matrix-docker-ansible-deploy/examples/caddy2/Caddyfile

matrix.DOMAIN.tld {

  tls {$CADDY_TLS}

  @identity {
        path /_matrix/identity/*
  }

  @noidentity {
        not path /_matrix/identity/*
  }

  @search {
        path /_matrix/client/r0/user_directory/search/*
  }

  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }

  @static {
        path /matrix/static-files/*
  }

  @nostatic {
        not path /matrix/static-files/*
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
                                                                                                                                                                                                                      167,9         79%
  }

  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }

  # identity
  handle @identity {
        reverse_proxy localhost:8090/_matrix/identity  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  # search
  handle @search {
        reverse_proxy localhost:8090/_matrix/client/r0/user_directory/search   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  handle {
        encode zstd gzip

        reverse_proxy localhost:8008  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
}

matrix.DOMAIN.tld:8448 {
    handle {
        encode zstd gzip

        reverse_proxy 127.0.0.1:8048 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
    }
}

dimension.DOMAIN.tld {

      tls {$CADDY_TLS}

      header {
         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
        	X-XSS-Protection "1; mode=block"
        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        	X-Content-Type-Options "nosniff"
        	# Disallow the site to be rendered within a frame (clickjacking protection)
        	X-Frame-Options "DENY"
        	# X-Robots-Tag
        	X-Robots-Tag "noindex, noarchive, nofollow"
  	}

    	handle {
        	encode zstd gzip

        	reverse_proxy localhost:8184  {
               		header_up X-Forwarded-Port {http.request.port}
               		header_up X-Forwarded-Proto {http.request.scheme}
               		header_up X-Forwarded-TlsProto {tls_protocol}
               		header_up X-Forwarded-TlsCipher {tls_cipher}
               		header_up X-Forwarded-HttpsProto {proto}
        	}
  	}
}

element.DOMAIN.tld {

    tls {$CADDY_TLS}

 	header {
         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
        	X-XSS-Protection "1; mode=block"
        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        	X-Content-Type-Options "nosniff"
        	# Disallow the site to be rendered within a frame (clickjacking protection)
        	X-Frame-Options "DENY"
        	# X-Robots-Tag
        	X-Robots-Tag "noindex, noarchive, nofollow"
  	}

        handle {
              encode zstd gzip

              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
        }
}