Caddyfile
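# Site block for flompt.dev.
#
# Routing: static sites (blog, app SPA, landing) are served from disk, /api,
# /health, /stars-svg and /mcp go to the local FastAPI backend on
# 127.0.0.1:8000, and /docs is reverse-proxied to GitBook.
#
# Caddy applies its own directive order inside a site block: the top-level
# `header` directives below run before any `handle` block, regardless of where
# they appear in this file.
flompt.dev {
	# Enable compression
	encode gzip zstd

	# ── Blog (static export) ─────────────────────────────────────
	# handle_path strips the /blog prefix before the file lookup.
	handle_path /blog* {
		root * /projects/flompt/blog/out
		try_files {path} {path}.html {path}/index.html /index.html
		file_server
	}

	# ── API routes → FastAPI backend (matched FIRST) ─────────────
	# NOTE(review): no authentication or rate limiting happens at the proxy;
	# whatever access control these endpoints need has to be enforced by the
	# backend — confirm, in particular for /health.
	handle /api/* {
		reverse_proxy 127.0.0.1:8000
	}

	handle /health {
		reverse_proxy 127.0.0.1:8000
	}

	handle /stars-svg {
		reverse_proxy 127.0.0.1:8000
	}

	# ── MCP Server → FastAPI backend (streamable HTTP) ────────────
	# Endpoint : POST https://flompt.dev/mcp/
	# Claude Code config : { "mcpServers": { "flompt": { "type": "http", "url": "https://flompt.dev/mcp/" } } }
	# flush_interval -1 = streaming without buffering (required for SSE/streamable HTTP)
	# NOTE(review): the endpoint is reachable from the internet without any
	# check at this layer; verify that the backend authenticates and bounds
	# MCP requests.
	handle /mcp/* {
		header X-Robots-Tag "noindex, nofollow"
		reverse_proxy 127.0.0.1:8000 {
			flush_interval -1
		}
	}

	# Redirect /mcp → /mcp/ to avoid upstream 307s
	handle /mcp {
		redir /mcp/ 308
	}

	# ── Docs → GitBook ───────────────────────────────────────────
	# handle_path strips /docs and the rewrite puts it back, so GitBook sees
	# the original /docs... path.
	# NOTE(review): GitBook's responses are served under the flompt.dev origin
	# and are excluded from the CSP / X-Frame-Options / nosniff block below
	# (@notdocs). Any script GitBook delivers therefore runs same-origin with
	# /app and the API. Serving docs from a separate hostname would isolate it.
	handle_path /docs* {
		rewrite * /docs{path}
		reverse_proxy https://hamzas-organization-18.gitbook.io {
			header_up Host hamzas-organization-18.gitbook.io
			header_up X-Forwarded-Host flompt.dev
		}
	}

	# ── App SPA → /app ───────────────────────────────────────────
	handle_path /app* {
		root * /projects/flompt/app/dist
		try_files {path} {path}/index.html /index.html
		file_server {
			precompressed gzip
		}
	}

	# ── Landing page (catch-all) ─────────────────────────────────
	handle {
		root * /projects/flompt/landing
		try_files {path} {path}.html {path}/index.html /index.html
		file_server
	}

	# ── Security headers (all routes except /docs* and /app*) ───────
	# /app* is handled separately to allow framing by the extension.
	# The path patterns are prefix globs: /docs* and /app* also match paths
	# such as /docs-old or /apple, which then skip this block.
	#
	# Changes from the previous revision:
	#  - X-XSS-Protection is now "0". The legacy XSS auditor is gone from
	#    current browsers, and in old ones "1; mode=block" has itself been a
	#    source of cross-site leaks; the CSP is the actual control.
	#  - frame-ancestors 'none' added to the CSP as the standards-track
	#    equivalent of X-Frame-Options DENY (kept for older browsers).
	#
	# NOTE(review): script-src still allows 'unsafe-inline', which removes most
	# of the CSP's protection against injected scripts; nonces or hashes would
	# be needed to drop it. base-uri and form-action do not inherit from
	# default-src and are currently unrestricted.
	@notdocs not path /docs* /app*
	header @notdocs {
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		X-XSS-Protection "0"
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://eu-assets.i.posthog.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://www.google-analytics.com https://stats.g.doubleclick.net https://avatars.githubusercontent.com; connect-src 'self' https://flompt.dev https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://analytics.google.com https://stats.g.doubleclick.net https://region1.google-analytics.com; frame-src https://demo.arcade.software; frame-ancestors 'none';"
	}

	# ── Security headers for /app* — framing allowed from extensions ──
	# No X-Frame-Options here: it cannot express an allow-list, so framing is
	# governed by frame-ancestors alone.
	# NOTE(review): `chrome-extension:` is a scheme source and admits every
	# installed extension, not only the project's own. If the extension ID is
	# stable, pinning chrome-extension://<EXTENSION_ID> would narrow this.
	# The listed chat sites can also frame /app, so the app should not expose
	# one-click sensitive actions without its own clickjacking safeguards.
	@app path /app*
	header @app {
		X-Content-Type-Options nosniff
		X-XSS-Protection "0"
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://eu-assets.i.posthog.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://www.google-analytics.com https://stats.g.doubleclick.net https://avatars.githubusercontent.com; connect-src 'self' https://flompt.dev https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://analytics.google.com https://stats.g.doubleclick.net https://region1.google-analytics.com; frame-ancestors https://chatgpt.com https://chat.openai.com https://claude.ai https://gemini.google.com chrome-extension:;"
	}

	# ── HSTS global (all routes) ───────────────────────────────
	# includeSubDomains + preload commits every subdomain of flompt.dev to
	# HTTPS for a year and is slow to undo once the domain is on the browser
	# preload list; make sure no subdomain still needs plain HTTP.
	header {
		Referrer-Policy strict-origin-when-cross-origin
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# ── Cache: static assets with hashed names → long cache ──────
	@static path /app/assets/*
	header @static Cache-Control "public, max-age=31536000, immutable"

	# ── Cache: images/favicons → 1 week ──────────────────────────
	@images path *.png *.svg *.ico *.webp
	header @images Cache-Control "public, max-age=604800"

	# ── Cache: webmanifest & sitemap → 1 day ─────────────────────
	@meta path /site.webmanifest /sitemap.xml /robots.txt
	header @meta Cache-Control "public, max-age=86400"

	# ── Cache: HTML → no-cache (always revalidate) ───────────────
	# Only the landing pages listed here are covered; the /app and /blog HTML
	# shells get no explicit Cache-Control from this file.
	@html path /index.html / /privacy /privacy.html /terms /terms.html /about /about.html
	header @html Cache-Control "no-cache, must-revalidate"
}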