mirror of
https://github.com/gitpod-io/gitpod.git
synced 2025-12-08 17:36:30 +00:00
122 lines
3.0 KiB
Caddyfile
122 lines
3.0 KiB
Caddyfile
{
|
|
auto_https off
|
|
admin off
|
|
servers {
|
|
# gprc service required this, see detail https://github.com/gitpod-io/gitpod/pull/11542#discussion_r937947826
|
|
# https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/app.go#L199
|
|
protocols h1 h2 h2c
|
|
}
|
|
}
|
|
|
|
# configure headers to force HTTPS and enable more strict rules for the browser
|
|
(security_headers) {
|
|
header {
|
|
# enable HSTS
|
|
Strict-Transport-Security max-age=31536000
|
|
# disable clients from sniffing the media type
|
|
X-Content-Type-Options nosniff
|
|
# Define valid parents that may embed a page
|
|
Content-Security-Policy "frame-ancestors 'self' https://*.{$GITPOD_DOMAIN} https://{$GITPOD_DOMAIN}"
|
|
# keep referrer data off of HTTP connections
|
|
Referrer-Policy no-referrer-when-downgrade
|
|
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
X-XSS-Protection "1; mode=block"
|
|
|
|
defer # delay changes
|
|
}
|
|
}
|
|
|
|
(compression) {
|
|
encode zstd gzip
|
|
}
|
|
|
|
(upstream_headers) {
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
|
|
(upstream_connection) {
|
|
lb_try_duration 1s
|
|
}
|
|
|
|
:80 {
|
|
import security_headers
|
|
header -Server
|
|
|
|
@blobserve path /blobserve/*
|
|
handle @blobserve {
|
|
import compression
|
|
|
|
uri strip_prefix /blobserve
|
|
uri replace /__files__/ / 1
|
|
|
|
header {
|
|
Access-Control-Allow-Origin *
|
|
Access-Control-Allow-Methods "GET, OPTIONS"
|
|
Cross-Origin-Resource-Policy cross-origin
|
|
Vary Origin
|
|
}
|
|
|
|
reverse_proxy blobserve.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:4000 {
|
|
import upstream_headers
|
|
import upstream_connection
|
|
}
|
|
}
|
|
|
|
root * /www
|
|
file_server {
|
|
precompressed gzip br
|
|
}
|
|
|
|
rewrite /static/bin/gitpod-local-companion-linux /static/bin/gitpod-local-companion-linux-amd64
|
|
rewrite /static/bin/gitpod-local-companion-darwin /static/bin/gitpod-local-companion-darwin-amd64
|
|
rewrite /static/bin/gitpod-local-companion-windows.exe /static/bin/gitpod-local-companion-windows-amd64.exe
|
|
rewrite /static/bin/gitpod-local-companion-linux.gz /static/bin/gitpod-local-companion-linux-amd64.gz
|
|
rewrite /static/bin/gitpod-local-companion-darwin.gz /static/bin/gitpod-local-companion-darwin-amd64.gz
|
|
rewrite /static/bin/gitpod-local-companion-windows.exe.gz /static/bin/gitpod-local-companion-windows-amd64.exe.gz
|
|
|
|
@bin_asset {
|
|
file
|
|
path /static/bin/*
|
|
}
|
|
|
|
header @bin_asset {
|
|
Content-Type application/octet-stream
|
|
Content-Disposition attachment
|
|
# static assets configure cache headers
|
|
Cache-Control "public, max-age=600"
|
|
}
|
|
|
|
@static_path {
|
|
path /code/* /image/* /static/*
|
|
}
|
|
|
|
handle @static_path {
|
|
try_files {path}
|
|
# static assets configure cache headers and do not check for changes
|
|
header {
|
|
Cache-Control "public, max-age=31536000"
|
|
Access-Control-Allow-Origin *
|
|
# remove Last-Modified header
|
|
-Last-Modified
|
|
}
|
|
}
|
|
|
|
@metrics_web {
|
|
path /metrics-api/*
|
|
}
|
|
|
|
handle @metrics_web {
|
|
reverse_proxy ide-metrics.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000
|
|
}
|
|
|
|
handle {
|
|
reverse_proxy h2c://ide-metrics.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000
|
|
}
|
|
}
|
|
|
|
# health-check
|
|
:8080 {
|
|
respond /live 200
|
|
respond /ready 200
|
|
}
|