Configuring Basic Secure Caddy Reverse Proxy

Preface

An example of a secure Caddy reverse-proxy configuration.

Prerequisite

  • Caddy server has been installed properly;
  • Caddy server is able to reach the app you want to put behind the reverse proxy.

Procedure

{
email [email protected]
}

(static) {
  @static {
    path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2 *.json
  }
  header @static cache-control max-age=5184000
}

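(security) {
  header {
    # includeSubDomains forces HTTPS on every subdomain; preload only takes
    # effect once the domain is submitted to the browser preload list
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    # Legacy header: current Chrome, Edge and Firefox ignore it
    X-XSS-Protection "1; mode=block"
    Referrer-Policy "no-referrer-when-downgrade"
    # Remove headers that disclose the server software
    -Server
    -X-Powered-By
  }
}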

app.ndkprd.com {

  # Imported configuration
  import security
  import static

  # TLS Configurations
  tls /etc/ssl/certificate.crt /etc/ssl/certificate.key

  # Server Configurations
  reverse_proxy 127.0.0.1:80

  # Compression configuration
  encode gzip
}
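
A check for the configuration above, as an added example that is not part of the original page: this Python script audits a response's headers against the values in the (security) snippet and reports whether Content-Security-Policy is present. The sample header sets are constructed, and the script name audit_headers.py is hypothetical.

```python
import sys
import urllib.request

# Expected values, copied from the (security) snippet on this page.
EXACT = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
STRIPPED = ("Server", "X-Powered-By")  # removed via -Server / -X-Powered-By
MIN_HSTS_AGE = 31536000                # max-age used in the snippet

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD = {**EXACT, "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_BAD = {"Server": "nginx", "X-Powered-By": "PHP", "Strict-Transport-Security": "max-age=300"}


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXACT.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    # HSTS is a ';'-separated directive list with case-insensitive names.
    parts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    age = next((p.split("=", 1)[1].strip('"') for p in parts if p.startswith("max-age=")), "")
    if not age.isdigit() or int(age) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security: max-age missing or too short")
    if "includesubdomains" not in parts:
        findings.append("Strict-Transport-Security: includeSubDomains missing")
    for name in STRIPPED:
        if name.lower() in h:
            findings.append(f"{name}: still exposed ({h[name.lower()]!r})")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy: missing")
    return findings


if __name__ == "__main__":
    samples = {"SAMPLE_GOOD": SAMPLE_GOOD, "SAMPLE_BAD": SAMPLE_BAD}
    if len(sys.argv) > 1:  # audit a live site instead: python audit_headers.py <url>
        with urllib.request.urlopen(sys.argv[1]) as resp:
            samples = {sys.argv[1]: dict(resp.headers.items())}
    for label, hdrs in samples.items():
        print(label, audit(hdrs) or ["all checks passed"])
```

Run without arguments it audits the two constructed samples; for headers matching the page's configuration, the only finding is the missing Content-Security-Policy.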

Conclusion

This is probably more than enough to close common web vulnerabilities. A Content-Security-Policy header is probably still needed, though.
