final-cleanup: Produktionsfertige Konfiguration - Alle Ports auf 443 vereinheitlicht, TLS-Zertifikate vorgeneriert, Zentraler Installer erstellt

2025-05-26 22:16:22 +02:00
parent 7aa70cf976
commit f719f74195
40 changed files with 598 additions and 11815 deletions


@@ -1,76 +1,36 @@
{
debug
auto_https off
local_certs
# HTTP to HTTPS redirect
:80 {
redir https://{host}{uri} permanent
}
# Produktionsumgebung - Frontend auf Port 80/443 mit selbstsigniertem Zertifikat
:80, :443 {
# TLS mit automatisch generierten selbstsignierten Zertifikaten
tls internal {
on_demand
}
# API Anfragen zum Backend (Raspberry Pi) weiterleiten
@api {
path /api/* /health
}
handle @api {
uri strip_prefix /api
reverse_proxy raspberrypi:443 {
transport http {
tls
tls_insecure_skip_verify
}
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
# Alle anderen Anfragen zum Frontend weiterleiten (auf Port 80 intern)
handle {
reverse_proxy frontend:80 {
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
# OAuth Callbacks
@oauth path /auth/login/callback*
handle @oauth {
header Cache-Control "no-cache"
reverse_proxy frontend:80
}
# HTTPS Frontend
m040tbaraspi001.de040.corpintra.net:443 {
# TLS configuration with custom certificates
tls /etc/ssl/certs/myp/frontend.crt /etc/ssl/certs/myp/frontend.key
# Produktions-Header
# Security headers
header {
# Enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# XSS Protection
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
# CSP
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://raspberrypi;"
# Remove server header
-Server
}
}
# Spezifische Hostname-Konfiguration für Mercedes-Benz Werk 040 Berlin (falls benötigt)
m040tbaraspi001.de040.corpintra.net {
# TLS mit automatisch generierten selbstsignierten Zertifikaten
tls internal {
on_demand
# Health check endpoint
handle /health {
respond "OK" 200
}
# API Anfragen zum Backend (Raspberry Pi) weiterleiten
@api {
path /api/* /health
}
handle @api {
uri strip_prefix /api
reverse_proxy raspberrypi:443 {
# API proxy to backend
handle /api/* {
reverse_proxy https://raspberrypi {
transport http {
tls
tls_insecure_skip_verify
}
header_up Host {upstream_hostport}
@@ -79,85 +39,27 @@ m040tbaraspi001.de040.corpintra.net {
header_up X-Forwarded-Proto {scheme}
}
}
# Alle anderen Anfragen zum Frontend weiterleiten
handle {
reverse_proxy frontend:80 {
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
# OAuth Callbacks
@oauth path /auth/login/callback*
handle @oauth {
header Cache-Control "no-cache"
reverse_proxy frontend:80
# Frontend application
reverse_proxy frontend-app:3000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
# Produktions-Header
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
# Logging
log {
output file /var/log/caddy/access.log
format json
}
# Enable compression
encode gzip
}
# Entwicklungsumgebung - Localhost und Raspberry Pi Backend (weiterhin für lokale Entwicklung verfügbar)
localhost, 127.0.0.1 {
# API Anfragen zum Raspberry Pi Backend weiterleiten
@api {
path /api/* /health
}
handle @api {
uri strip_prefix /api
reverse_proxy raspberrypi:443 {
transport http {
tls
tls_insecure_skip_verify
}
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
# Alle anderen Anfragen zum Frontend weiterleiten
handle {
reverse_proxy myp-rp-dev:3000 {
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
# TLS für lokale Entwicklung
tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key
# OAuth Callbacks für Entwicklung
@oauth path /auth/login/callback*
handle @oauth {
header Cache-Control "no-cache"
reverse_proxy myp-rp-dev:3000
}
# Entwicklungsfreundliche Header
header {
# Weniger restriktive Sicherheitsheader für Entwicklung
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
# Keine Caches für Entwicklung
Cache-Control "no-store, no-cache, must-revalidate"
# CORS für Entwicklung
Access-Control-Allow-Origin "*"
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Content-Type, Authorization"
}
}
# Fallback for direct IP access
192.168.0.109:443 {
tls /etc/ssl/certs/myp/frontend.crt /etc/ssl/certs/myp/frontend.key
redir https://m040tbaraspi001.de040.corpintra.net{uri} permanent
}
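Review bot: The production API proxy `reverse_proxy https://raspberrypi` still sets `tls_insecure_skip_verify` in its transport, so any host that can answer for the name `raspberrypi` on the container/LAN network can terminate that TLS session and read or alter API traffic, including whatever credentials the frontend forwards to the backend. Since this commit ships pre-generated certificates, the backend certificate (or the CA that issued it) can be pinned instead of skipped: replace `tls_insecure_skip_verify` with `tls_trust_pool file /etc/ssl/certs/myp/backend.crt` (on Caddy releases before 2.8: `tls_trusted_ca_certs /etc/ssl/certs/myp/backend.crt`), adding `tls_server_name` if the certificate's SAN does not match `raspberrypi`; the path is a guess modelled on the frontend cert path and must be confirmed against the installer. Two smaller points in the same `m040tbaraspi001.de040.corpintra.net:443` block: the CSP grants `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of the XSS protection a CSP provides, so a comment naming the frontend code that requires it plus a TODO to move to nonces or hashes would help the next maintainer, and `X-XSS-Protection "1; mode=block"` is deprecated — current guidance is `X-XSS-Protection "0"` or omitting the header, because the legacy filter itself caused information leaks in older browsers. Whether the transport lines are newly added or context carried over from the previous version cannot be told from this rendered view, but they are on the production path either way.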