From b180e25232ba4fd943c5eb5ff6ca0a1d70ee7e16 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Sun, 2 Jul 2023 09:05:52 +0200
Subject: Use fly proxy for TLS termination, using h2c

---
 Caddyfile | 17 +++++++++++++++--
 Dockerfile | 13 +++++++++++--
 fly.toml | 34 +++++++++++++++-------------------
 3 files changed, 41 insertions(+), 23 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 576a1d0..a53abba 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,16 +1,26 @@
 {
 admin off
 persist_config off
- http_port 8080
+ auto_https disable_redirects
+ acme_ca https://acme.zerossl.com/v2/DV90
+ storage redis {
+ }
+ servers :80 {
+ protocols h1 h2c
+ trusted_proxies static private_ranges
+ }
 }
 
 :9091 {
 metrics
 }
 
+http://,
+http://alanpearce.uk,
+http://www.alanpearce.uk,
 http://www.alanpearce.eu {
 header Cache-Control max-age=31536000
- redir https://alanpearce.eu{uri}
+ redir https://alanpearce.eu{uri} permanent
 }
 
 http://alanpearce.eu {
@@ -37,4 +47,7 @@ http://alanpearce.eu {
 respond /favicon.ico 204
 redir /index.xml /atom.xml
 redir /post/index.xml /atom.xml
+
+ @http header X-Forwarded-Proto http
+ redir @http https://alanpearce.eu{uri}
 }
diff --git a/Dockerfile b/Dockerfile
index bf01304..ca10c88 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,18 @@
-FROM docker.io/caddy:2-alpine
+ARG VERSION=2.6
+ARG VARIANT=alpine
+
+FROM docker.io/caddy:${VERSION}-builder-${VARIANT} AS builder
+
+RUN xcaddy build \
+ --with github.com/gamalan/caddy-tlsredis
+
+FROM docker.io/caddy:${VERSION}-${VARIANT}
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
 
 COPY Caddyfile /etc/caddy/
 COPY public /srv
 
 EXPOSE 9091/tcp
-EXPOSE 8080/tcp
 
 ENV SITE_ROOT=/srv
diff --git a/fly.toml b/fly.toml
index e6363d2..1bc1440 100644
--- a/fly.toml
+++ b/fly.toml
@@ -1,5 +1,3 @@
-# fly.toml file generated for alanpearce-eu on 2023-06-30T19:28:33+02:00
-
 app = "alanpearce-eu"
 kill_signal = "SIGINT"
 kill_timeout = 5
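Review bot: `trusted_proxies static private_ranges` in the new `servers :80` block makes Caddy believe `X-Forwarded-*` headers from every RFC 1918, ULA and loopback source, not just the Fly proxy; on Fly that presumably includes any other machine on the organisation's private network, which could then spoof `X-Forwarded-For` in logs and `X-Forwarded-Proto`, the header this file's HTTPS redirect now keys off. If Fly documents a fixed source range for its proxy, prefer `trusted_proxies static <that range>`; otherwise a comment recording that the wider trust is deliberate would help the next reader. Separately, every site address in this file is now `http://`, so Caddy should not be obtaining certificates at all, which makes `acme_ca` and the empty `storage redis { }` block look unused; if that is the case they (and the plugin that provides the Redis storage) can be dropped, and if it is not, a comment should say what that store is for, since it would hold ACME account and certificate private keys.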
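Review bot: The new `@http` redirect uses Caddy's default temporary (302) redirect, while the `www`/`.uk` redirect higher in the same file was just made `permanent`; a browser will therefore retry plaintext for this host on every visit, and nothing in this site block sets HSTS now that TLS is terminated in front of Caddy. Consider `redir @http https://alanpearce.eu{uri} permanent`, and for responses that did arrive over TLS something like `@https header X-Forwarded-Proto https` / `header @https Strict-Transport-Security "max-age=31536000"` (add `includeSubDomains` only once every subdomain is served over TLS). Note that the matcher fires only when the header is exactly `http`, so a request reaching port 80 with no such header — presumably the TLS-terminated path, or a direct connection from the private network — is served without redirect; a comment stating that this is the intended split would help. The `http://alanpearce.eu` site block starts outside this hunk.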
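Review bot: `--with github.com/gamalan/caddy-tlsredis` carries no version, so every image build resolves whatever that module's latest tag is at build time and compiles it straight into the served binary; pin it, e.g. `--with github.com/gamalan/caddy-tlsredis@<tag or commit>`, and consider pinning both `FROM` lines by digest rather than the moving `2.6` minor so the build is reproducible. The `EXPOSE 8080/tcp` line is removed but no `EXPOSE 80/tcp` replaces it, so the port the image now serves on is undocumented. There is also no `USER` instruction, so unless the base image switches users Caddy runs as root; moving to a non-root user on port 80 would need `cap_net_bind_service` on the binary or a port above 1024, and a comment recording whichever choice is made would help.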
@@ -10,22 +8,20 @@ primary_region = "ams"
 path = "/metrics"
 
 [env]
+ CADDY_CLUSTERING_REDIS_HOST = "fly-caddy-storage.upstash.io"
 SITE_ROOT = "/srv"
 
-[http_service]
- internal_port = 8080
- force_https = true
- auto_stop_machines = true
- auto_start_machines = true
- min_machines_running = 1
- [http_service.concurrency]
- type = "requests"
- soft_limit = 2000
- hard_limit = 2500
- [[http_service.checks]]
- grace_period = "10s"
- interval = "30s"
- method = "GET"
- timeout = "5s"
- path = "/"
-
+[[services]]
+ internal_port = 80
+ protocol = "tcp"
+ [services.concurrency]
+ type = "connections"
+ hard_limit = 25
+ soft_limit = 20
+ [[services.ports]]
+ handlers = ["http"]
+ port = 80
+ [[services.ports]]
+ handlers = ["tls"]
+ port = "443"
+ tls_options = { "alpn" = ["h2"] }
-- 
cgit 1.4.1
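Review bot: The removed `[[http_service.checks]]` HTTP check has no counterpart in the new `[[services]]` block, so as far as this hunk shows Fly will route traffic to a machine as soon as port 80 accepts connections, whether or not Caddy is actually serving; add a check under the new services table (an HTTP check against `/` on port 80 would mirror the old one) unless a top-level checks table exists outside this hunk. Dropping `force_https = true` moves the HTTPS redirect from the edge into Caddy's `X-Forwarded-Proto` matcher, which presumably only works because the port-80 `handlers = ["http"]` entry injects that header while the port-443 `["tls"]` entry forwards the decrypted stream untouched; a comment beside the two `[[services.ports]]` entries explaining that split would save the next reader a trip to the Fly docs. `tls_options = { "alpn" = ["h2"] }` also advertises only HTTP/2; if the proxy rejects handshakes with no ALPN match, HTTP/1.1-only clients are locked out, so `["h2", "http/1.1"]` may be the safer list given Caddy's `servers :80` already accepts `h1`.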