The value of the header was set to the IP address of a machine inside GCP rather than the actual client IP address. To ensure that the header contains the actual client IP address, this header is now set at the GCP load balancer.
Caddyfile
{
	# Disable the admin API so this instance exposes no runtime configuration endpoint.
	admin off

	# No automatic certificate management and no automatic HTTP->HTTPS redirects;
	# the site blocks in this file listen in plaintext.
	# NOTE(review): presumably TLS is terminated by a component in front of this proxy - confirm.
	auto_https off

	servers {
		# The gRPC service needs this protocol list; background in
		# https://github.com/gitpod-io/gitpod/pull/11542#discussion_r937947826
		# https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/app.go#L199
		# NOTE(review): h2c is cleartext HTTP/2. Confirm that only the trusted front end
		# can reach these listeners, since nothing here authenticates the peer.
		protocols h1 h2 h2c
	}
}
# Snippet: response headers that force HTTPS and tighten browser behaviour.
(security_headers) {
	header {
		# Restrict which parents may embed a page: same origin, the Gitpod domain and its subdomains.
		# NOTE(review): the policy is built from {$GITPOD_DOMAIN}; confirm the variable is always
		# set at deploy time, otherwise the source list is malformed.
		Content-Security-Policy "frame-ancestors 'self' https://*.{$GITPOD_DOMAIN} https://{$GITPOD_DOMAIN}"

		# HSTS for one year.
		# NOTE(review): browsers honour HSTS only on HTTPS responses, so this relies on TLS being
		# terminated in front of this listener. includeSubDomains is not set, so subdomains are
		# covered only if they send the header themselves - confirm that is intended.
		Strict-Transport-Security "max-age=31536000"

		# Stop clients from sniffing the media type.
		X-Content-Type-Options "nosniff"

		# Keep referrer data off of HTTP connections.
		# NOTE(review): this value still sends the full URL to cross-origin HTTPS destinations;
		# strict-origin-when-cross-origin would limit that to the origin - consider it if URLs
		# can carry sensitive path or query data.
		Referrer-Policy "no-referrer-when-downgrade"

		# Ask the browser's XSS filter to block detected attacks.
		# NOTE(review): this header is deprecated and ignored by current browsers; current
		# guidance (OWASP, MDN) is to send "0" or drop it and rely on Content-Security-Policy.
		# Left unchanged here - revisit.
		X-XSS-Protection "1; mode=block"

		# Apply these header changes late, when the response is written.
		defer
	}
}
# Snippet: compress responses with zstd or gzip.
(compression) {
	encode zstd gzip
}
# Snippet: shared reverse_proxy settings. Keep retrying an upstream for up to one second
# before the request fails.
(upstream_connection) {
	lb_try_duration 1s
}
# Main plaintext listener: static assets from /www, blobserve, and the ide-metrics upstream.
:80 {
	import security_headers

	# Do not advertise the server software.
	header -Server

	# --- blobserve -----------------------------------------------------------
	@blobserve {
		path /blobserve/*
	}
	handle @blobserve {
		import compression

		# Drop the routing prefix, then collapse the first /__files__/ segment to /.
		uri strip_prefix /blobserve
		uri replace /__files__/ / 1

		# Readable from any origin, for GET/OPTIONS.
		# NOTE(review): a wildcard origin is only appropriate while everything served here is
		# public and never varies by cookie or credential - confirm for blobserve content.
		header {
			Access-Control-Allow-Origin *
			Access-Control-Allow-Methods "GET, OPTIONS"
			Cross-Origin-Resource-Policy cross-origin
			Vary Origin
		}

		reverse_proxy blobserve.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:4000 {
			import upstream_connection
		}
	}

	# --- static files --------------------------------------------------------
	root * /www
	file_server {
		# Serve pre-built .gz / .br siblings when the client accepts them.
		precompressed gzip br
	}

	# Architecture-less local-companion download names resolve to the amd64 builds.
	rewrite /static/bin/gitpod-local-companion-linux /static/bin/gitpod-local-companion-linux-amd64
	rewrite /static/bin/gitpod-local-companion-darwin /static/bin/gitpod-local-companion-darwin-amd64
	rewrite /static/bin/gitpod-local-companion-windows.exe /static/bin/gitpod-local-companion-windows-amd64.exe
	rewrite /static/bin/gitpod-local-companion-linux.gz /static/bin/gitpod-local-companion-linux-amd64.gz
	rewrite /static/bin/gitpod-local-companion-darwin.gz /static/bin/gitpod-local-companion-darwin-amd64.gz
	rewrite /static/bin/gitpod-local-companion-windows.exe.gz /static/bin/gitpod-local-companion-windows-amd64.exe.gz

	# Files that exist on disk under /static/bin/ are sent as downloads, never rendered inline.
	@bin_asset {
		file
		path /static/bin/*
	}
	header @bin_asset {
		Content-Type application/octet-stream
		Content-Disposition attachment
		# Cache binaries for ten minutes.
		Cache-Control "public, max-age=600"
	}

	# Long-lived static assets: cached for a year, no revalidation via Last-Modified.
	@static_path path /code/* /image/* /static/*
	handle @static_path {
		try_files {path}
		header {
			Cache-Control "public, max-age=31536000"
			# NOTE(review): wildcard CORS - confirm nothing non-public lives under these paths.
			Access-Control-Allow-Origin *
			-Last-Modified
		}
	}

	# --- ide-metrics ---------------------------------------------------------
	# /metrics-api/* is forwarded to ide-metrics without the h2c scheme used by the catch-all.
	# NOTE(review): no authentication or rate limiting is visible in this file for either
	# route; presumably enforced upstream or inside ide-metrics - confirm.
	@metrics_web path /metrics-api/*
	handle @metrics_web {
		reverse_proxy ide-metrics.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000
	}

	# Everything not matched by an earlier handle goes to the same upstream over cleartext HTTP/2.
	handle {
		reverse_proxy h2c://ide-metrics.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000
	}
}
# Health-check listener: /live and /ready always answer 200.
# NOTE(review): both probes are unconditional, so they report only that this process is up,
# not that the upstreams it proxies to are reachable.
:8080 {
	@probe path /live /ready
	respond @probe 200
}