51f09531c4
Currently Akkoma doesn't have any proper mitigations against BREACH, which exploits the use of HTTP compression to exfiltrate sensitive data. (see: https://akkoma.dev/AkkomaGang/akkoma/pulls/721#issuecomment-11487) To err on the side of caution, disable gzip compression for now until we can confirm that there's some sort of mitigation in place (whether that would be Heal-The-Breach on the Caddy side or any Akkoma-side mitigations).
33 lines
1,012 B
Caddyfile
# default Caddyfile config for Akkoma
#
# Simple installation instructions:
# 1. Replace 'example.tld' with your instance's domain wherever it appears.
# 2. Copy this section into your Caddyfile and restart Caddy.

# If you are able to, it's highly recommended to have your media served via a separate subdomain for improved security.
# Uncomment the relevant sectons here and modify the base_url setting for Pleroma.Upload and :media_proxy accordingly.

example.tld {
log {
output file /var/log/caddy/akkoma.log
}

# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
reverse_proxy 127.0.0.1:4000

@mediaproxy path /media/* /proxy/*
handle @mediaproxy {
redir https://media.example.tld{uri} permanent
}
}

media.example.tld {
@mediaproxy path /media/* /proxy/*
reverse_proxy @mediaproxy 127.0.0.1:4000 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
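Review bot: the reason compression is left out (BREACH, per the commit message) is not recorded anywhere in the Caddyfile itself, so an operator copying this template has nothing telling them not to add an `encode gzip` line back into either the `example.tld` or the `media.example.tld` block; suggest a comment next to `reverse_proxy 127.0.0.1:4000` along the lines of `# do not enable response compression (encode gzip) here: see the BREACH discussion in PR #721`. Since Caddy does not compress responses unless an `encode` directive is present, the absence of that directive is itself the whole mitigation this change relies on, which is exactly why it deserves a comment. Minor: "sectons" in the header comment should read "sections".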