
+        path /api/* /health
+    }
+    handle @api {
+        uri strip_prefix /api
+        reverse_proxy raspberrypi:443 {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Alle anderen Anfragen zum Frontend weiterleiten
+    handle {
+        reverse_proxy myp-rp-dev:3000 {
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # TLS für lokale Entwicklung
+    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key
+
+    # OAuth Callbacks für Entwicklung
+    @oauth path /auth/login/callback*
+    handle @oauth {
+        header Cache-Control "no-cache"
+        reverse_proxy myp-rp-dev:3000
+    }
+    
+    # Entwicklungsfreundliche Header
+    header {
+        # Weniger restriktive Sicherheitsheader für Entwicklung
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        
+        # Keine Caches für Entwicklung
+        Cache-Control "no-store, no-cache, must-revalidate"
+        
+        # CORS für Entwicklung
+        Access-Control-Allow-Origin "*"
+        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+        Access-Control-Allow-Headers "Content-Type, Authorization"
+    }
+}