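lemmy.tld {
	header {
		# Only connect to this site via HTTPS for two years (63072000 s = 730 days).
		# NOTE(review): "includeSubDomains; preload" is a policy decision that requires
		# every subdomain to serve HTTPS; deliberately not added here.
		Strict-Transport-Security max-age=63072000
		# Various content security headers
		Referrer-Policy same-origin
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		# Explicitly switch the legacy XSS auditor OFF. Current browsers have removed it,
		# and in older ones "1; mode=block" could be abused to leak page contents
		# cross-site, which is why OWASP now recommends sending "0".
		X-XSS-Protection 0
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# Hide Caddy
		-Server
	}

	# Enable compression for the static CSS/JS/SVG assets, for improved client load times.
	# JSON (API responses) is deliberately left uncompressed to avoid compression+encryption
	# side channels such as BREACH. HTML is not in the list either; add "text/html*" only
	# if you accept that trade-off for server-rendered pages.
	#
	# The mime filter must be a *response* matcher inside `encode`. A named request
	# matcher (`@name { header Content-Type ... }`) inspects the *request* Content-Type,
	# which GET requests for static assets do not carry, so compression never ran.
	# The trailing `*` lets values such as "text/css; charset=utf-8" match.
	encode gzip {
		match {
			header Content-Type text/css*
			header Content-Type application/javascript*
			header Content-Type image/svg+xml*
		}
	}

	# Cap request bodies (uploads are proxied to pictrs); oversize bodies are rejected by Caddy.
	request_body {
		max_size 8MB
	}

	# Legacy pictshare URLs: permanently redirect to the pictrs equivalent.
	# Anchored with ^ so only paths that actually start with /pictshare/ are rewritten.
	@pictshare_regexp path_regexp pictshare_regexp ^/pictshare/(.*)
	redir @pictshare_regexp /pictrs/image/{re.pictshare_regexp.1} permanent

	# Requests that belong to the backend: API, images, feeds, federation/.well-known
	# paths, anything asking for an application/* representation, and every POST.
	# One CEL expression instead of three named matchers.
	@backend `
		path('/api/*', '/pictrs/*', '/feeds/*', '/nodeinfo/*', '/.well-known/*')
		|| header({'Accept': 'application/*'})
		|| method('POST')
	`
	reverse_proxy @backend lemmy:8536 {
		# Workaround for an earlier Transfer-Encoding bug in the backend. Reportedly fixed
		# upstream but not yet verified against this deployment -- re-test before removing.
		header_down -Transfer-Encoding
	}

	# Everything else is served by the UI.
	reverse_proxy lemmy-ui:1234
}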