34 lines
1017 B
Django/Jinja
34 lines
1017 B
Django/Jinja
# Authentik Caddy Configuration - Rick-Infra
|
|
# Generated by Ansible Authentik role
|
|
# Deployed to {{ caddy_sites_enabled_dir }}/authentik.caddy
|
|
|
|
{{ authentik_full_domain }} {
|
|
# Reverse proxy to Authentik
|
|
reverse_proxy 127.0.0.1:{{ authentik_http_port }}
|
|
|
|
# Security headers for authentication service
|
|
header {
|
|
# Enable HSTS
|
|
Strict-Transport-Security max-age=31536000;
|
|
# Prevent embedding in frames
|
|
X-Frame-Options DENY
|
|
# Prevent content type sniffing
|
|
X-Content-Type-Options nosniff
|
|
# XSS protection
|
|
X-XSS-Protection "1; mode=block"
|
|
# Referrer policy for privacy
|
|
Referrer-Policy strict-origin-when-cross-origin
|
|
}
|
|
|
|
# Logging
|
|
log {
|
|
output file /var/log/caddy/authentik_access.log
|
|
}
|
|
|
|
# Optional: Custom error pages
|
|
handle_errors {
|
|
respond "Authentication service temporarily unavailable" 503
|
|
}
|
|
}
|
|
|
|
# Rick-Infra: Containerized Authentik authentication service with Caddy reverse proxy |