1 file changed,
+34 insertions,
-0 deletions
| @@ -71,6 +71,40 @@ makenot.work { | |||
| 71 | 71 | } | |
| 72 | 72 | } | |
| 73 | 73 | ||
| 74 | + | # Creator custom pages (u.makenot.work). | |
| 75 | + | # Same app process as the apex — the server's host-dispatch middleware renders | |
| 76 | + | # sanitized creator HTML/CSS here, keeps this origin cookieless, and sets its own | |
| 77 | + | # strict CSP (do not duplicate CSP here). TLS is the wildcard *.makenot.work | |
| 78 | + | # Origin CA cert via cloudflare_tls. | |
| 79 | + | # | |
| 80 | + | # This explicit block is REQUIRED: without it, u.makenot.work falls into the | |
| 81 | + | # on-demand-TLS catch-all (:443) below, whose ask endpoint refuses a cert | |
| 82 | + | # because u.makenot.work is not a verified custom domain. | |
| 83 | + | # | |
| 84 | + | # Requires a Cloudflare DNS record for u.makenot.work (proxy ON), or coverage by | |
| 85 | + | # a *.makenot.work wildcard DNS record. | |
| 86 | + | u.makenot.work { | |
| 87 | + | import cloudflare_tls | |
| 88 | + | ||
| 89 | + | # Internal API is unreachable here anyway (host dispatch only serves custom | |
| 90 | + | # pages + /static), but block it explicitly as defense in depth. | |
| 91 | + | @internal path /api/internal/* | |
| 92 | + | respond @internal 404 | |
| 93 | + | ||
| 94 | + | reverse_proxy localhost:3000 | |
| 95 | + | ||
| 96 | + | header { | |
| 97 | + | Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | |
| 98 | + | } | |
| 99 | + | ||
| 100 | + | encode gzip zstd | |
| 101 | + | ||
| 102 | + | log { | |
| 103 | + | output file /var/log/caddy/userpages.log | |
| 104 | + | format json | |
| 105 | + | } | |
| 106 | + | } | |
| 107 | + | ||
| 74 | 108 | # Multithreaded forum | |
| 75 | 109 | forums.makenot.work { | |
| 76 | 110 | import cloudflare_tls |
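Review bot: The `reverse_proxy localhost:3000` line forwards request headers untouched, so any cookie the apex ever sets with `Domain=.makenot.work` would be sent by browsers to this creator-page origin and reach the same app process, even though the block comment calls the origin cookieless — the guarantee currently rests entirely on the app never setting a domain-scoped cookie. Since this host renders creator-supplied HTML/CSS, stripping the header at the edge makes the property hold regardless of application behaviour: `reverse_proxy localhost:3000 { header_up -Cookie }`. Unlike `respond @internal 404`, which Caddy's default directive ordering evaluates before the proxy whatever its textual position, a missing edge strip cannot be recovered by the app. It would also help to note in the block comment that the `path /api/internal/*` matcher is evaluated on the path as Caddy normalizes it, so the upstream router should presumably not map a differently-normalized spelling of that prefix to the internal API — worth confirming against the app's routing.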