lightsail-tokyo/caddy: add hardening and robots.txt

This commit is contained in:
Guanran Wang 2024-05-04 16:12:36 +08:00
parent 8e7e6addaa
commit 857885567e
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
3 changed files with 110 additions and 38 deletions


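--- a/Caddyfile
+++ b/Caddyfile
@@ -0,0 +1,69 @@
+{
+# Disables HTTP/3 for Hysteria
+# https://github.com/apernet/hysteria/issues/768
+servers :443 {
+protocols h1 h2 h2c
+}
+}
+(header) {
+header {
+# https://observatory.mozilla.org/analyze/ny4.dev
+# https://infosec.mozilla.org/guidelines/web_security
+# https://caddyserver.com/docs/caddyfile/directives/header#examples
+Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+Permissions-Policy interest-Hpcohort=()
+Strict-Transport-Security max-age=31536000;
+X-Content-Type-Options nosniff
+X-Frame-Options DENY
+}
+}
+(compression) {
+encode zstd gzip
+}
+(robots) {
+handle_path /robots.txt {
+file_server * {
+root /var/www/robots/robots.txt
+}
+}
+}
+(default) {
+import header
+import compression
+import robots
+}
+www.ny4.dev {
+import default
+redir https://ny4.dev
+}
+ny4.dev {
+import default
+respond "Hello, world!"
+}
+searx.ny4.dev {
+import default
+reverse_proxy localhost:8100
+}
+pb.ny4.dev {
+import default
+reverse_proxy localhost:8200
+}
+uptime.ny4.dev {
+import default
+reverse_proxy localhost:8300
+}
+ntfy.ny4.dev {
+import default
+reverse_proxy localhost:8400
+}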
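Review bot: `Permissions-Policy interest-Hpcohort=()` in the `(header)` snippet is not a recognised feature name; the token in the Caddy example linked just above it is `interest-cohort`, so the line should read `Permissions-Policy interest-cohort=()`. Because `(default)` is imported by every site block, the CSP `default-src https: 'unsafe-eval' 'unsafe-inline'` is also attached to the proxied searx/pb/uptime/ntfy responses, and with both unsafe keywords allowed it gives little protection against injected scripts, so a comment such as `# Starting-point policy: 'unsafe-inline'/'unsafe-eval' kept for the proxied apps; tighten per site where possible` would record the intent. In `(robots)`, `root` names the file itself after `handle_path` has already stripped `/robots.txt` from the request path; `file_server` normally expects `root` to be a directory, so please confirm a request for /robots.txt really serves the file instead of a 404 — `handle /robots.txt { file_server { root /var/www/robots } }` is the conventional form.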


@ -43,46 +43,15 @@
networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
networking.firewall.allowedTCPPorts = [80 443]; # caddy
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
};
};
services.caddy = {
enable = true;
configFile = pkgs.writeText "Caddyfile" ''
{
# Disables HTTP/3 for Hysteria
# https://github.com/apernet/hysteria/issues/768
servers :443 {
protocols h1 h2 h2c
}
}
www.ny4.dev {
redir https://ny4.dev
}
ny4.dev {
encode zstd gzip
respond "Hello, world!"
}
searx.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8100
}
pb.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8200
}
uptime.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8300
}
ntfy.ny4.dev {
encode zstd gzip
reverse_proxy localhost:8400
}
'';
configFile = ./Caddyfile;
};
services.hysteria = {
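Review bot: The tmpfiles entry `"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;` uses type `C`, which systemd-tmpfiles applies only when the destination does not exist yet, so once the first copy has been made, later edits to robots.txt will not reach /var/www/robots/robots.txt on rebuild. Since `configFile = ./Caddyfile;` already hands Caddy the store path directly, the same could be done here by pointing the file_server `root` at a store directory, or by using an `L+` symlink entry, which is re-pointed on every activation. Whichever behaviour is intended deserves a comment, e.g. `# C = copy once; the file is not refreshed by later rebuilds`. The enclosing module continues past the hunk (`services.hysteria` opens on its last line).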


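--- a/robots.txt
+++ b/robots.txt
@@ -0,0 +1,34 @@
+User-agent: GPTBot
+Disallow: /
+User-agent: ChatGPT-User
+Disallow: /
+User-agent: Google-Extended
+Disallow: /
+User-agent: CCBot
+Disallow: /
+User-agent: Amazonbot
+Disallow: /
+User-agent: FacebookBot
+Disallow: /
+User-agent: anthopic-ai
+Disallow: /
+User-agent: Claude-Web
+Disallow: /
+User-agent: cohere-ai
+Disallow: /
+User-agent: Omgilibot
+Disallow: /
+User-Agent: *
+Disallow: /harming/humans
+Disallow: /ignoring/human/orders
+Disallow: /harm/to/self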
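Review bot: `User-agent: anthopic-ai` is misspelled, so that record never matches the crawler it is meant for; the token Anthropic publishes is `anthropic-ai`, and the line should read `User-agent: anthropic-ai`. The final record uses `User-Agent: *` while every other record writes `User-agent`; field names are case-insensitive in robots.txt so this is harmless, but making the spelling uniform keeps the file easier to diff and audit.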