88 admin off
99 persist_config off
1010
11- # Trust Fly.io private networking for accurate IP parsing
1211 servers {
1312 trusted_proxies static private_ranges
1413 }
2221
2322# ── Site Block ────────────────────────────────────────────────────────────────
2423:80 {
25- # Always allow health checks bypass for Fly.io monitoring
24+ # Always allow health checks bypass
2625 handle /health {
2726 respond "OK" 200
2827 }
2928
3029 # Domain Access Control
31- # Block requests if CADDY_DOMAINS is set and host doesn't match
3230 @outside_domain {
3331 expression `{env.CADDY_DOMAINS} != ""`
3432 not host {$CADDY_DOMAINS}
4139 handle {
4240 encode zstd gzip
4341
44- # Harden security posture
4542 header {
46- # Infrastructure protection
4743 Strict-Transport-Security "max-age=31536000;"
4844 X-Content-Type-Options "nosniff"
4945 X-Frame-Options "DENY"
5046 X-XSS-Protection "1; mode=block"
51-
52- # Privacy & Anti-tracking
5347 Referrer-Policy "strict-origin-when-cross-origin"
5448 Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
5549 X-Robots-Tag "noindex, nofollow"
56-
57- # Hide sensitive headers
5850 -Server
5951 -X-Powered-By
6052 -Last-Modified
6153 }
6254
63- # Proxy to the application backend
55+ # Proxy and debug request headers
6456 reverse_proxy 127.0.0.1:8080 {
57+ # Explicitly set headers
6558 header_up X-Real-IP {http.request.header.CF-Connecting-IP:{http.request.header.Fly-Client-IP:{remote_host}}}
6659 header_up X-Forwarded-For {http.request.header.CF-Connecting-IP:{http.request.header.Fly-Client-IP:{remote_host}}}
60+
61+ # Debug: print all relevant headers to Caddy stdout
62+ # header_up X-Debug-Headers "{http.request.headers.*}"
6763 }
6864 }
65+
66+ # Enable debug logging for headers
67+ log {
68+ output stdout
69+ format console
70+ # log HTTP request headers to debug mapping
71+ }
6972}
0 commit comments