88 admin off
99 persist_config off
1010
11- # Trust private network ranges for Fly.io
1211 servers {
1312 trusted_proxies static private_ranges
1413 }
2221
2322# ── Site Block ────────────────────────────────────────────────────────────────
2423:80 {
25- # Block only if (NOT /health) AND (domain NOT in whitelist)
26- @blocked {
27- not path /health
28- not host {$CADDY_DOMAINS:* }
24+ # Explicitly handle health checks
25+ handle /health {
26+ respond "OK" 200
2927 }
30- abort @blocked
3128
32- # Reverse proxy to application
29+ # Domain Whitelist Enforcement
30+ # If CADDY_DOMAINS is set, block everything else
31+ @outside_domain {
32+ expression `{env.CADDY_DOMAINS} != ""`
33+ not host {$CADDY_DOMAINS}
34+ }
35+ handle @outside_domain {
36+ respond "Access Denied: Domain not allowed" 403
37+ }
38+
39+ # Main application handling
3340 handle {
3441 encode zstd gzip
3542
36- # Security headers
3743 header {
38- # Infrastructure security
3944 Strict-Transport-Security "max-age=31536000;"
4045 X-Content-Type-Options "nosniff"
4146 X-Frame-Options "DENY"
4247 X-XSS-Protection "1; mode=block"
43-
44- # Privacy & Permissions
4548 Referrer-Policy "strict-origin-when-cross-origin"
4649 Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
4750 X-Robots-Tag "noindex, nofollow"
48-
49- # Fingerprint removal
5051 -Server
5152 -X-Powered-By
5253 -Last-Modified
5354 }
5455
5556 reverse_proxy localhost:8080 {
56- header_up X-Real-IP {http.request.header.Fly-Client-IP:{remote_host} }
57- header_up X-Forwarded-For {http.request.header.Fly-Client-IP:{remote_host} }
57+ header_up X-Real-IP {http.request.header.Fly-Client-IP}
58+ header_up X-Forwarded-For {http.request.header.Fly-Client-IP}
5859 }
5960 }
6061}
0 commit comments