Build [v1.9.15] (The Dynamic Shield: On-Demand TLS Catch-all)
This commit is contained in:
@@ -1,23 +1,33 @@
|
||||
# TFM aInventory - Caddy Patched IP Configuration
|
||||
# Version 1.9.14 - Protocol Lock & Debug Mode
|
||||
# Version 1.9.15 - The Dynamic Shield (On-Demand TLS)
|
||||
{
|
||||
admin off
|
||||
debug
|
||||
debug
|
||||
|
||||
# Global TLS options for self-signed certificates
|
||||
local_certs
|
||||
local_certs
|
||||
skip_install_trust
|
||||
skip_install_trust
|
||||
|
||||
# Configure on-demand TLS for private network IPs
|
||||
on_demand_tls {
|
||||
# Using a dummy check or local health endpoint to allow any IP in private range
|
||||
# For simplicity in this env, we use the frontend's existence as the check
|
||||
ask http://frontend:3000/api/health
|
||||
}
|
||||
}
|
||||
|
||||
# Dynamic SSL Proxy (Matches ANY IP or hostname)
|
||||
https://:443 {
|
||||
tls internal
|
||||
reverse_proxy frontend:3000
|
||||
https:// {
|
||||
tls internal {
|
||||
on_demand
|
||||
}
|
||||
|
||||
# Route based on the port (Caddy handles multiple listeners in this catch-all)
|
||||
# But since we have specific container ports, we'll split them for clarity
|
||||
# to avoid port collision in the catch-all.
|
||||
reverse_proxy frontend:3000
|
||||
|
||||
header {
|
||||
header {
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
X-XSS-Protection "1; mode=block"
|
||||
X-Content-Type-Options "nosniff"
|
||||
@@ -27,8 +37,10 @@ https://:443 {
|
||||
}
|
||||
|
||||
# Specific port listener for backend (8918 -> 444)
|
||||
https://:444 {
|
||||
https://:444 {
|
||||
tls internal {
|
||||
reverse_proxy backend:8000
|
||||
on_demand
|
||||
}
|
||||
reverse_proxy backend:8000
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user