From 962847fdc30ccb4318d0377bac90420de702e40c Mon Sep 17 00:00:00 2001
From: Norm
Date: Mon, 17 Jun 2024 23:12:55 -0400
Subject: [PATCH 1/2] Uncomment media subdomain settings in Caddyfile

Now that a media subdomain is strongly recommended for security reasons, there is no reason for them to be commented out by default.
---
 installation/caddy/Caddyfile | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/installation/caddy/Caddyfile b/installation/caddy/Caddyfile
index d50848207..6deee74d2 100644
--- a/installation/caddy/Caddyfile
+++ b/installation/caddy/Caddyfile
@@ -18,20 +18,18 @@ example.tld {
 # and `localhost.` resolves to [::0] on some systems: see issue #930
 reverse_proxy 127.0.0.1:4000
 
- # Uncomment if using a separate media subdomain
-#@mediaproxy path /media/* /proxy/*
-#handle @mediaproxy {
- # redir https://media.example.tld{uri} permanent
-#}
+ @mediaproxy path /media/* /proxy/*
+ handle @mediaproxy {
+ redir https://media.example.tld{uri} permanent
+ }
 }
 
-# Uncomment if using a separate media subdomain
-#media.example.tld {
-# @mediaproxy path /media/* /proxy/*
-# reverse_proxy @mediaproxy 127.0.0.1:4000 {
-# transport http {
-# response_header_timeout 10s
-# read_timeout 15s
-# }
-# }
-#}
+media.example.tld {
+ @mediaproxy path /media/* /proxy/*
+ reverse_proxy @mediaproxy 127.0.0.1:4000 {
+ transport http {
+ response_header_timeout 10s
+ read_timeout 15s
+ }
+ }
+}

From 51f09531c48427991a0b047498aec8e706797713 Mon Sep 17 00:00:00 2001
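Review bot: With the media vhost now active by default, nothing in the new lines tells an admin that `media.example.tld` must be replaced together with `example.tld`, that DNS and a certificate for that host are now needed, or that Akkoma's own media/upload base URL settings have to point at the same host; the removed "Uncomment if using a separate media subdomain" hint was the only pointer to any of that. If the application keeps emitting `example.tld` media URLs, every such request now goes through the `redir` in `example.tld` to a host that may not exist yet. Suggest a comment above `media.example.tld {` such as `# Serve uploads and proxied remote media from a dedicated host so user-supplied content stays off the main site's origin; replace media.example.tld here and in the redirect above, and point Akkoma's media base URL settings at the same host.` The `media.example.tld` block only proxies requests matching `@mediaproxy`, so anything else on that host gets Caddy's default response; that looks intentional but deserves a one-line comment as well. The `example.tld` block this hunk edits begins outside the hunk.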
From: Norm
Date: Mon, 17 Jun 2024 23:13:55 -0400
Subject: [PATCH 2/2] Disable gzip compression in Caddyfile

Currently Akkoma doesn't have any proper mitigations against BREACH, which exploits the use of HTTP compression to exfiltrate sensitive data. (see: https://akkoma.dev/AkkomaGang/akkoma/pulls/721#issuecomment-11487) To err on the side of caution, disable gzip compression for now until we can confirm that there's some sort of mitigation in place (whether that would be Heal-The-Breach on the Caddy side or any Akkoma-side mitigations).
---
 installation/caddy/Caddyfile | 2 --
 1 file changed, 2 deletions(-)

diff --git a/installation/caddy/Caddyfile b/installation/caddy/Caddyfile
index 6deee74d2..3322acc69 100644
--- a/installation/caddy/Caddyfile
+++ b/installation/caddy/Caddyfile
@@ -12,8 +12,6 @@ example.tld {
 output file /var/log/caddy/akkoma.log
 }
 
- encode gzip
-
 # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
 # and `localhost.` resolves to [::0] on some systems: see issue #930
 reverse_proxy 127.0.0.1:4000
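Review bot: Removing `encode gzip` leaves no trace in the file of why compression is off, so the next person tuning performance is likely to put it straight back; a comment where the line was, e.g. `# Response compression is deliberately not enabled: compressing responses that mix attacker-influenced input with session secrets enables BREACH-style side channels (see akkoma PR #721).`, would keep the rationale with the config rather than only in git history. The change also drops compression for static assets that carry no secrets; Caddy's `encode` directive accepts a request matcher, so a later refinement could limit compression to paths that serve only public static files instead of disabling it site-wide. Whether the application behind `reverse_proxy 127.0.0.1:4000` compresses responses itself is not visible here and would need confirming, since a proxy-side BREACH mitigation achieves nothing if the upstream still compresses. The `example.tld` block this hunk edits begins before the hunk.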