Initial commit

2026-01-31 20:35:10 +08:00 · 2026-01-31 20:35:10 +08:00 · 844732db90
commit 844732db90
5 changed files with 206 additions and 0 deletions
--- a/54
+++ b/54
@ -0,0 +1,54 @@
+{
+    admin off
+}
+
+:{$PORT} {
+
+    log {
+        output stdout
+        format console
+    }
+
+    header X-Caddy "active"
+
+    # HEALTH CHECK
+
+    @health path /healthz
+    respond @health 200
+
+    # PATH SCAN BLOCKERS
+    @xmlrpc path /xmlrpc.php
+    respond @xmlrpc 403
+
+    @rx_env path_regexp (?i)/?(.*/)?\.env
+    respond @rx_env 403
+
+    @rx_git path_regexp (?i)/?(.*/)?\.git
+    respond @rx_git 403
+
+    @rx_wpinc path_regexp (?i)/?(.*/)?wp-includes
+    respond @rx_wpinc 403
+
+    @rx_wplogin path_regexp (?i)/?(.*/)?wp-login\.php
+    respond @rx_wplogin 403
+
+    @rx_wpconfig path_regexp (?i)/?(.*/)?wp-config\.php
+    respond @rx_wpconfig 403
+
+    @rx_phpmy path_regexp (?i)/?(.*/)?phpmyadmin
+    respond @rx_phpmy 403
+
+    # SECURITY HEADERS
+    header {
+        X-Frame-Options "DENY"
+        X-Content-Type-Options "nosniff"
+        Referrer-Policy "strict-origin"
+    }
+
+    # BACKEND SERVICE
+    reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT} {
+        header_up X-Forwarded-Proto {scheme}
+        header_up X-Forwarded-For {remote}
+        header_up Host {host}
+    }
+}
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+FROM caddy:latest
+
+WORKDIR /app
+
+COPY Caddyfile /etc/caddy/Caddyfile
+COPY entrypoint.sh /app/entrypoint.sh
+
+RUN chmod 755 /app/entrypoint.sh
+
+ENTRYPOINT ["sh", "/app/entrypoint.sh"]
--- a/21
+++ b/21
@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,114 @@
+# Caddy Reverse Proxy – Backend Service (Railway)
+
+[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/caddy-backend-proxy?referralCode=nIQTyp&utm_medium=integration&utm_source=template&utm_campaign=generic)
+
+A minimal, production-ready **Caddy reverse proxy** for backend services running on **Railway**.  
+Framework-agnostic — works with Django, FastAPI, Flask, Node.js, Go, and any HTTP backend.
+
+This template forwards all incoming traffic to a private backend service using Railway’s internal network.
+
+---
+
+## ✨ Features
+
+- 🚀 Minimal Caddy reverse proxy
+- 🩺 Health check endpoint (`/healthz`)
+- 🛡 Blocks common path scanning attempts
+- 🔒 Sensible security headers
+- 🔁 Works with any HTTP backend
+- ⚙ Railway-ready (dynamic `$PORT`)
+- 📦 No plugins, no custom Caddy build
+
+---
+
+## 📦 Files
+
+- `Caddyfile` – Caddy reverse proxy configuration
+- `Dockerfile` – Minimal container image
+- `entrypoint.sh` – Startup script
+
+---
+
+## 🔧 Required Environment Variables
+
+| Variable | Description |
+|--------|------------|
+| `BACKEND_HOST` | Private Railway domain of your backend service |
+| `BACKEND_PORT` | Port your backend listens on (e.g. `8000`) |
+
+Example (Railway):
+```env
+BACKEND_HOST=${{MyBackend.RAILWAY_PRIVATE_DOMAIN}}
+BACKEND_PORT=8000
+```
+
+---
+
+---
+
+## 🌐 Custom Domain
+
+To use a custom domain with this proxy:
+
+1. Open your Railway project
+2. Go to **Settings → Domains**
+3. Add your custom domain
+4. Update your DNS records as instructed by Railway
+
+Railway handles HTTPS and TLS termination automatically.  
+No additional Caddy configuration is required.
+
+## 🩺 Health Check
+
+The proxy exposes a health endpoint:
+
+```
+GET /healthz
+```
+
+Always returns `200 OK` and does not depend on backend availability.
+
+---
+
+## 🔒 Security Notes
+
+This template blocks common automated scans such as:
+- `/xmlrpc.php`
+- `/.env`
+- `/.git`
+- `/wp-login.php`
+- `/phpmyadmin`
+
+Security headers included by default:
+- `X-Frame-Options: DENY`
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin`
+
+---
+
+## 🚀 Usage
+
+1. Deploy this repository on Railway
+2. Set the required environment variables
+3. Point `BACKEND_HOST` to your private backend service
+4. Done 🎉
+
+All incoming traffic will be proxied to your backend.
+
+---
+
+## 🧠 Notes
+
+- HTTPS is handled by Railway
+- This template does not serve static files
+- Designed to be simple, transparent, and extensible
+
+---
+
+## 📄 License
+
+This project is licensed under the MIT License.
+
+It uses Caddy, which is licensed under the Apache License 2.0.
+
+This template is community-maintained.
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+echo "🚀 Starting Caddy"
+echo "🔗 Proxying to backend: ${BACKEND_HOST}:${BACKEND_PORT}"
+
+exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile