| 1 | # Oversight registry, production Caddy config. |
| 2 | # |
| 3 | # Set the hostnames in .env before starting the live Compose profile: |
| 4 | # OVERSIGHT_REGISTRY_DOMAIN=registry.example.org |
| 5 | # OVERSIGHT_BEACON_DOMAIN=b.example.org |
| 6 | # OVERSIGHT_OCSP_DOMAIN=ocsp.example.org |
| 7 | # OVERSIGHT_LICENSE_DOMAIN=lic.example.org |
| 8 | # |
| 9 | # Caddy terminates TLS. The registry service stays private on the Compose |
| 10 | # network and is reachable from the host only on the configured loopback bind. |
| 11 | |
| 12 | (registry_upstream) { |
| 13 | reverse_proxy oversight-registry:8765 |
| 14 | } |
| 15 | |
| 16 | (security_headers) { |
| 17 | header { |
| 18 | X-Content-Type-Options nosniff |
| 19 | Referrer-Policy no-referrer |
| 20 | Permissions-Policy interest-cohort=() |
| 21 | } |
| 22 | } |
| 23 | |
| 24 | {$OVERSIGHT_REGISTRY_DOMAIN:registry.oversightprotocol.dev} { |
| 25 | encode zstd gzip |
| 26 | import security_headers |
| 27 | |
| 28 | @registry_read path /health /.well-known/oversight-registry /evidence/* /tlog/* /candidates/semantic |
| 29 | handle @registry_read { |
| 30 | import registry_upstream |
| 31 | } |
| 32 | |
| 33 | @registry_write path /register /attribute |
| 34 | handle @registry_write { |
| 35 | import registry_upstream |
| 36 | } |
| 37 | |
| 38 | @dns_bridge path /dns_event |
| 39 | handle @dns_bridge { |
| 40 | import registry_upstream |
| 41 | } |
| 42 | |
| 43 | handle { |
| 44 | respond 404 |
| 45 | } |
| 46 | |
| 47 | log { |
| 48 | output file /data/registry-access.log { |
| 49 | roll_size 100mb |
| 50 | roll_keep 10 |
| 51 | } |
| 52 | } |
| 53 | } |
| 54 | |
| 55 | {$OVERSIGHT_BEACON_DOMAIN:b.oversightprotocol.dev} { |
| 56 | encode zstd gzip |
| 57 | import security_headers |
| 58 | |
| 59 | handle /p/* { |
| 60 | import registry_upstream |
| 61 | } |
| 62 | |
| 63 | handle { |
| 64 | respond 404 |
| 65 | } |
| 66 | |
| 67 | log { |
| 68 | output file /data/beacon-access.log { |
| 69 | roll_size 100mb |
| 70 | roll_keep 10 |
| 71 | } |
| 72 | } |
| 73 | } |
| 74 | |
| 75 | {$OVERSIGHT_OCSP_DOMAIN:ocsp.oversightprotocol.dev} { |
| 76 | encode zstd gzip |
| 77 | import security_headers |
| 78 | |
| 79 | handle /r/* { |
| 80 | import registry_upstream |
| 81 | } |
| 82 | |
| 83 | handle /ocsp/r/* { |
| 84 | import registry_upstream |
| 85 | } |
| 86 | |
| 87 | handle { |
| 88 | respond 404 |
| 89 | } |
| 90 | } |
| 91 | |
| 92 | {$OVERSIGHT_LICENSE_DOMAIN:lic.oversightprotocol.dev} { |
| 93 | encode zstd gzip |
| 94 | import security_headers |
| 95 | |
| 96 | handle /v/* { |
| 97 | import registry_upstream |
| 98 | } |
| 99 | |
| 100 | handle /lic/v/* { |
| 101 | import registry_upstream |
| 102 | } |
| 103 | |
| 104 | handle { |
| 105 | respond 404 |
| 106 | } |
| 107 | } |