185 lines
5.6 KiB
Caddyfile
185 lines
5.6 KiB
Caddyfile
# =============================================================================
|
||
# Sub2API Caddy Reverse Proxy Configuration (宿主机部署)
|
||
# =============================================================================
|
||
# 使用方法:
|
||
# 1. 安装 Caddy: https://caddyserver.com/docs/install
|
||
# 2. 修改下方 example.com 为你的域名
|
||
# 3. 确保域名 DNS 已指向服务器
|
||
# 4. 复制配置: sudo cp Caddyfile /etc/caddy/Caddyfile
|
||
# 5. 重载配置: sudo systemctl reload caddy
|
||
#
|
||
# Caddy 会自动申请和续期 Let's Encrypt SSL 证书
|
||
# =============================================================================
|
||
|
||
# 全局配置
|
||
{
|
||
# Let's Encrypt 邮箱通知
|
||
email admin@example.com
|
||
|
||
# 服务器配置
|
||
servers {
|
||
# 启用 HTTP/2 和 HTTP/3
|
||
protocols h1 h2 h3
|
||
|
||
# 超时配置
|
||
timeouts {
|
||
read_body 30s
|
||
read_header 10s
|
||
write 60s
|
||
idle 120s
|
||
}
|
||
}
|
||
}
|
||
|
||
# 修改为你的域名
|
||
example.com {
|
||
# =========================================================================
|
||
# TLS 安全配置
|
||
# =========================================================================
|
||
tls {
|
||
# 仅使用 TLS 1.2 和 1.3
|
||
protocols tls1.2 tls1.3
|
||
|
||
# 优先使用的加密套件
|
||
ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||
}
|
||
|
||
# =========================================================================
|
||
# 反向代理配置
|
||
# =========================================================================
|
||
reverse_proxy localhost:8080 {
|
||
# 健康检查
|
||
health_uri /health
|
||
health_interval 30s
|
||
health_timeout 10s
|
||
health_status 200
|
||
|
||
# 负载均衡策略(单节点可忽略,多节点时有用)
|
||
lb_policy round_robin
|
||
lb_try_duration 5s
|
||
lb_try_interval 250ms
|
||
|
||
# 传递真实客户端信息
|
||
# 兼容 Cloudflare 和直连:后端应优先读取 CF-Connecting-IP,其次 X-Real-IP
|
||
header_up X-Real-IP {remote_host}
|
||
header_up X-Forwarded-For {remote_host}
|
||
header_up X-Forwarded-Proto {scheme}
|
||
header_up X-Forwarded-Host {host}
|
||
# 保留 Cloudflare 原始头(如果存在)
|
||
# 后端获取 IP 的优先级建议: CF-Connecting-IP → X-Real-IP → X-Forwarded-For
|
||
header_up CF-Connecting-IP {http.request.header.CF-Connecting-IP}
|
||
|
||
# 连接池优化
|
||
transport http {
|
||
keepalive 120s
|
||
keepalive_idle_conns 256
|
||
read_buffer 16KB
|
||
write_buffer 16KB
|
||
compression off
|
||
}
|
||
|
||
# 故障转移
|
||
fail_duration 30s
|
||
max_fails 3
|
||
unhealthy_status 500 502 503 504
|
||
}
|
||
|
||
# =========================================================================
|
||
# 压缩配置
|
||
# =========================================================================
|
||
encode {
|
||
zstd
|
||
gzip 6
|
||
minimum_length 256
|
||
match {
|
||
header Content-Type text/*
|
||
header Content-Type application/json*
|
||
header Content-Type application/javascript*
|
||
header Content-Type application/xml*
|
||
header Content-Type application/rss+xml*
|
||
header Content-Type image/svg+xml*
|
||
}
|
||
}
|
||
|
||
# =========================================================================
|
||
# 速率限制 (需要 caddy-ratelimit 插件)
|
||
# 如未安装插件,请注释掉此段
|
||
# =========================================================================
|
||
# rate_limit {
|
||
# zone api {
|
||
# key {remote_host}
|
||
# events 100
|
||
# window 1m
|
||
# }
|
||
# }
|
||
|
||
# =========================================================================
|
||
# 安全响应头
|
||
# =========================================================================
|
||
header {
|
||
# 防止点击劫持
|
||
X-Frame-Options "SAMEORIGIN"
|
||
|
||
# XSS 保护
|
||
X-XSS-Protection "1; mode=block"
|
||
|
||
# 防止 MIME 类型嗅探
|
||
X-Content-Type-Options "nosniff"
|
||
|
||
# 引用策略
|
||
Referrer-Policy "strict-origin-when-cross-origin"
|
||
|
||
# HSTS - 强制 HTTPS (max-age=1年)
|
||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||
|
||
# 内容安全策略 (根据需要调整)
|
||
# Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;"
|
||
|
||
# 权限策略
|
||
Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
|
||
|
||
# 跨域资源策略
|
||
Cross-Origin-Opener-Policy "same-origin"
|
||
Cross-Origin-Embedder-Policy "require-corp"
|
||
Cross-Origin-Resource-Policy "same-origin"
|
||
|
||
# 移除敏感头
|
||
-Server
|
||
-X-Powered-By
|
||
}
|
||
|
||
# =========================================================================
|
||
# 请求大小限制 (防止大文件攻击)
|
||
# =========================================================================
|
||
request_body {
|
||
max_size 100MB
|
||
}
|
||
|
||
# =========================================================================
|
||
# 日志配置
|
||
# =========================================================================
|
||
log {
|
||
output file /var/log/caddy/sub2api.log {
|
||
roll_size 50mb
|
||
roll_keep 10
|
||
roll_keep_for 720h
|
||
}
|
||
format json
|
||
level INFO
|
||
}
|
||
|
||
# =========================================================================
|
||
# 错误处理
|
||
# =========================================================================
|
||
handle_errors {
|
||
respond "{err.status_code} {err.status_text}"
|
||
}
|
||
}
|
||
|
||
# =============================================================================
|
||
# HTTP 重定向到 HTTPS (Caddy 默认自动处理,此处显式声明)
|
||
# =============================================================================
|
||
; http://example.com {
|
||
; redir https://{host}{uri} permanent
|
||
; }
|