Initial commit

2026-01-31 20:35:10 +08:00 · 2026-01-31 20:35:10 +08:00 · 844732db90
commit 844732db90
5 changed files with 206 additions and 0 deletions
--- a/54
+++ b/54
@ -0,0 +1,54 @@
 {
    admin off
 }
 :{$PORT} {
    log {
        output stdout
        format console
    }
    header X-Caddy "active"
    # HEALTH CHECK
    @health path /healthz
    respond @health 200
    # PATH SCAN BLOCKERS
    @xmlrpc path /xmlrpc.php
    respond @xmlrpc 403
    @rx_env path_regexp (?i)/?(.*/)?\.env
    respond @rx_env 403
    @rx_git path_regexp (?i)/?(.*/)?\.git
    respond @rx_git 403
    @rx_wpinc path_regexp (?i)/?(.*/)?wp-includes
    respond @rx_wpinc 403
    @rx_wplogin path_regexp (?i)/?(.*/)?wp-login\.php
    respond @rx_wplogin 403
    @rx_wpconfig path_regexp (?i)/?(.*/)?wp-config\.php
    respond @rx_wpconfig 403
    @rx_phpmy path_regexp (?i)/?(.*/)?phpmyadmin
    respond @rx_phpmy 403
    # SECURITY HEADERS
    header {
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin"
    }
    # BACKEND SERVICE
    reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT} {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote}
        header_up Host {host}
    }
 }
--- a/10
+++ b/10
@ -0,0 +1,10 @@
 FROM caddy:latest
 WORKDIR /app
 COPY Caddyfile /etc/caddy/Caddyfile
 COPY entrypoint.sh /app/entrypoint.sh
 RUN chmod 755 /app/entrypoint.sh
 ENTRYPOINT ["sh", "/app/entrypoint.sh"]
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 MIT License
 Copyright (c) 2025
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,114 @@
 # Caddy Reverse Proxy – Backend Service (Railway)
 [![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/caddy-backend-proxy?referralCode=nIQTyp&utm_medium=integration&utm_source=template&utm_campaign=generic)
 A minimal, production-ready **Caddy reverse proxy** for backend services running on **Railway**.  
 Framework-agnostic — works with Django, FastAPI, Flask, Node.js, Go, and any HTTP backend.
 This template forwards all incoming traffic to a private backend service using Railway’s internal network.
 ---
 ## ✨ Features
 - 🚀 Minimal Caddy reverse proxy
 - 🩺 Health check endpoint (`/healthz`)
 - 🛡 Blocks common path scanning attempts
 - 🔒 Sensible security headers
 - 🔁 Works with any HTTP backend
 - ⚙ Railway-ready (dynamic `$PORT`)
 - 📦 No plugins, no custom Caddy build
 ---
 ## 📦 Files
 - `Caddyfile` – Caddy reverse proxy configuration
 - `Dockerfile` – Minimal container image
 - `entrypoint.sh` – Startup script
 ---
 ## 🔧 Required Environment Variables
 | Variable | Description |
 |--------|------------|
 | `BACKEND_HOST` | Private Railway domain of your backend service |
 | `BACKEND_PORT` | Port your backend listens on (e.g. `8000`) |
 Example (Railway):
 ```env
 BACKEND_HOST=${{MyBackend.RAILWAY_PRIVATE_DOMAIN}}
 BACKEND_PORT=8000
 ```
 ---
 ---
 ## 🌐 Custom Domain
 To use a custom domain with this proxy:
 1. Open your Railway project
 2. Go to **Settings → Domains**
 3. Add your custom domain
 4. Update your DNS records as instructed by Railway
 Railway handles HTTPS and TLS termination automatically.  
 No additional Caddy configuration is required.
 ## 🩺 Health Check
 The proxy exposes a health endpoint:
 ```
 GET /healthz
 ```
 Always returns `200 OK` and does not depend on backend availability.
 ---
 ## 🔒 Security Notes
 This template blocks common automated scans such as:
 - `/xmlrpc.php`
 - `/.env`
 - `/.git`
 - `/wp-login.php`
 - `/phpmyadmin`
 Security headers included by default:
 - `X-Frame-Options: DENY`
 - `X-Content-Type-Options: nosniff`
 - `Referrer-Policy: strict-origin`
 ---
 ## 🚀 Usage
 1. Deploy this repository on Railway
 2. Set the required environment variables
 3. Point `BACKEND_HOST` to your private backend service
 4. Done 🎉
 All incoming traffic will be proxied to your backend.
 ---
 ## 🧠 Notes
 - HTTPS is handled by Railway
 - This template does not serve static files
 - Designed to be simple, transparent, and extensible
 ---
 ## 📄 License
 This project is licensed under the MIT License.
 It uses Caddy, which is licensed under the Apache License 2.0.
 This template is community-maintained.
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,7 @@
 #!/bin/sh
 set -e
 echo "🚀 Starting Caddy"
 echo "🔗 Proxying to backend: ${BACKEND_HOST}:${BACKEND_PORT}"
 exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile