h5bp / server-configs

Boilerplate configurations for various web servers.

Create a H5BP boilerplate for Caddy server #180

Open dpantel opened 7 months ago

dpantel commented 7 months ago

Any thoughts on making a boilerplate config for Caddy server?

In my experience, Caddy is too easy to get up and running, but in reality is very complex in the way it works with a lot of "gotchas" that are horribly documented. A curated boilerplate to harden an installation would be nice.

LeoColomb commented 7 months ago

Thanks for opening this discussion @dpantel. I had already studied the feasibility of such a boilerplate for Caddy, but its configuration appeared to have too few parameters for an H5BP-style boilerplate. To be clear: H5BP is not tailored to help to configure host endpoints for a server, but more to match web standards globally (like MIME-types, compression style, HTTP headers). I might be wrong, but I don't think this is reasonably doable/relevant for Caddy.

What do you think?

dpantel commented 7 months ago

> but its configuration appeared to have too little parameters for an H5BP-style boilerplate.

I am not sure what this line means.

As a newer browser, I think it's possible that Caddy is better at handling HTML5-related standards. But from past experience, and by browsing the repos today, I see that you guys also provide some security/hardening recommendations.

Caddy has some of those kinds of recommendations too:

https://caddyserver.com/docs/caddyfile/directives/header#examples
https://dev.to/mariinkys/caddy-basic-configuration-193j
https://paulbradley.dev/caddyfile-web-security-headers/

There is also room for other hardening options, such as restricting access to .git/ and the like.

I think those types of options are in the H5BP wheelhouse.
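The two hardening points raised in this comment (security headers and denying access to `.git/`) expressed as a Caddyfile site block. This is an added illustration, not code from the h5bp project or from the commenter; the site name `example.com`, the document root and the exact header values are assumptions, and the header list follows what the linked Caddy docs describe rather than any H5BP-reviewed set.

```caddyfile
# Assumed site name and document root (example values, not from the issue).
example.com {
	root * /var/www/example
	encode gzip zstd

	# Deny access to .git/ and other dot-directories before the file server
	# can serve them. The matcher name @hidden is an arbitrary label.
	# /.well-known/ is excluded so ACME challenges and similar still work.
	@hidden {
		path /.*
		not path /.well-known/*
	}
	respond @hidden 403

	# Baseline security headers, roughly in the spirit of the H5BP
	# Nginx/Apache configs. Values here are assumptions; tune per site.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "strict-origin-when-cross-origin"
		Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
		# Strip the Server banner rather than advertise the version.
		-Server
	}

	file_server
}
```

After loading the config, a request for `/.git/config` should return 403 while `/.well-known/...` is still reachable; `caddy validate --config Caddyfile` checks the syntax without starting the server.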

LeoColomb commented 7 months ago

Oh ok, I guess my previous investigation around that is a bit dated now! 😅 That sounds interesting. Would you volunteer to join us building this boilerplate?

@roblarsen Would it be possible to create a new repository named server-configs-caddy (and its related team)? Maybe private for now.

dpantel commented 7 months ago

I am not opposed to helping, but my knowledge in this arena is pretty limited. That’s why I wanted you to build a boilerplate in the first place :)

dpantel commented 7 months ago

I let the invitation expire, sorry