Norm
51f09531c4
Currently Akkoma doesn't have any proper mitigations against BREACH, which exploits the use of HTTP compression to exfiltrate sensitive data. (see: #721 (comment)) To err on the side of caution, disable gzip compression for now until we can confirm that there's some sort of mitigation in place (whether that would be Heal-The-Breach on the Caddy side or any Akkoma-side mitigations).
33 lines
1,012 B
Caddyfile
33 lines
1,012 B
Caddyfile
# default Caddyfile config for Akkoma
|
|
#
|
|
# Simple installation instructions:
|
|
# 1. Replace 'example.tld' with your instance's domain wherever it appears.
|
|
# 2. Copy this section into your Caddyfile and restart Caddy.
|
|
|
|
# If you are able to, it's highly recommended to have your media served via a separate subdomain for improved security.
|
|
# Uncomment the relevant sectons here and modify the base_url setting for Pleroma.Upload and :media_proxy accordingly.
|
|
|
|
example.tld {
|
|
log {
|
|
output file /var/log/caddy/akkoma.log
|
|
}
|
|
|
|
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
|
|
# and `localhost.` resolves to [::0] on some systems: see issue #930
|
|
reverse_proxy 127.0.0.1:4000
|
|
|
|
@mediaproxy path /media/* /proxy/*
|
|
handle @mediaproxy {
|
|
redir https://media.example.tld{uri} permanent
|
|
}
|
|
}
|
|
|
|
media.example.tld {
|
|
@mediaproxy path /media/* /proxy/*
|
|
reverse_proxy @mediaproxy 127.0.0.1:4000 {
|
|
transport http {
|
|
response_header_timeout 10s
|
|
read_timeout 15s
|
|
}
|
|
}
|
|
}
|