feat: add recommended Caddyfile and update usage guide for production configuration

2026-03-02 22:06:27 -06:00
parent 3c86890983
commit 96214654d0
5 changed files with 168 additions and 12 deletions
--- a/setup/nginx-to-caddy/Caddyfile.recommended
+++ b/setup/nginx-to-caddy/Caddyfile.recommended
@@ -0,0 +1,130 @@
+# Recommended Caddy baseline for the current homelab reverse-proxy estate.
+# Source upstreams were derived from setup/nginx-to-caddy/oldconfig/*.conf.
+#
+# If your public suffix changes (for example sintheus.com -> privacyindesign.com),
+# update the hostnames below before deployment.
+{
+	# DNS-01 certificates through Cloudflare.
+	# Requires CF_API_TOKEN in Caddy runtime environment.
+	acme_dns cloudflare {env.CF_API_TOKEN}
+
+	# Trust private-range proxy hops in LAN environments.
+	servers {
+		trusted_proxies static private_ranges
+		protocols h1 h2 h3
+	}
+}
+
+(common_security) {
+	encode zstd gzip
+
+	header {
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "SAMEORIGIN"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		-Server
+	}
+}
+
+(proxy_headers) {
+	# Keep Nginx parity for backends that consume Host and X-Real-IP.
+	header_up Host {host}
+	header_up X-Real-IP {remote_host}
+}
+
+(proxy_streaming) {
+	import proxy_headers
+	# Flush immediately for streaming/log-tail/websocket-heavy UIs.
+	flush_interval -1
+}
+
+ai.sintheus.com {
+	import common_security
+
+	request_body {
+		max_size 50MB
+	}
+
+	reverse_proxy http://192.168.1.82:8181 {
+		import proxy_streaming
+	}
+}
+
+photos.sintheus.com {
+	import common_security
+
+	request_body {
+		max_size 50GB
+	}
+
+	reverse_proxy http://192.168.1.222:2283 {
+		import proxy_headers
+	}
+}
+
+fin.sintheus.com {
+	import common_security
+
+	reverse_proxy http://192.168.1.233:8096 {
+		import proxy_streaming
+	}
+}
+
+disk.sintheus.com {
+	import common_security
+
+	request_body {
+		max_size 20GB
+	}
+
+	reverse_proxy http://192.168.1.52:80 {
+		import proxy_headers
+	}
+}
+
+pi.sintheus.com {
+	import common_security
+
+	reverse_proxy http://192.168.1.4:80 {
+		import proxy_headers
+	}
+}
+
+plex.sintheus.com {
+	import common_security
+
+	reverse_proxy http://192.168.1.111:32400 {
+		import proxy_streaming
+	}
+}
+
+sync.sintheus.com {
+	import common_security
+
+	reverse_proxy http://192.168.1.119:8384 {
+		import proxy_headers
+	}
+}
+
+syno.sintheus.com {
+	import common_security
+
+	reverse_proxy https://100.108.182.16:5001 {
+		import proxy_headers
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+
+tower.sintheus.com {
+	import common_security
+
+	reverse_proxy https://192.168.1.82:443 {
+		import proxy_headers
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}