
Code for my website

Use the Fly proxy for TLS termination, with h2c

Alan Pearce
commit

b1d7005b034ac62dc850377155520a68a018e24e

parent

bc2a5e5e1fbdfb33f37e9f1f5ee1bd78d78eac9b

3 files changed, 41 insertions(+), 23 deletions(-)

M CaddyfileCaddyfile
@@ -1,16 +1,26 @@
{ admin off persist_config off - http_port 8080 + auto_https disable_redirects + acme_ca https://acme.zerossl.com/v2/DV90 + storage redis { + } + servers :80 { + protocols h1 h2c + trusted_proxies static private_ranges + } } :9091 { metrics } +http://, +http://alanpearce.uk, +http://www.alanpearce.uk, http://www.alanpearce.eu { header Cache-Control max-age=31536000 - redir https://alanpearce.eu{uri} + redir https://alanpearce.eu{uri} permanent } http://alanpearce.eu {
@@ -37,4 +47,7 @@ error /feed-styles/index.html* 404
respond /favicon.ico 204 redir /index.xml /atom.xml redir /post/index.xml /atom.xml + + @http header X-Forwarded-Proto http + redir @http https://alanpearce.eu{uri} }
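Review bot: The plaintext-to-HTTPS redirect for `http://alanpearce.eu` now rests entirely on the `@http header X-Forwarded-Proto http` matcher in the second hunk, since the first hunk sets `auto_https disable_redirects` and the same commit drops `force_https` from fly.toml; a request that reaches `:80` without that header (anything not routed through the Fly `http` handler) is served in plaintext, which is worth a comment above the matcher, e.g. `# HTTPS redirect depends on the proxy setting X-Forwarded-Proto; Caddy's own redirects are disabled in the global block`. Note that `trusted_proxies static private_ranges` does not gate the `header` matcher — as far as I know it only affects client-IP resolution — so the matcher acts on whatever header value arrives. The global block also sets `acme_ca` and an empty `storage redis { }`, yet every site block visible here is `http://`; if nothing actually gets issued, the Redis dependency and the private keys it would hold are dead weight, so either document which names are meant to get certificates or drop the two directives. The `http://alanpearce.eu` block that the second hunk sits in starts outside the hunk.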
M DockerfileDockerfile
@@ -1,9 +1,18 @@
-FROM docker.io/caddy:2-alpine +ARG VERSION=2.6 +ARG VARIANT=alpine + +FROM docker.io/caddy:${VERSION}-builder-${VARIANT} AS builder + +RUN xcaddy build \ + --with github.com/gamalan/caddy-tlsredis + +FROM docker.io/caddy:${VERSION}-${VARIANT} + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy COPY Caddyfile /etc/caddy/ COPY public /srv EXPOSE 9091/tcp -EXPOSE 8080/tcp ENV SITE_ROOT=/srv
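Review bot: `RUN xcaddy build --with github.com/gamalan/caddy-tlsredis` pulls whatever the module's latest version is at build time, so two builds of the same commit can ship different plugin code (and that plugin handles the TLS private keys); pin it with `--with github.com/gamalan/caddy-tlsredis@<PLUGIN_VERSION>` and, ideally, pin the two `caddy:${VERSION}-…` base images by digest rather than the floating `2.6` minor tag. `EXPOSE 8080/tcp` is removed but nothing replaces it even though Caddy now listens on `:80` per the Caddyfile; add `EXPOSE 80/tcp` next to `EXPOSE 9091/tcp` so the image documents its listeners.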
M fly.tomlfly.toml
@@ -1,5 +1,3 @@
-# fly.toml file generated for alanpearce-eu on 2023-06-30T19:28:33+02:00 - app = "alanpearce-eu" kill_signal = "SIGINT" kill_timeout = 5
@@ -10,22 +8,20 @@ port = 9091
path = "/metrics" [env] + CADDY_CLUSTERING_REDIS_HOST = "fly-caddy-storage.upstash.io" SITE_ROOT = "/srv" -[http_service] - internal_port = 8080 - force_https = true - auto_stop_machines = true - auto_start_machines = true - min_machines_running = 1 - [http_service.concurrency] - type = "requests" - soft_limit = 2000 - hard_limit = 2500 - [[http_service.checks]] - grace_period = "10s" - interval = "30s" - method = "GET" - timeout = "5s" - path = "/" - +[[services]] + internal_port = 80 + protocol = "tcp" + [services.concurrency] + type = "connections" + hard_limit = 25 + soft_limit = 20 + [[services.ports]] + handlers = ["http"] + port = 80 + [[services.ports]] + handlers = ["tls"] + port = "443" + tls_options = { "alpn" = ["h2"] }
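Review bot: The removed `[[http_service.checks]]` block has no counterpart under the new `[[services]]`, so the app loses its health check entirely; add a `[[services.http_checks]]` (or at least `[[services.tcp_checks]]`) section mirroring the old `grace_period`/`interval`/`timeout`/`path` values. The `443` listener uses only the `tls` handler, so — if I read Fly's handlers correctly — the proxy will not inject `X-Forwarded-Proto` on that traffic and Caddy will not see the real client IP; that is consistent with the Caddyfile's `@http` matcher, but a one-line comment stating it would save the next reader a trip to the docs. `port = "443"` is a string while `port = 80` is an integer two lines above; use `port = 443` for consistency. The concurrency limits drop from 2500 requests to 25 connections, which may be intentional for h2 multiplexing but is a large change worth a comment.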