########################################################
# Global Caddy configuration
########################################################
{
	# Admin API is off unless CADDY_ADMIN is set. When enabled it is a
	# read/write endpoint for the running config, so keep it on a loopback
	# or unix socket address rather than an externally reachable one.
	admin {$CADDY_ADMIN:off}
	# Selects auto-https/on.caddyfile or auto-https/off.caddyfile (default: off).
	# The imported files are not part of this page.
	import auto-https/{$CADDY_AUTO_HTTPS:off}.caddyfile
	# Unprivileged (>1024) default ports; override per deployment via env.
	http_port {$CADDY_HTTP_PORT:8080}
	https_port {$CADDY_HTTPS_PORT:8443}
	# Do not try to install Caddy's local CA root into the system trust store.
	skip_install_trust
	# Match serversideup/php log levels to Caddy global log levels
	import log-level/global/{$LOG_OUTPUT_LEVEL:info}.caddyfile
	# FrankenPHP runtime options. Each line is spliced verbatim from the
	# environment: whoever controls these variables controls the server config.
	frankenphp {
		{$FRANKENPHP_CONFIG}
		{$CADDY_SERVER_WORKER_DIRECTIVE}
		{$CADDY_SERVER_WATCH_DIRECTIVES}
	}
	servers {
		# Trust Docker/private networks + loopback + Cloudflare ranges
		# NOTE(review): when the TCP peer is in one of these ranges, the client IP
		# is taken from the headers configured below. Any host on the private
		# ranges can therefore set the client IP that logs, rate limits and IP
		# allowlists see; a non-Cloudflare front proxy must strip or overwrite
		# CF-Connecting-IP. The Cloudflare list is a static snapshot and needs
		# periodic refresh against Cloudflare's published ranges.
		# NOTE(review): 127.0.0.1/8 has host bits set; the canonical loopback
		# prefix is 127.0.0.0/8 — confirm the parser masks it, or rewrite it.
		trusted_proxies static \
			10.0.0.0/8 \
			172.16.0.0/12 \
			192.168.0.0/16 \
			127.0.0.1/8 \
			::1 \
			fd00::/8 \
			173.245.48.0/20 \
			103.21.244.0/22 \
			103.22.200.0/22 \
			103.31.4.0/22 \
			141.101.64.0/18 \
			108.162.192.0/18 \
			190.93.240.0/20 \
			188.114.96.0/20 \
			197.234.240.0/22 \
			198.41.128.0/17 \
			162.158.0.0/15 \
			104.16.0.0/13 \
			104.24.0.0/14 \
			172.64.0.0/13 \
			131.0.72.0/22 \
			2400:cb00::/32 \
			2606:4700::/32 \
			2803:f800::/32 \
			2405:b500::/32 \
			2405:8100::/32 \
			2a06:98c0::/29 \
			2c0f:f248::/32
		# Prefer Cloudflare's header; keep XFF as fallback
		# Per the Caddy docs the first listed header that is present wins, and
		# without trusted_proxies_strict the first IP in X-Forwarded-For is used —
		# which is client-supplied if the front proxy appends instead of replacing.
		# Confirm the proxy's behaviour, or consider trusted_proxies_strict.
		client_ip_headers CF-Connecting-IP X-Forwarded-For
	}
	# Free-form global options spliced from the environment.
	{$CADDY_GLOBAL_OPTIONS}
}
########################################################
# Common snippets
########################################################
(auto-https-off) {
	# Manual TLS from an operator-supplied certificate and private key.
	# Neither variable has a default: if unset they expand to empty and leave a
	# bare `tls` line — TODO confirm how the loader treats that before relying on it.
	tls {$SSL_CERTIFICATE_FILE} {$SSL_PRIVATE_KEY_FILE}
}
(auto-https-on) {
	# Intentionally empty: with auto_https enabled Caddy manages certificates
	# itself, so no tls directive is needed here.
}
# Common app logic; reused across all modes
(php-app-common) {
	# Document root. Only files below this path are reachable through the
	# file_server below; the application source above it is not.
	root * {$CADDY_SERVER_ROOT:/var/www/html/public}
	# Compression applies to PHP responses too. Endpoints that reflect
	# user-controlled input next to secrets are exposed to BREACH-style
	# leakage when compressed; keep that in mind for such responses.
	encode zstd br gzip
	# Match serversideup/php log levels to Caddy address log levels
	import log-level/address/{$LOG_OUTPUT_LEVEL:info}.caddyfile
	# Caddy's own healthcheck: answered by Caddy with a static "OK" (no PHP)
