lightsail-tokyo/caddy: add hardening and robots.txt
This commit is contained in:
parent
8e7e6addaa
commit
857885567e
3 changed files with 110 additions and 38 deletions
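--- /dev/null
+++ b/hosts/lightsail-tokyo/Caddyfile
@@ -0,0 +1,69 @@
+{
+# Disables HTTP/3 for Hysteria
+# https://github.com/apernet/hysteria/issues/768
+servers :443 {
+protocols h1 h2 h2c
+}
+}
+
+(header) {
+header {
+# https://observatory.mozilla.org/analyze/ny4.dev
+# https://infosec.mozilla.org/guidelines/web_security
+# https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+Permissions-Policy interest-Hpcohort=()
+Strict-Transport-Security max-age=31536000;
+X-Content-Type-Options nosniff
+X-Frame-Options DENY
+}
+}
+
+(compression) {
+encode zstd gzip
+}
+
+(robots) {
+handle_path /robots.txt {
+file_server * {
+root /var/www/robots/robots.txt
+}
+}
+}
+
+(default) {
+import header
+import compression
+import robots
+}
+
+www.ny4.dev {
+import default
+redir https://ny4.dev
+}
+
+ny4.dev {
+import default
+respond "Hello, world!"
+}
+
+searx.ny4.dev {
+import default
+reverse_proxy localhost:8100
+}
+
+pb.ny4.dev {
+import default
+reverse_proxy localhost:8200
+}
+
+uptime.ny4.dev {
+import default
+reverse_proxy localhost:8300
+}
+
+ntfy.ny4.dev {
+import default
+reverse_proxy localhost:8400
+}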
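Review bot: The value on the `Permissions-Policy interest-Hpcohort=()` line is not a recognised feature name, so as written the header opts out of nothing; unless this is a rendering artefact of the page it should read `Permissions-Policy interest-cohort=()`, which is the FLoC opt-out the linked Mozilla and Caddy examples use. In the `(robots)` snippet `root` is pointed at a regular file rather than a directory, which leans on how `file_server` resolves a root that is itself a file after `handle_path` has stripped the request path to `/`; the conventional form is a `handle /robots.txt` block containing `root * /var/www/robots` and `file_server`, with no path stripping needed. Since every `*.ny4.dev` site imports the same `header` snippet, `Strict-Transport-Security "max-age=31536000; includeSubDomains"` would pin HSTS for the subdomains consistently rather than per host. The CSP copied from the Caddy docs still allows `'unsafe-inline'` and `'unsafe-eval'` from any https origin, so it is a baseline rather than a real script-injection control; tightening it per site would be a sensible follow-up.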
@ -43,46 +43,15 @@
networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
networking.firewall.allowedTCPPorts = [80 443]; # caddy
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
};
};
services.caddy = {
enable = true;
configFile = pkgs.writeText "Caddyfile" ''
{
# Disables HTTP/3 for Hysteria
# https://github.com/apernet/hysteria/issues/768
servers :443 {
protocols h1 h2 h2c
}
}
www.ny4.dev {
redir https://ny4.dev
}
ny4.dev {
encode zstd gzip
respond "Hello, world!"
}
searx.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8100
}
pb.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8200
}
uptime.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8300
}
ntfy.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8400
}
'';
configFile = ./Caddyfile;
};
services.hysteria = {
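--- /dev/null
+++ b/hosts/lightsail-tokyo/robots.txt
@@ -0,0 +1,34 @@
+User-agent: GPTBot
+Disallow: /
+
+User-agent: ChatGPT-User
+Disallow: /
+
+User-agent: Google-Extended
+Disallow: /
+
+User-agent: CCBot
+Disallow: /
+
+User-agent: Amazonbot
+Disallow: /
+
+User-agent: FacebookBot
+Disallow: /
+
+User-agent: anthopic-ai
+Disallow: /
+
+User-agent: Claude-Web
+Disallow: /
+
+User-agent: cohere-ai
+Disallow: /
+
+User-agent: Omgilibot
+Disallow: /
+
+User-Agent: *
+Disallow: /harming/humans
+Disallow: /ignoring/human/orders
+Disallow: /harm/to/self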
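Review bot: The `User-agent: anthopic-ai` record is misspelled, so it will never match the crawler it is meant to block; it should read `User-agent: anthropic-ai`, matching the spelling used for the other vendor tokens in this file. Worth a one-line comment at the top such as `# Advisory only: robots.txt blocks cooperating crawlers; anything that ignores it needs a User-Agent match and respond 403 in the Caddyfile`, since the file is served by the new `(robots)` snippet and offers no enforcement on its own.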