{
# Global options. This instance does no TLS of its own (auto_https off); as
# noted below, its hop behind the fly edge is plaintext. The admin API is
# disabled and the running config is not persisted to disk.
auto_https off
admin off
persist_config off
# Trust fly's private network so caddy preserves X-Forwarded-Proto/For/Host
# from the fly edge instead of overwriting them. Without this, caddy sets
# X-Forwarded-Proto=http (its own hop is plaintext), contradicting fly's
# https value, and gunicorn rejects the request as InvalidSchemeHeaders.
# trusted_proxies_strict parses X-Forwarded-For right-to-left to resist
# spoofing from appending edges (CF/Fly). client_ip_headers makes
# request.client_ip in access logs resolve to CF-Connecting-IP (the real
# user) rather than the closest untrusted hop, which is fly's public edge.
#
# NOTE(review): because every private-range peer is trusted, caddy accepts
# CF-Connecting-IP from any request that arrives over fly's private network.
# The resulting client_ip is only as reliable as the guarantee that all
# traffic enters through Cloudflare; if the fly edge can be reached directly,
# the sender chooses the value. Confirm the origin is restricted to
# Cloudflare before relying on client_ip for rate limiting, allowlisting or
# attribution in incident response.
servers {
trusted_proxies static private_ranges
trusted_proxies_strict
client_ip_headers CF-Connecting-IP
}
}
:8080 {
# Structured access log. Default caddy json is ~1.5 KB/line; this filter
# drops well-known noise (cookie, accept-*, sec-fetch-*, fly-*, resp
# headers) to keep each line under ~400 bytes. client_ip + User-Agent +
# Cf-Ray are preserved for debugging and correlation with CF analytics.
#
# NOTE(review): the raw X-Forwarded-For, Cf-Connecting-Ip and
# Fly-Forwarded-For headers are deleted, so the derived client_ip is the only
# client address recorded apart from remote_ip. If client_ip is ever wrong or
# forged, the forwarding chain cannot be reconstructed from these logs.
# Fly-Request-Id is deleted as well, leaving Cf-Ray as the only correlation id.
# NOTE(review): Authorization is not in the delete list; this presumably
# relies on caddy's default redaction of credential headers (in effect unless
# log_credentials is set) - confirm.
log {
output stdout
format filter {
wrap json
fields {
resp_headers delete
bytes_read delete
user_id delete
request>remote_port delete
request>proto delete
request>headers>Accept delete
request>headers>Accept-Encoding delete
request>headers>Accept-Language delete
request>headers>Cookie delete
request>headers>Upgrade-Insecure-Requests delete
request>headers>Cache-Control delete
request>headers>Priority delete
request>headers>Dnt delete
request>headers>Te delete
request>headers>Connection delete
request>headers>Sec-Ch-Ua delete
request>headers>Sec-Ch-Ua-Mobile delete
request>headers>Sec-Ch-Ua-Platform delete
request>headers>Sec-Fetch-Dest delete
request>headers>Sec-Fetch-Mode delete
request>headers>Sec-Fetch-Site delete
request>headers>Sec-Fetch-User delete
request>headers>Via delete
# Forwarding headers: dropped from the log only; see the note above on what
# that removes from the audit trail.
request>headers>X-Forwarded-For delete
request>headers>X-Forwarded-Proto delete
request>headers>Cf-Connecting-Ip delete
request>headers>Fly-Forwarded-For delete
request>headers>Fly-Forwarded-Port delete
request>headers>Fly-Forwarded-Ssl delete
request>headers>Fly-Forwarded-Proto delete
request>headers>Fly-Region delete
request>headers>Fly-Request-Id delete
request>headers>Cdn-Loop delete
}
}
}
# Upstream is addressed on IPv6 loopback, port 8081.
reverse_proxy [::1]:8081 {
# Drain gunicorn's response as fast as possible into caddy's memory
# so a slow client cannot park the upstream worker. 256 KB is well
# above the ~67 KB worst-case explain response observed in prod.
#
# NOTE(review): this buffers the response direction only. No
# request_buffers is set, so request bodies are presumably still streamed
# to the upstream, and a client that sends a body slowly could hold a
# worker for as long. Confirm whether any endpoint accepts request bodies.
response_buffers 256KB
}
}