{
	# Global options. Caddy sits behind HAProxy which passes raw TLS through on :8443.
	# ACME HTTP-01 challenges arrive on :80 via HAProxy's acl passthrough.
	http_port 80
	https_port 8443

	# HAProxy forwards connections to :8443 with a PROXY protocol v2
	# header (see haproxy.cfg `send-proxy-v2`). The proxy_protocol
	# listener wrapper strips the header and exposes the real client IP
	# to Caddy's access log. The `tls` wrapper must follow so that TLS
	# is terminated on the unwrapped connection.
	#
	# `allow` lists the networks permitted to send PROXY headers.
	# HAProxy runs in the host netns and reaches Caddy via host loopback
	# (see docker-compose.yml), so the only legitimate peer is loopback.
	#
	# NOTE(review): the loopback-only `allow` list holds only if Caddy also
	# runs in the host network namespace. If Caddy is in a bridged container,
	# HAProxy's connections arrive from the Docker bridge gateway address, not
	# 127.0.0.1, and the header would fall outside `allow` — confirm against
	# docker-compose.yml.
	# NOTE(review): what Caddy does with a PROXY header from a peer outside
	# `allow` is governed by the wrapper's fallback policy (`fallback_policy`
	# on versions that support it). Confirm it is not set to use such headers,
	# so that only loopback peers can determine the client IP recorded in the
	# access log.
	servers :8443 {
		listener_wrappers {
			proxy_protocol {
				# Presumably the maximum time to wait for the PROXY header on a
				# new connection before giving up on it — verify against the
				# Caddy version in use.
				timeout 5s
				allow 127.0.0.0/8 ::1/128
			}
			# Terminate TLS only after the PROXY header has been consumed.
			tls
		}
	}
}

# Site block: the address is taken from the DOMAIN environment variable when
# the Caddyfile is loaded; serves static files from /srv.
{$DOMAIN} {
	root * /srv
	file_server
}