273f0632be
- Production compose stack with postgres, web, worker, caddy services (D-01..D-04, D-08)
- postgres service has no host ports binding (internal network only, T-07-09 mitigated)
- web and worker use same image with different command: values (/app/web, /app/worker)
- Both web and worker depend_on postgres with service_healthy condition (T-07-12 mitigated)
- Caddy handles TLS via Let's Encrypt with persistent caddy_data and caddy_config volumes (D-04)
- Caddyfile uses {$DOMAIN} env var interpolation for the site block (RESEARCH Pattern 6)
- Caddyfile includes Let's Encrypt staging note to avoid rate limits (RESEARCH Pitfall 4)
26 lines
1 KiB
Caddyfile
26 lines
1 KiB
Caddyfile
# Caddy reverse proxy configuration for Xtablo production.
|
|
#
|
|
# Caddy automatically:
|
|
# - Provisions a TLS certificate via Let's Encrypt (ACME) when a domain name is provided.
|
|
# - Redirects HTTP (port 80) to HTTPS (port 443).
|
|
# - Renews the certificate before it expires.
|
|
#
|
|
# Required environment variable:
|
|
# DOMAIN — set this to your production domain in .env.prod (e.g. app.yourdomain.com).
|
|
# Caddy reads {$DOMAIN} from the environment at startup.
|
|
#
|
|
# Let's Encrypt staging note (RESEARCH Pitfall 4):
|
|
# Let's Encrypt enforces rate limits (5 duplicate certificates per week per domain).
|
|
# For initial setup and testing, add a global block to use the staging endpoint:
|
|
#
|
|
# {
|
|
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
|
|
# }
|
|
#
|
|
# Remove the global block (or comment it out) before going live to switch to
|
|
# production certificates. The caddy_data volume must be cleared between staging
|
|
# and production to avoid certificate cache conflicts.
|
|
|
|
{$DOMAIN} {
|
|
reverse_proxy web:8080
|
|
}
|