# MYP reverse proxy configuration
#
# Caddy in front of the backend API and the frontend app: routing, upstream
# load balancing and response headers. With `auto_https off` (below) this
# instance does not terminate TLS itself; see the note on that option.
{
    # --- Global options ---

    # Verbose logging of Caddy internals; meant for development only.
    debug

    # Turns automatic HTTPS off completely: no certificate management and no
    # HTTP->HTTPS redirects. All sites in this file are served over plain
    # HTTP unless a separate TLS terminator sits in front of this proxy.
    auto_https off

    # Use Caddy's internal, locally trusted CA for certificates. Only takes
    # effect if a site enables TLS (not the case while auto_https is off).
    local_certs

    # Contact address for ACME accounts; likewise unused while auto_https is off.
    email admin@mercedes-benz.com
}
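# Main site: public entry point of the application
{$CADDY_HOST:localhost}, {$CADDY_DOMAIN:myp.local} {

    # === OAuth / authentication ===
    # Auth routes that belong to the frontend. `handle` blocks are mutually
    # exclusive and evaluated first-match; named matchers with several paths
    # are not reordered by specificity, so this block MUST come before
    # `handle @api` (whose /auth/* would otherwise swallow these paths and
    # send the login callback to the backend).
    @oauth {
        path /auth/login/callback*
        path /auth/logout*
        path /auth/verify*
    }

    handle @oauth {
        # Never cache auth responses
        header Cache-Control "no-cache, no-store, must-revalidate"
        header Pragma "no-cache"
        header Expires "0"

        reverse_proxy frontend:3000
    }

    # === API routes ===
    # Backend API endpoints
    @api {
        path /api/*
        path /health
        path /auth/*
        path /swagger/*
        path /docs/*
    }

    handle @api {
        # Drop the /api prefix before forwarding; the other @api paths
        # (/health, /auth/*, /swagger/*, /docs/*) are forwarded unchanged.
        uri strip_prefix /api

        # Backend upstreams (load balancing for high availability)
        reverse_proxy {
            to backend:5000

            # Active health checks
            health_uri /health
            health_interval 30s
            health_timeout 10s

            # Load balancing
            lb_policy round_robin

            # Passive health: an upstream is taken out of rotation for
            # fail_duration once it has accumulated max_fails failures
            fail_duration 30s
            max_fails 3

            # Forwarded headers. X-Forwarded-For is *set* to the direct peer,
            # which discards any client-supplied value: right when this proxy
            # is the edge, but the real client address is lost if another
            # proxy sits in front. {scheme} is "http" while auto_https is off.
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
        }
    }

    # === Static assets ===
    @static {
        path *.js *.css *.png *.jpg *.jpeg *.gif *.svg *.ico *.woff *.woff2 *.ttf *.eot
        path /_next/static/*
        path /static/*
        path /assets/*
    }

    handle @static {
        # Aggressive caching for static content
        header Cache-Control "public, max-age=31536000, immutable"
        header Vary "Accept-Encoding"

        # Compression
        encode gzip zstd

        reverse_proxy frontend:3000
    }

    # === Frontend application (catch-all) ===
    handle {
        # Dynamic content: no caching
        header Cache-Control "no-cache, no-store, must-revalidate"
        header Pragma "no-cache"

        # Frontend upstream
        reverse_proxy {
            to frontend:3000

            # Active health checks
            health_uri /
            health_interval 30s
            health_timeout 10s

            # Forwarded headers (same remarks as for the backend block)
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
        }
    }

    # === Security headers ===
    # Applied to every response of this site. Responses produced inside
    # handle_errors below are a separate route and do not get these headers.
    header {
        # HSTS. Browsers only honour this header over HTTPS, so with
        # auto_https off it is inert unless TLS is terminated in front of
        # Caddy. `preload` is a long-lived commitment for the whole domain;
        # do not send it from a development host.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Content Security Policy. 'unsafe-inline' and 'unsafe-eval' in
        # script-src remove most of the XSS protection CSP can provide;
        # tighten (nonces/hashes) once the frontend build allows it.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-src 'none'; object-src 'none'; base-uri 'self'"

        # MIME sniffing and framing
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        # Legacy header; current guidance is to send "0" or drop it and rely
        # on CSP instead.
        X-XSS-Protection "1; mode=block"

        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"

        # Permissions Policy (formerly Feature Policy)
        Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"

        # Hide server fingerprinting headers
        -Server
        -X-Powered-By
    }

    # === Logging ===
    log {
        output file /var/log/caddy/myp-access.log {
            roll_size 100mb
            roll_keep 5
            roll_keep_for 720h
        }
        format json
        level INFO
    }

    # === Rate limiting ===
    # `rate_limit` is not a built-in directive: this file only loads in a
    # Caddy build that includes the rate-limit plugin (and, depending on the
    # plugin version, an `order rate_limit ...` global option). Neither zone
    # has a `match` block, so presumably both count every request and the
    # tighter api_calls limit effectively applies to all traffic — verify.
    rate_limit {
        zone static_files {
            key {remote_host}
            events 1000
            window 1m
        }
        zone api_calls {
            key {remote_host}
            events 100
            window 1m
        }
    }

    # === Error handling ===
    # file_server resolves root + request path. The original rewrite to
    # /errors/NNN.html combined with root /usr/share/caddy/errors pointed at
    # /usr/share/caddy/errors/errors/NNN.html; the pages are assumed to live
    # directly at /usr/share/caddy/errors/NNN.html — TODO confirm against
    # the image/volume layout.
    handle_errors {
        @502 expression `{http.error.status_code} == 502`
        handle @502 {
            rewrite * /502.html
            file_server {
                root /usr/share/caddy/errors
            }
        }

        @503 expression `{http.error.status_code} == 503`
        handle @503 {
            rewrite * /503.html
            file_server {
                root /usr/share/caddy/errors
            }
        }
    }

    # === Development features ===
    # WebSocket support for hot reload. reverse_proxy already passes Upgrade
    # requests through, and the catch-all `handle` above precedes this block,
    # so (assuming in-order evaluation) it is expected to be redundant; kept
    # for explicitness.
    @websocket {
        header Connection *Upgrade*
        header Upgrade websocket
    }

    handle @websocket {
        reverse_proxy frontend:3000
    }
}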
# === Monitoring endpoints (development only) ===
monitoring.{$CADDY_DOMAIN:myp.local} {
    # Basic authentication in front of everything on this host. Caddy orders
    # `basicauth` before `handle`, so it runs first regardless of where it is
    # written. The bcrypt hash is committed with the config: rotate the
    # credential if this file has been shared and prefer an environment
    # placeholder for the hash.
    basicauth /* {
        admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqBZnp6N5i8rGjW5h3qK4/tW
    }

    # Prometheus metrics
    handle /metrics {
        reverse_proxy prometheus:9090
    }

    # Grafana dashboards. handle_path strips the matched /grafana prefix
    # before proxying (same as handle + `uri strip_prefix /grafana`).
    handle_path /grafana/* {
        reverse_proxy grafana:3000
    }

    # Caddy admin API. Anyone holding the basic-auth credential gets full
    # runtime control of this proxy (including replacing its configuration)
    # over the network; keep this route out of anything but local
    # development. The admin endpoint presumably also checks the
    # Host/Origin of requests, so proxied calls may be rejected — confirm.
    handle /admin/* {
        reverse_proxy localhost:2019
    }
}
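# === Health checks ===
health.{$CADDY_DOMAIN:myp.local} {
    # Liveness of the proxy itself
    respond /health "OK" 200

    # Backend health. reverse_proxy upstream addresses may only carry scheme,
    # host and port — `backend:5000/health` is rejected when the config is
    # loaded — so the upstream path is set with a rewrite instead.
    handle /backend/health {
        rewrite * /health
        reverse_proxy backend:5000
    }

    # Frontend health. The request path /frontend/health is forwarded
    # unchanged; presumably the frontend serves that route — verify, or add
    # a rewrite as in the backend block.
    handle /frontend/health {
        reverse_proxy frontend:3000
    }
}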