	# and kept out of the access log. Unauthenticated, which is fine for a
	# response that carries no information.
	@caddy-healthcheck {
		path /healthcheck
	}
	respond @caddy-healthcheck "OK" 200
	log_skip @caddy-healthcheck
	# App-level healthcheck path: only the log suppression is defined here.
	# With the default value it coincides with /healthcheck above, which the
	# respond directive presumably answers before PHP sees it — confirm.
	@healthcheckpath {
		path {$HEALTHCHECK_PATH:/healthcheck}
	}
	log_skip @healthcheckpath
	# PHP handling via FrankenPHP; extra options spliced from the environment.
	php_server {
		{$CADDY_PHP_SERVER_OPTIONS}
	}
	# NOTE(review): FrankenPHP's php_server already wraps a file server, so this
	# standalone file_server is likely redundant — confirm before removing.
	file_server
	import performance
	import security
	# Free-form site directives spliced from the environment.
	{$CADDY_SERVER_EXTRA_DIRECTIVES}
}
(performance) {
	# Favicon/robots are requested constantly; keep them out of the access log.
	@meta {
		path /favicon.ico /robots.txt
	}
	log_skip @meta
	# Long-lived static assets: one year, marked immutable. Matches on path
	# suffix only, so a PHP route ending in one of these suffixes gets it too.
	# NOTE(review): stale-while-revalidate takes a delta-seconds argument
	# (RFC 5861); without one, clients ignore that token — confirm intended.
	@static path *.css *.css.map *.js *.js.map *.jpg *.jpeg *.png *.gif *.ico *.cur *.heic *.webp *.tif *.tiff *.mp3 *.m4a *.aac *.ogg *.midi *.mid *.wav *.mp4 *.mov *.webm *.mpeg *.mpg *.avi *.ogv *.flv *.wmv *.htc *.gz *.svg *.svgz *.woff2 *.woff
	header @static {
		Cache-Control "public, immutable, stale-while-revalidate, max-age=31536000"
	}
	# Fonts and SVG may be embedded cross-origin; the cache header for the
	# overlapping suffixes still comes from @static above.
	@fonts path *.svg *.svgz *.ttf *.ttc *.otf *.eot *.woff *.woff2
	header @fonts {
		Access-Control-Allow-Origin "*"
	}
	# Short-lived static: revalidate on every use, keep at most an hour.
	@staticshort path *.json *.xml *.rss
	header @staticshort {
		Cache-Control "no-cache, max-age=3600"
	}
}
(security) {
	# Deny dot files (for example .env and .git/) and common backup, config,
	# editor-swap and source leftovers that must never be served.
	@rejected {
		path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
	}
	# Answer with 403 Forbidden. Reviewer note: a 403 still confirms the file
	# exists; respond with 404 instead if that distinction matters to you.
	respond @rejected 403
	# Response hardening. `defer` applies these after the response has been
	# generated, so they take precedence over headers set by the application.
	header {
		defer
		# Clickjacking: permit framing by the same origin only
		X-Frame-Options "SAMEORIGIN"
		# Disable MIME sniffing
		X-Content-Type-Options "nosniff"
		# Limit what the Referer header leaks cross-origin
		Referrer-Policy "strict-origin-when-cross-origin"
		# Strip server identification headers
		-Server
		-X-Powered-By
	}
	# Not set here: Content-Security-Policy and Permissions-Policy. Presumably
	# left to the application or a caddyfile.d drop-in — verify one of them does.
}
(security-https) {
	# HSTS for HTTPS listeners: one year, covering subdomains, no preload.
	# includeSubDomains commits every subdomain of the host to HTTPS, so make
	# sure all of them serve TLS before importing this snippet.
	# Where it is imported is not visible on this page (presumably the ssl-mode files).
	header {
		defer
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
	}
}
########################################################
# Dynamic imports
########################################################
# Pull in the per-mode listeners (off|mixed|full); the ssl-mode files are not shown here.
import ssl-mode/{$SSL_MODE:off}.caddyfile
# Add additional Caddy configuration files from the caddyfile.d directory.
# Every file matching the glob is loaded, so write access to that directory
# is equivalent to write access to this Caddyfile.
import caddyfile.d/*.caddyfile