Skip to content

Commit 8343b5a

Browse files
committed
fix: use explicit expression for domain blocking and improve IP forwarding
1 parent b80bbbe commit 8343b5a

1 file changed

Lines changed: 16 additions & 15 deletions

File tree

config/Caddyfile

Lines changed: 16 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,6 @@
88
admin off
99
persist_config off
1010

11-
# Trust private network ranges for Fly.io
1211
servers {
1312
trusted_proxies static private_ranges
1413
}
@@ -22,39 +21,41 @@
2221

2322
# ── Site Block ────────────────────────────────────────────────────────────────
2423
:80 {
25-
# Block only if (NOT /health) AND (domain NOT in whitelist)
26-
@blocked {
27-
not path /health
28-
not host {$CADDY_DOMAINS:*}
24+
# Explicitly handle health checks
25+
handle /health {
26+
respond "OK" 200
2927
}
30-
abort @blocked
3128

32-
# Reverse proxy to application
29+
# Domain Whitelist Enforcement
30+
# If CADDY_DOMAINS is set, block everything else
31+
@outside_domain {
32+
expression `{env.CADDY_DOMAINS} != ""`
33+
not host {$CADDY_DOMAINS}
34+
}
35+
handle @outside_domain {
36+
respond "Access Denied: Domain not allowed" 403
37+
}
38+
39+
# Main application handling
3340
handle {
3441
encode zstd gzip
3542

36-
# Security headers
3743
header {
38-
# Infrastructure security
3944
Strict-Transport-Security "max-age=31536000;"
4045
X-Content-Type-Options "nosniff"
4146
X-Frame-Options "DENY"
4247
X-XSS-Protection "1; mode=block"
43-
44-
# Privacy & Permissions
4548
Referrer-Policy "strict-origin-when-cross-origin"
4649
Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
4750
X-Robots-Tag "noindex, nofollow"
48-
49-
# Fingerprint removal
5051
-Server
5152
-X-Powered-By
5253
-Last-Modified
5354
}
5455

5556
reverse_proxy localhost:8080 {
56-
header_up X-Real-IP {http.request.header.Fly-Client-IP:{remote_host}}
57-
header_up X-Forwarded-For {http.request.header.Fly-Client-IP:{remote_host}}
57+
header_up X-Real-IP {http.request.header.Fly-Client-IP}
58+
header_up X-Forwarded-For {http.request.header.Fly-Client-IP}
5859
}
5960
}
6061
}

0 commit comments

Comments
 (0)