From 6074f7e128537b0d53b4c306298f87758e8be5c5 Mon Sep 17 00:00:00 2001
From: silycr <32662182+silycr@users.noreply.github.com>
Date: Sat, 26 Apr 2025 21:39:03 +0930
Subject: [PATCH] Updated Using a Reverse Proxy with Paperless ngx (markdown)
---
 Using-a-Reverse-Proxy-with-Paperless-ngx.md | 54 ++++++++++++++++++++-
 1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/Using-a-Reverse-Proxy-with-Paperless-ngx.md b/Using-a-Reverse-Proxy-with-Paperless-ngx.md
index 13089e0..a04db34 100644
--- a/Using-a-Reverse-Proxy-with-Paperless-ngx.md
+++ b/Using-a-Reverse-Proxy-with-Paperless-ngx.md
@@ -151,7 +151,7 @@ Below is an example of an apache2 conf file that you may customize to fit your e # Caddy -Below is an example Caddy configuration +Below is a simple example Caddy configuration running on same host ``` :80 { 
@@ -161,6 +161,58 @@ Below is an example Caddy configuration } ```
+Below is a more in-depth, although not comprehensive, Caddy configuration running on different host
+
+```
+# Global Options Block
+{
+}
+
+#### Reusable Snippets
+(common) {
+ tls youremailaddress@host.com {
+ dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+ }
+ header {
+ # Enable HSTS
+ Strict-Transport-Security "max-age=31536000; includeSubdomains"
+ X-XSS-Protection 0
+ # Prevent browsers from incorrectly detecting non-scripts as scripts and MIME type sniffing
+ X-Content-Type-Options nosniff
+ -Server
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-Frame-Options "ALLOW-FROM *.example.domain"
+ Permissions-Policy "geolocation=(self *.example.domain), microphone=(), interest-cohort=()"
+ import content-security-general
+ }
+}
+#### Content Security Snippets
+(content-security-general) { # Default setup
+ # Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,
+ # and images from same origin and imgur. Sites should aim for policies like this.
+ Content-Security-Policy "frame-ancestors *.example.domain"
+ #"default-src 'self'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none';"
+ #default-src 'none'; font-src https://fonts.gstatic.com; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'
+}
+(content-security-basic) { # Most basic setup
+ # Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur
+ # Also disables the execution of plugins
+ Content-Security-Policy default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'
+}
+(content-security-api) { # API
+ # Disable the loading of any resources and disable framing, recommended for APIs to use
+ Content-Security-Policy default-src 'none'; frame-ancestors 'none'
+}
+#### Sites
+
+paperless.ProxiedExample.domain {
+ import common
+ reverse_proxy https://paperless.HostExample.domain {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ }
+}
+```
+ # Traefik Below is an example Traefik configuration you would add to the webserver container.
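Review bot: `X-Frame-Options "ALLOW-FROM *.example.domain"` in the `(common)` header block gives no protection as written, because current browsers only honour `DENY` and `SAMEORIGIN` and ignore the header for any other value; the `Content-Security-Policy "frame-ancestors *.example.domain"` line in `(content-security-general)` is what actually governs framing here, so the X-Frame-Options line should either be dropped or changed to `X-Frame-Options SAMEORIGIN` if only same-origin framing is wanted. The comment directly above it, `# Enable cross-site filter (XSS) and tell browser to block detected attacks`, describes X-XSS-Protection (which the block deliberately sets to 0 a few lines earlier) rather than framing, so reword it to `# Restrict which origins may frame this site` to avoid misleading readers. The `dns cloudflare {env.CLOUDFLARE_API_TOKEN}` directive also presumes a Caddy build that includes the Cloudflare DNS module and that the token is present in the server's environment; a sentence stating both prerequisites before the listing would save readers a failed start.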