samermassoud · November 15, 2022 07:23 · Nov 15, 2022 · Nov 15, 2022
diff --git a/Caddyfile b/Caddyfile
@@ -0,0 +1,118 @@
+#--------------------------------------------------------------
+#	snippet - logging
+#--------------------------------------------------------------
+#define logging
+(logging) {
+        log {
+                level debug
+                output file /var/log/caddy/{args.0}.log {
+                        roll_size 20mb
+                        roll_keep 30
+                }
+        }
+}
+#-----------------------------------------------------------------
+#	snippet - headers up
+#----------------------------------------------------------------
+
+# Add forward headers to requests
+(reqheaders) {
+      header_up X-Forwarded-Ssl on
+      header_up Host {http.request.host}
+      header_up X-Real-IP {http.request.remote}
+      header_up X-Forwarded-For {header.X-Forwarded-For}
+      header_up X-Forwarded-Port {http.request.port}
+      header_up X-Forwarded-Proto {http.request.scheme}  # included by default in Caddy 2
+      header_up X-Url-Scheme {http.request.scheme}
+      header_up X-Forwarded-Host {http.request.host}
+
+
+
+  }
+
+#-----------------------------------------------------------------
+#	snippet - headers down
+#----------------------------------------------------------------
+
+# add-modify response  headers going to client
+(responseheader) {
+
+        header {
+
+                -x-content-encoded-by
+
+                # Cache Control
+                #-Cache-Control
+                -Pragma
+                Cache-Control public, max-age=31536000
+                #defer
+                # disable FLoC tracking
+                Permissions-Policy interest-cohort=()
+
+                # enable HSTS
+                Strict-Transport-Security max-age=31536000;
+
+                # disable clients from sniffing the media type
+                X-Content-Type-Options nosniff
+
+                # clickjacking protection
+                #-X-Freme-Options
+                #X-Frame-Options DENY
+
+                # keep referrer data off of HTTP connections
+                Referrer-Policy no-referrer-when-downgrade
+                -Server
+                Server "frontliner 1"
+
+                -x-powered-by
+
+        }
+
+   }
+
+
+#-----------------------------------------------------------------
+#	snippet - tls config
+#----------------------------------------------------------------
+(tlsconfig) {
+         tls admin@<example.com> {
+                key_type p384
+                curves secp384r1
+		protocols tls1.2 tls1.3
+                ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+                ca https://acme-v02.api.letsencrypt.org/directory
+                #ca https://acme-staging-v02.api.letsencrypt.org/directory
+        }
+ }
+
+
+
+
+#-----------------------------------------------------------------
+#	www.<example.com>
+#----------------------------------------------------------------
+www.<example.com> {
+	import tlsconfig
+        redir https://<example.com>
+}
+
+#-----------------------------------------------------------------
+#	<example.com>
+#----------------------------------------------------------------
+<example.com> {
+        import tlsconfig
+	import logging <example.com>
+        import responseheader
+
+        # www server 
+        #reverse_proxy wordpress:8443 
+         reverse_proxy {
+                to https://wordpress:8443
+	#	to http://wordpress:8080
+                import reqheaders
+                transport http {
+			tls_insecure_skip_verify
+                }
+        }
+
+}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,64 @@
+version: '3.8'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.8-debian-11
+    restart: unless-stopped
+    ports:
+      - 3306:3306  
+    volumes:
+      - /mnt/wordpress/mariadb:/bitnami/mariadb
+      - /mnt/wordpress/mariadb/my_custom.cnf:/opt/bitnami/mariadb/conf/my_custom.cnf:ro
+    environment:
+      - MARIADB_SKIP_TEST_DB=yes
+      - MARIADB_ROOT_USER=root
+      - MARIADB_ROOT_PASSWORD=<root password>
+      - MARIADB_DATABASE=<database name>
+      - MARIADB_USER=<user>
+      - MARIADB_PASSWORD=<password>
+    healthcheck:
+      test: ['CMD', '/opt/bitnami/scripts/mariadb/healthcheck.sh']
+      interval: 15s
+      timeout: 5s
+      retries: 6
+  wordpress:
+    image: docker.io/bitnami/wordpress:latest
+    restart: unless-stopped 
+    ports:
+      - 8080:8080
+      - 8443:8443
+    volumes:
+      - /mnt/wordpress/wordpress:/bitnami/wordpress
+    depends_on:
+      mariadb:
+        condition: service_healthy
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - APACHE_HTTP_PORT_NUMBER=8080
+      - APACHE_HTTPS_PORT_NUMBER=8443
+      - PHP_UPLOAD_MAX_FILESIZE=512M
+      - PHP_POST_MAX_SIZE=512M
+      - WORDPRESS_SCHEME=https
+      - WORDPRESS_ENABLE_HTTPS=yes
+      - HTTP_HOST=<example.com>
+      - WORDPRESS_SKIP_BOOTSTRAP=no
+      - WORDPRESS_AUTO_UPDATE_LEVEL=minor
+      - WORDPRESS_PLUGINS=none
+      - WORDPRESS_TABLE_PREFIX=wp_  
+      - WORDPRESS_DATABASE_HOST=mariadb
+      - WORDPRESS_DATABASE_PORT_NUMBER=3306
+      - WORDPRESS_DATABASE_USER=<user>
+      - WORDPRESS_DATABASE_NAME=<database>
+      - WORDPRESS_DATABASE_PASSWORD=<password>
+      - WORDPRESS_ENABLE_REVERSE_PROXY=yes  
+  caddy:
+    image: caddy:alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - /mnt/wordpress/caddy/Caddyfile:/etc/caddy/Caddyfile
+      - /mnt/wordpress/caddy/site:/srv
+      - /mnt/wordpress/caddy/data:/data
+      - /mnt/wordpress/caddy/config:/config