✨ feat(ansible/caddy): Améliore la configuration Caddy avec gestion des headers, redirections et PHP-FPM.
@@ -2,38 +2,52 @@ intranet.ludikevent.fr, signature.ludikevent.fr, reservation.ludikevent.fr {
|
|||||||
tls {
|
tls {
|
||||||
dns cloudflare KL6pZ-Z_12_zbnM2TtFDIsKM8A-HLPhU5GJJbKTW
|
dns cloudflare KL6pZ-Z_12_zbnM2TtFDIsKM8A-HLPhU5GJJbKTW
|
||||||
}
|
}
|
||||||
|
|
||||||
root * {{ path }}/public
|
root * {{ path }}/public
|
||||||
file_server
|
file_server
|
||||||
|
|
||||||
# --- LOGIQUE RÉSERVATION ---
|
request_body {
|
||||||
@is_reservation_host host reservation.ludikevent.fr
|
max_size 100MB
|
||||||
|
|
||||||
handle @is_reservation_host {
|
|
||||||
# Si on arrive sur la racine /
|
|
||||||
# On réécrit en interne vers /reservation
|
|
||||||
rewrite / /reservation
|
|
||||||
|
|
||||||
# On passe à PHP en s'assurant que le script index.php est utilisé
|
|
||||||
php_fastcgi unix//run/php/php8.4-fpm.sock {
|
|
||||||
# On force Symfony à utiliser le nouveau chemin réécrit
|
|
||||||
env REQUEST_URI {uri}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# --- LE RESTE DES DOMAINES (Intranet / Signature) ---
|
# --- NO-INDEX MATCHER ---
|
||||||
handle {
|
@noindex_hosts host intranet.ludikevent.fr signature.ludikevent.fr
|
||||||
header {
|
header @noindex_hosts X-Robots-Tag "noindex, nofollow"
|
||||||
X-Content-Type-Options "nosniff"
|
|
||||||
X-Frame-Options "DENY"
|
|
||||||
Referrer-Policy "strict-origin-when-cross-origin"
|
|
||||||
CF-Connecting-IP {header.CF-Connecting-IP}
|
|
||||||
X-Real-IP {remote_host}
|
|
||||||
}
|
|
||||||
|
|
||||||
handle_path /assets/* {
|
@index_host host reservation.ludikevent.fr
|
||||||
rewrite * /build{path}
|
header @index_host -X-Robots-Tag
|
||||||
}
|
|
||||||
|
|
||||||
php_fastcgi unix//run/php/php8.4-fpm.sock
|
handle_path /utm_reserve.js {
|
||||||
|
redir https://tools-security.esy-web.dev/script.js
|
||||||
|
}
|
||||||
|
handle_path /ts.js {
|
||||||
|
redir https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js
|
||||||
|
}
|
||||||
|
# --- BLOC HEADER AVEC CSP ---
|
||||||
|
header {
|
||||||
|
X-Content-Type-Options "nosniff"
|
||||||
|
X-Frame-Options "DENY"
|
||||||
|
Referrer-Policy "strict-origin-when-cross-origin"
|
||||||
|
|
||||||
|
# Injection des headers Cloudflare pour PHP
|
||||||
|
# Cela permet à PHP de les lire via $_SERVER['HTTP_CF_CONNECTING_IP'] etc.
|
||||||
|
CF-Connecting-IP {header.CF-Connecting-IP}
|
||||||
|
CF-IPCountry {header.CF-IPCountry}
|
||||||
|
CF-RegionCode {header.CF-RegionCode}
|
||||||
|
CF-IPCity {header.CF-IPCity}
|
||||||
|
X-Real-IP {remote_host}
|
||||||
|
}
|
||||||
|
handle_path /assets/* {
|
||||||
|
rewrite * /build{path}
|
||||||
|
}
|
||||||
|
# --- PHP FASTCGI ---
|
||||||
|
# Ici, Caddy transmet automatiquement tous les headers définis ci-dessus au socket PHP
|
||||||
|
php_fastcgi unix//run/php/php8.4-fpm.sock {
|
||||||
|
read_timeout 300s
|
||||||
|
write_timeout 300s
|
||||||
|
dial_timeout 100s
|
||||||
|
|
||||||
|
# Optionnel : Forcer explicitement certains paramètres FastCGI si nécessaire
|
||||||
|
env REMOTE_ADDR {header.CF-Connecting-IP}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
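Review bot: The new `env REMOTE_ADDR {header.CF-Connecting-IP}` line in the `php_fastcgi` block gives PHP an address taken from a request header that any client can set. If the origin can be reached without passing through Cloudflare, application logs, rate limits and IP-based checks would see a forged address, or an empty one when the header is absent. Prefer declaring Cloudflare's ranges in the global options with `servers { trusted_proxies static … }` and `client_ip_headers CF-Connecting-IP`, then passing `env REMOTE_ADDR {client_ip}`, or drop the override and let Symfony's trusted-proxy handling resolve the client address. The `header { … }` block sets response headers, so the `CF-*` and `X-Real-IP` lines under "Injection des headers Cloudflare pour PHP" do not reach PHP (`php_fastcgi` already forwards request headers) and instead echo the visitor's IP and geolocation in each response; the block titled "AVEC CSP" also sets no `Content-Security-Policy`. Separately, the `dns cloudflare` line in the unchanged `tls` block carries a literal API token in the template, which should be rotated and read from a vaulted Ansible variable or `{env.CLOUDFLARE_API_TOKEN}` (placeholder name), and the `/utm_reserve.js` redirect serves a script from an external host under a first-party path with no integrity pin, so confirm that host is under the project's control.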