From 07fbb7af2cc4dfae19dda7f9e7da675cb8e8aed3 Mon Sep 17 00:00:00 2001
From: qadamscqueezy
Date: Thu, 15 Jan 2026 20:36:31 +0100
Subject: [PATCH] update caddy file
---
 frankenphp/Caddyfile | 108 ++++++++++++++++++++++++-------------------
 1 file changed, 61 insertions(+), 47 deletions(-)
diff --git a/frankenphp/Caddyfile b/frankenphp/Caddyfile
index df0b711..62d420a 100644
--- a/frankenphp/Caddyfile
+++ b/frankenphp/Caddyfile
@@ -1,65 +1,79 @@ { - skip_install_trust - - {$CADDY_GLOBAL_OPTIONS} - + # Global options frankenphp { - {$FRANKENPHP_CONFIG} - - worker { - file ./public/index.php - env APP_RUNTIME Runtime\FrankenPhpSymfony\Runtime - {$FRANKENPHP_WORKER_CONFIG} - } + # Number of workers for better performance + num_threads {$NUM_THREADS:4} } + + # Order directives properly + order mercure after encode + order php_server before file_server } -{$CADDY_EXTRA_CONFIG} +# HTTP server - HTTPS is handled by caddy-proxy +{$SERVER_NAME:80} { + # Root directory + root * /app/public -{$SERVER_NAME:localhost} { - log { - {$CADDY_SERVER_LOG_OPTIONS} - # Redact the authorization query parameter that can be set by Mercure - format filter { - request>uri query { - replace authorization REDACTED - } - } - } - - root /app/public - encode zstd br gzip + # Enable compression + encode zstd gzip + # Mercure hub configuration (built-in) mercure { # Publisher JWT key - publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG} + publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} { + algorithm hs256 + } # Subscriber JWT key - subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG} - # Allow anonymous subscribers (double-check that it's what you want) + subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} { + algorithm hs256 + } + # Allow anonymous subscribers anonymous - # Enable the subscription API (double-check that it's what you want) - subscriptions - # Extra directives - {$MERCURE_EXTRA_DIRECTIVES} + # CORS configuration + cors_origins * } - vulcain - - {$CADDY_SERVER_EXTRA_DIRECTIVES} - - # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics - header ?Permissions-Policy "browsing-topics=()" - - @phpRoute { - not path /.well-known/mercure* - not file {path} + # Client max body size (for uploads) + request_body { + max_size 20MB } - rewrite @phpRoute index.php - @frontController path index.php - php @frontController + # Security: Deny 
access to sensitive directories + @forbidden { + path /bin/* /config/* /src/* /templates/* /tests/* /translations/* /var/* /vendor/* + } + handle @forbidden { + respond "Access Denied" 404 + } - file_server { - hide *.php + # Security: Deny access to dot files (except .well-known for Mercure) + @dotfiles { + path */.* + not path /.well-known/* + } + handle @dotfiles { + respond "Access Denied" 404 + } + + # Cache static assets (30 days) + @static { + path *.jpg *.jpeg *.png *.gif *.ico *.css *.js *.svg *.woff *.woff2 *.ttf *.eot *.xlsx + } + handle @static { + header Cache-Control "public, max-age=2592000, no-transform" + file_server + } + + # PHP FrankenPHP handler + php_server { + # Resolve symlinks + resolve_root_symlink + } + + # Logging + log { + output file /var/log/caddy/access.log + format json } }
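Review bot: The rewritten `log` block at the end of the hunk drops the `format filter` that redacted the `authorization` query parameter, so a Mercure subscriber JWT passed in the query string is now written in plaintext to `/var/log/caddy/access.log`. The new `log` block should keep that redaction around the JSON encoder; the rewrite below restores it from the removed lines. Separately, `cors_origins *` together with `anonymous` makes the hub open to any origin without a token, which may be intended, but the comment should state that rather than `# CORS configuration`, e.g. `# Any origin may subscribe without a token; confirm this is intended before exposing publicly`. The `@forbidden` matcher compares request paths under `root * /app/public`, so it is probably only a belt-and-braces check for directories that are not under the web root anyway; worth a comment saying so.
```caddyfile
# … unchanged: everything above the log block …
# Logging
log {
    output file /var/log/caddy/access.log
    # Redact the authorization query parameter that can be set by Mercure
    format filter {
        wrap json
        request>uri query {
            replace authorization REDACTED
        }
    }
}
```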