commit 844732db903fbdbc68bedd6d03693f753d6499f7 Author: Kaki Filem Team Date: Sat Jan 31 20:35:10 2026 +0800 Initial commit
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..55cc12a
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,54 @@
+{
+ admin off
+}
+
+:{$PORT} {
+
+ log {
+ output stdout
+ format console
+ }
+
+ header X-Caddy "active"
+
+ # HEALTH CHECK
+
+ @health path /healthz
+ respond @health 200
+
+ # PATH SCAN BLOCKERS
+ @xmlrpc path /xmlrpc.php
+ respond @xmlrpc 403
+
+ @rx_env path_regexp (?i)/?(.*/)?\.env
+ respond @rx_env 403
+
+ @rx_git path_regexp (?i)/?(.*/)?\.git
+ respond @rx_git 403
+
+ @rx_wpinc path_regexp (?i)/?(.*/)?wp-includes
+ respond @rx_wpinc 403
+
+ @rx_wplogin path_regexp (?i)/?(.*/)?wp-login\.php
+ respond @rx_wplogin 403
+
+ @rx_wpconfig path_regexp (?i)/?(.*/)?wp-config\.php
+ respond @rx_wpconfig 403
+
+ @rx_phpmy path_regexp (?i)/?(.*/)?phpmyadmin
+ respond @rx_phpmy 403
+
+ # SECURITY HEADERS
+ header {
+ X-Frame-Options "DENY"
+ X-Content-Type-Options "nosniff"
+ Referrer-Policy "strict-origin"
+ }
+
+ # BACKEND SERVICE
+ reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT} {
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Forwarded-For {remote}
+ header_up Host {host}
+ }
+}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..04cbaa6
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM caddy:latest
+
+WORKDIR /app
+
+COPY Caddyfile /etc/caddy/Caddyfile
+COPY entrypoint.sh /app/entrypoint.sh
+
+RUN chmod 755 /app/entrypoint.sh
+
+ENTRYPOINT ["sh", "/app/entrypoint.sh"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..b77bf2a
--- /dev/null
+++ b/LICENSE
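Review bot: In the Caddyfile's `reverse_proxy` block, `header_up X-Forwarded-For {remote}` and `header_up X-Forwarded-Proto {scheme}` replace whatever the platform edge supplied with this proxy's own view of the connection. The README says Railway terminates TLS in front of this service, so `{scheme}` will presumably be `http` and `{remote}` the address of Railway's edge hop (as far as I recall, port included) rather than the client, which leaves the backend's audit logs, rate limits and secure-cookie or redirect decisions working from wrong values. Caddy's `reverse_proxy` already manages the `X-Forwarded-*` headers and passes `Host` through unchanged, so I would delete the three `header_up` lines and declare the edge as trusted in the global options block, e.g. `servers { trusted_proxies static private_ranges }`. Which source ranges Railway's edge actually connects from is not visible here and needs confirming before that list is relied on.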
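Review bot: `FROM caddy:latest` in the Dockerfile leaves the base image unpinned, so every rebuild of this internet-facing proxy can silently pick up a different Caddy release or a re-tagged image. Pin it to a release tag plus digest, `FROM caddy:<version>@sha256:<digest>` (placeholders, take the real values from the registry), and let a dependency bot propose the bumps. The image also never sets `USER`, so Caddy presumably runs as root; since it listens on `$PORT` rather than a privileged port, a dedicated non-root user should be enough if the platform allows it.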
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..684a075
--- /dev/null
+++ b/README.md
@@ -0,0 +1,114 @@
+# Caddy Reverse Proxy – Backend Service (Railway)
+
+[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/caddy-backend-proxy?referralCode=nIQTyp&utm_medium=integration&utm_source=template&utm_campaign=generic)
+
+A minimal, production-ready **Caddy reverse proxy** for backend services running on **Railway**.
+Framework-agnostic β€” works with Django, FastAPI, Flask, Node.js, Go, and any HTTP backend.
+
+This template forwards all incoming traffic to a private backend service using Railway’s internal network.
+
+---
+
+## ✨ Features
+
+- πŸš€ Minimal Caddy reverse proxy
+- 🩺 Health check endpoint (`/healthz`)
+- πŸ›‘ Blocks common path scanning attempts
+- πŸ”’ Sensible security headers
+- πŸ” Works with any HTTP backend
+- βš™ Railway-ready (dynamic `$PORT`)
+- πŸ“¦ No plugins, no custom Caddy build
+
+---
+
+## πŸ“¦ Files
+
+- `Caddyfile` – Caddy reverse proxy configuration
+- `Dockerfile` – Minimal container image
+- `entrypoint.sh` – Startup script
+
+---
+
+## πŸ”§ Required Environment Variables
+
+| Variable | Description |
+|--------|------------|
+| `BACKEND_HOST` | Private Railway domain of your backend service |
+| `BACKEND_PORT` | Port your backend listens on (e.g. `8000`) |
+
+Example (Railway):
+```env
+BACKEND_HOST=${{MyBackend.RAILWAY_PRIVATE_DOMAIN}}
+BACKEND_PORT=8000
+```
+
+---
+
+---
+
+## 🌐 Custom Domain
+
+To use a custom domain with this proxy:
+
+1. Open your Railway project
+2. Go to **Settings β†’ Domains**
+3. Add your custom domain
+4. Update your DNS records as instructed by Railway
+
+Railway handles HTTPS and TLS termination automatically.
+No additional Caddy configuration is required.
+
+## 🩺 Health Check
+
+The proxy exposes a health endpoint:
+
+```
+GET /healthz
+```
+
+Always returns `200 OK` and does not depend on backend availability.
+
+---
+
+## πŸ”’ Security Notes
+
+This template blocks common automated scans such as:
+- `/xmlrpc.php`
+- `/.env`
+- `/.git`
+- `/wp-login.php`
+- `/phpmyadmin`
+
+Security headers included by default:
+- `X-Frame-Options: DENY`
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin`
+
+---
+
+## πŸš€ Usage
+
+1. Deploy this repository on Railway
+2. Set the required environment variables
+3. Point `BACKEND_HOST` to your private backend service
+4. Done πŸŽ‰
+
+All incoming traffic will be proxied to your backend.
+
+---
+
+## 🧠 Notes
+
+- HTTPS is handled by Railway
+- This template does not serve static files
+- Designed to be simple, transparent, and extensible
+
+---
+
+## πŸ“„ License
+
+This project is licensed under the MIT License.
+
+It uses Caddy, which is licensed under the Apache License 2.0.
+
+This template is community-maintained.
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..5be9dcf
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+echo "πŸš€ Starting Caddy"
+echo "πŸ”— Proxying to backend: ${BACKEND_HOST}:${BACKEND_PORT}"
+
+exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
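Review bot: entrypoint.sh echoes and relies on `BACKEND_HOST` and `BACKEND_PORT` without checking that they are set, and `set -e` does not catch an empty expansion. With either one missing, the Caddyfile's upstream becomes an incomplete address and the problem surfaces only later as a Caddy config error or a wrong upstream. Fail fast before the `exec` with `: "${BACKEND_HOST:?BACKEND_HOST is required}"` and `: "${BACKEND_PORT:?BACKEND_PORT is required}"`; the same guard on `PORT` would cover the listener address.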