Updated Using a Reverse Proxy with Paperless ngx (markdown)

2025-05-23 17:52:23 -04:00 · 2025-04-26 21:39:03 +09:30 · 2025-04-26 21:39:03 +09:30 · 6074f7e128
commit 6074f7e128
parent b47ed4560b
1 changed files with 53 additions and 1 deletions
--- a/Using-a-Reverse-Proxy-with-Paperless-ngx.md
+++ b/Using-a-Reverse-Proxy-with-Paperless-ngx.md
@ -151,7 +151,7 @@ Below is an example of an apache2 conf file that you may customize to fit your e

 # Caddy

-Below is an example Caddy configuration
+Below is a simple example Caddy configuration running on same host

 ```
 :80 {
@ -161,6 +161,58 @@ Below is an example Caddy configuration
 }
 ```

+Below is a more in-depth, although not comprehensive, Caddy configuration running on different host
+
+```
+# Global Options Block
+{
+}
+
+#### Reusable Snippets
+(common) {
+        tls youremailaddress@host.com {
+                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+        }
+        header {
+        # Enable HSTS
+                Strict-Transport-Security "max-age=31536000; includeSubdomains"
+                X-XSS-Protection 0
+        # Prevent browsers from incorrectly detecting non-scripts as scripts and MIME type sniffing
+                X-Content-Type-Options nosniff
+                -Server
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+                X-Frame-Options "ALLOW-FROM *.example.domain"
+                Permissions-Policy "geolocation=(self  *.example.domain), microphone=(), interest-cohort=()"
+                        import content-security-general
+        }
+}
+#### Content Security Snippets
+(content-security-general) { # Default setup
+        # Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,
+        #   and images from same origin and imgur. Sites should aim for policies like this.
+        Content-Security-Policy "frame-ancestors  *.example.domain"
+        #"default-src 'self'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none';"
+        #default-src 'none'; font-src https://fonts.gstatic.com; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'
+}
+(content-security-basic) { # Most basic setup
+        # Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur
+        # Also disables the execution of plugins
+        Content-Security-Policy default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'
+}
+(content-security-api) { # API
+        # Disable the loading of any resources and disable framing, recommended for APIs to use
+        Content-Security-Policy default-src 'none'; frame-ancestors 'none'
+}
+#### Sites
+
+paperless.ProxiedExample.domain {
+        import common
+        reverse_proxy https://paperless.HostExample.domain {
+                header_up Host {http.reverse_proxy.upstream.hostport}
+        }
+}
+```
+
 # Traefik

 Below is an example Traefik configuration you would add to the webserver container.