From 8d0d565df9893254e0e42f7417ba088c59369573 Mon Sep 17 00:00:00 2001
From: James Loh
Date: Tue, 15 Jul 2025 15:44:28 +1000
Subject: [PATCH] Caddy: Move to more templated approach
no ref
- The goal here is to be able to provide more functionality to self-hosters through snippets and other segmented config
- Some customers run Admin <-> content domains on separate ones which our current config doesn't support
- Our current config also hardcodes a www redirect which complicates setups when you don't have that domain setup or don't even want it
- Moving to a default template customers will have to copy which includes snippets allows us to update these later on without breaking peoples setups
---
 .editorconfig | 3 ++
 .env.example | 6 +++-
 Caddyfile | 63 --------------------------------
 caddy/Caddyfile.example | 38 ++++++++++++++++++++
 caddy/snippets/ActivityPub | 13 +++++++
 caddy/snippets/Logging | 6 ++++
 caddy/snippets/TrafficAnalytics | 6 ++++
 compose.yml | 3 +-
 8 files changed, 73 insertions(+), 65 deletions(-)
 delete mode 100644 Caddyfile
 create mode 100644 caddy/Caddyfile.example
 create mode 100644 caddy/snippets/ActivityPub
 create mode 100644 caddy/snippets/Logging
 create mode 100644 caddy/snippets/TrafficAnalytics
diff --git a/.editorconfig b/.editorconfig
index a2a28b4..1519130 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -24,3 +24,6 @@ indent_size = 2
 [Makefile]
 indent_style = tab
+
+[Caddyfile]
+indent_style = tab
diff --git a/.env.example b/.env.example
index e8ae8f0..00c0467 100644
--- a/.env.example
+++ b/.env.example
@@ -23,9 +23,13 @@ DATABASE_PASSWORD=ghostpassword
 ENABLE_DEVELOPER_EXPERIMENTS=false
 # Developer Experiments must be enabled above
-ENABLE_ACTIVITYPUB=false
 ENABLE_TRAFFIC_ANALYTICS=false
+# ActivityPub
+ENABLE_ACTIVITYPUB=false
+# If you'd prefer to self-host ActivityPub yourself uncomment the below line
+# ACTIVITYPUB_TARGET=activitypub:8080
+
 # Tinybird configuration
 TINYBIRD_API_URL=https://api.tinybird.co
 TINYBIRD_TRACKER_TOKEN=p.eyJxxxxx
diff --git a/Caddyfile b/Caddyfile
deleted file mode 100644
index 913457b..0000000
--- a/Caddyfile
+++ /dev/null
@@ -1,63 +0,0 @@
-# Replace your-domain.com with your actual domain
-{$DOMAIN} {
- # Log all requests
- log {
- output stdout
- format console
- level INFO
- }
-
- # Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
- @analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
- handle @analytics_paths {
- rewrite * {re.analytics_match.2}
- reverse_proxy traffic-analytics:3000
- }
-
- # ActivityPub
- # Proxy activitypub requests /.ghost/activitypub/
- handle /.ghost/activitypub/* {
- reverse_proxy https://ap.ghost.org
- }
-
- handle /.well-known/webfinger {
- reverse_proxy https://ap.ghost.org
- }
-
- handle /.well-known/nodeinfo {
- reverse_proxy https://ap.ghost.org
- }
-
- # Default proxy everything else to Ghost
- handle {
- reverse_proxy ghost:2368
- }
-
- # Optional: Enable gzip compression
- encode gzip
-
- # Optional: Add security headers
- header {
- # Enable HSTS
- Strict-Transport-Security max-age=31536000;
- # Prevent embedding in frames
- X-Frame-Options DENY
- # Enable XSS protection
- X-XSS-Protection "1; mode=block"
- # Prevent MIME sniffing
- X-Content-Type-Options nosniff
- # Referrer policy
- Referrer-Policy strict-origin-when-cross-origin
- }
-}
-
-# Redirect www to non-www (optional)
-www.{$DOMAIN} {
- # Log all requests
- log {
- output stdout
- format console
- level INFO
- }
- redir https://{$DOMAIN}{uri}
-}
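Review bot: The commented-out `# ACTIVITYPUB_TARGET=activitypub:8080` is consumed verbatim as the `reverse_proxy` upstream in caddy/snippets/ActivityPub, so the scheme matters: a bare host:port is proxied over plain HTTP, while the compose default `https://ap.ghost.org` is proxied over TLS, and the file says neither this nor what the value falls back to while the line stays commented. Suggest extending the comment above it to `# Used verbatim as the Caddy reverse_proxy upstream (default when unset: https://ap.ghost.org, set in compose.yml); a bare host:port is proxied over plain HTTP`. The `activitypub` host name refers to a compose service that is not part of this diff, so I cannot confirm it exists.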
diff --git a/caddy/Caddyfile.example b/caddy/Caddyfile.example
new file mode 100644
index 0000000..652e21a
--- /dev/null
+++ b/caddy/Caddyfile.example
@@ -0,0 +1,38 @@
+# Replace your-domain.com with your actual domain
+{$DOMAIN} {
+ import snippets/Logging
+
+ # Traffic Analytics service
+ import snippets/TrafficAnalytics
+
+ # ActivityPub Service
+ import snippets/ActivityPub
+
+ # Default proxy everything else to Ghost
+ handle {
+ reverse_proxy ghost:2368
+ }
+
+ # Optional: Enable gzip compression
+ encode gzip
+
+ # Optional: Add security headers
+ header {
+ # Enable HSTS
+ Strict-Transport-Security max-age=31536000;
+ # Prevent embedding in frames
+ X-Frame-Options DENY
+ # Enable XSS protection
+ X-XSS-Protection "1; mode=block"
+ # Prevent MIME sniffing
+ X-Content-Type-Options nosniff
+ # Referrer policy
+ Referrer-Policy strict-origin-when-cross-origin
+ }
+}
+
+# Redirect www to non-www (optional)
+www.{$DOMAIN} {
+ import snippets/Logging
+ redir https://{$DOMAIN}{uri}
+}
diff --git a/caddy/snippets/ActivityPub b/caddy/snippets/ActivityPub
new file mode 100644
index 0000000..e62d651
--- /dev/null
+++ b/caddy/snippets/ActivityPub
@@ -0,0 +1,13 @@
+# ActivityPub
+# Proxy activitypub requests /.ghost/activitypub/
+handle /.ghost/activitypub/* {
+ reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/webfinger {
+ reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/nodeinfo {
+ reverse_proxy {$ACTIVITYPUB_TARGET}
+}
diff --git a/caddy/snippets/Logging b/caddy/snippets/Logging
new file mode 100644
index 0000000..a0d6a66
--- /dev/null
+++ b/caddy/snippets/Logging
@@ -0,0 +1,6 @@
+# Log all requests
+log {
+ output stdout
+ format console
+ level INFO
+}
diff --git a/caddy/snippets/TrafficAnalytics b/caddy/snippets/TrafficAnalytics
new file mode 100644
index 0000000..53a81f2
--- /dev/null
+++ b/caddy/snippets/TrafficAnalytics
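Review bot: The first line `# Replace your-domain.com with your actual domain` is inherited from the deleted Caddyfile and no longer describes this file: the host comes from `{$DOMAIN}`, which compose.yml passes in from the environment, and the step a self-hoster actually has to take is copying this file to `caddy/Caddyfile` so it lands at /etc/caddy/Caddyfile under the `./caddy:/etc/caddy` mount. Suggest replacing it with `# Copy this file to caddy/Caddyfile; DOMAIN is read from the environment (see .env.example and compose.yml)`. The `www.{$DOMAIN}` site block is also still hard-coded although the commit message lists that redirect as a problem for setups without the hostname; Caddy manages a certificate for every site block it sees, so shipping it commented out with a one-line note on enabling it would match the stated intent. The inherited `X-XSS-Protection "1; mode=block"` line deserves a comment that it is a legacy header (current guidance is to omit it or set `0`, since the old browser filter it enables has itself been a cross-site leak vector), so people copying the template do not treat it as a live protection.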
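Review bot: `reverse_proxy {$ACTIVITYPUB_TARGET}` in all three handle blocks has no fallback of its own; the default exists only because compose.yml sets `ACTIVITYPUB_TARGET: ${ACTIVITYPUB_TARGET:-https://ap.ghost.org}`, so anyone loading this snippet with Caddy outside the compose file gets an empty upstream address, which I would expect to fail at config load. Caddyfile environment placeholders take an inline default, so the snippet can carry it itself: `reverse_proxy {$ACTIVITYPUB_TARGET:https://ap.ghost.org}`. Two further points are worth a comment at the top of the snippet now that it is meant to be reused: the routes are active regardless of `ENABLE_ACTIVITYPUB`, so `/.well-known/webfinger` and `/.well-known/nodeinfo` never reach Ghost even with the feature off, and a target given as a bare host:port (the `.env.example` suggestion `activitypub:8080`) is proxied over plain HTTP while the `https://` default is proxied over TLS.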
@@ -0,0 +1,6 @@
+# Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
+@analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
+handle @analytics_paths {
+ rewrite * {re.analytics_match.2}
+ reverse_proxy traffic-analytics:3000
+}
diff --git a/compose.yml b/compose.yml
index b1bc3be..420b90e 100644
--- a/compose.yml
+++ b/compose.yml
@@ -9,8 +9,9 @@ services:
 - "443:443"
 environment:
 DOMAIN: ${DOMAIN:?DOMAIN environment variable is required}
+ ACTIVITYPUB_TARGET: ${ACTIVITYPUB_TARGET:-https://ap.ghost.org}
 volumes:
- - ./Caddyfile:/etc/caddy/Caddyfile
+ - ./caddy:/etc/caddy
 - caddy_data:/data
 - caddy_config:/config
 depends_on:
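Review bot: `reverse_proxy traffic-analytics:3000` is left hard-coded in a snippet that, per the commit message, self-hosters are not expected to edit, whereas the ActivityPub snippet reads its upstream from the environment; the same pattern — a placeholder with an inline default such as `{$TRAFFIC_ANALYTICS_TARGET:traffic-analytics:3000}` (variable name chosen here for illustration) — would let a separate analytics host be configured without forking the snippet. The route is also unconditional: any path containing `/.ghost/analytics` is sent to that upstream whether or not the service is running, so with `ENABLE_TRAFFIC_ANALYTICS=false` those requests presumably get a 502 from Caddy rather than falling through to Ghost, which is worth stating in the comment above the matcher.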
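Review bot: `- ./caddy:/etc/caddy` mounts the configuration directory read-write although Caddy only reads it (its writable state goes to the separate `caddy_data` and `caddy_config` volumes); `- ./caddy:/etc/caddy:ro` keeps a misbehaving or compromised container from rewriting the host's proxy configuration. The mount also overlays the image's own /etc/caddy, and the repository now ships only `caddy/Caddyfile.example`, so a fresh checkout has no /etc/caddy/Caddyfile and Caddy will presumably fail to start until the example is copied — that step is stated in the commit message but nowhere in compose.yml; a comment on the volume line such as `# copy caddy/Caddyfile.example to caddy/Caddyfile before starting` would close the gap. `ACTIVITYPUB_TARGET` is consumed verbatim by `reverse_proxy` in caddy/snippets/ActivityPub, so the scheme in the default is significant; a trailing `# scheme selects plain HTTP vs TLS to the upstream` would make that visible where the default is defined.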