| 123456789101112131415161718192021222324252627282930 |
- {
- # Caddy sits behind HAProxy which passes raw TLS through on :8443.
- # ACME HTTP-01 challenges arrive on :80 via HAProxy's acl passthrough.
- http_port 80
- https_port 8443
-
- # HAProxy forwards connections to :8443 with a PROXY protocol v2
- # header (see haproxy.cfg `send-proxy-v2`). The proxy_protocol
- # listener wrapper strips the header and exposes the real client IP
- # to Caddy's access log. The `tls` wrapper must follow so that TLS
- # is terminated on the unwrapped connection.
- #
- # `allow` lists the networks permitted to send PROXY headers. These
- # ranges cover docker compose's default bridge networks; tighten
- # them if you pin a specific subnet in docker-compose.yml.
- servers :8443 {
- listener_wrappers {
- proxy_protocol {
- timeout 5s
- allow 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
- }
- tls
- }
- }
- }
-
- {$DOMAIN} {
- root * /srv
- file_server
- }
|
