Major Changes: - Add dual SSH mode system (passthrough default, dedicated fallback) - Refactor domain configuration to use direct specification pattern - Fix critical fail2ban security gap in dedicated mode - Separate HTTP and SSH domains for cleaner Git URLs
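# Gitea Caddy Configuration - Rick-Infra
# Generated by Ansible Gitea role
# Deployed to {{ caddy_sites_enabled_dir }}/gitea.caddy
#
# Site block for the Gitea HTTP domain: proxies to the local Gitea
# listener, adds browser hardening headers, writes an access log and
# replaces Caddy-generated errors with a generic 503.

{{ gitea_http_domain }} {
    # Reverse proxy to Gitea over loopback.
    # NOTE(review): the headers below only protect traffic that passes
    # through Caddy; assumes Gitea itself listens on 127.0.0.1 only and is
    # not reachable directly from the network - confirm in the role's
    # Gitea configuration.
    reverse_proxy 127.0.0.1:{{ gitea_http_port }}

    # Security headers
    header {
        # Enable HSTS for one year. No includeSubDomains/preload is set, so
        # the policy covers this host name only.
        Strict-Transport-Security max-age=31536000;
        # Prevent embedding in frames (clickjacking)
        X-Frame-Options DENY
        # Prevent content type sniffing
        X-Content-Type-Options nosniff
        # Disable the legacy browser XSS auditor. The old "1; mode=block"
        # value is deprecated and the auditor itself could be abused to
        # introduce flaws in otherwise safe pages; XSS defence should come
        # from output encoding and a Content-Security-Policy instead.
        X-XSS-Protection "0"
    }

    # Logging
    # Access log entries contain client addresses and request URIs; keep
    # the log directory readable by the caddy user and administrators only.
    # No roll_* options are given, so Caddy's default rotation applies.
    log {
        output file /var/log/caddy/gitea_access.log
    }

    # Optional: Custom error pages
    # Applies to every error raised by Caddy while handling a request for
    # this site (for example when the Gitea upstream is unreachable); all
    # of them are reported to the client as 503. Error responses returned
    # by Gitea itself are passed through unchanged.
    handle_errors {
        respond "Git service temporarily unavailable" 503
    }
}

# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy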