Part-DB-server/.docker/frankenphp/Caddyfile

{
	{$CADDY_GLOBAL_OPTIONS}

	frankenphp {
		{$FRANKENPHP_CONFIG}
	}

	# https://caddyserver.com/docs/caddyfile/directives#sorting-algorithm
	order mercure after encode
	order vulcain after reverse_proxy
	order php_server before file_server
}

{$CADDY_EXTRA_CONFIG}

{$SERVER_NAME:localhost} {
	log {
		# Redact the authorization query parameter that can be set by Mercure
		format filter {
			wrap console
			fields {
				uri query {
					replace authorization REDACTED
				}
			}
		}
	}

	root * /app/public
	encode zstd br gzip

	mercure {
		# Transport to use (default to Bolt)
		transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
		# Publisher JWT key
		publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
		# Subscriber JWT key
		subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
		# Allow anonymous subscribers (double-check that it's what you want)
		anonymous
		# Enable the subscription API (double-check that it's what you want)
		subscriptions
		# Extra directives
		{$MERCURE_EXTRA_DIRECTIVES}
	}

	vulcain

	{$CADDY_SERVER_EXTRA_DIRECTIVES}

	# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
	header ?Permissions-Policy "browsing-topics=()"

	# Set a strict CSP and nosniff for all static assets not handled by PHP.
	# ? means "set only if not already present", so PHP responses carrying a Nelmio CSP are left untouched.
	header ?Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;"
	header ?X-Content-Type-Options "nosniff"

	# SVG files get a slightly different CSP because they can embed resources and must not be framed.
	@svg path *.svg *.svg.gz *.svg.br
	header @svg Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; sandbox;"

	# Prevent PHP execution in the media upload directory
	@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$
	respond @php_in_media 403

	php_server
}
Added files from frankenphp symfony skeleton 2024-03-10 18:05:21 +01:00			`{`
			`{$CADDY_GLOBAL_OPTIONS}`

			`frankenphp {`
			`{$FRANKENPHP_CONFIG}`
			`}`

			`# https://caddyserver.com/docs/caddyfile/directives#sorting-algorithm`
			`order mercure after encode`
			`order vulcain after reverse_proxy`
			`order php_server before file_server`
			`}`

			`{$CADDY_EXTRA_CONFIG}`

			`{$SERVER_NAME:localhost} {`
			`log {`
			`# Redact the authorization query parameter that can be set by Mercure`
			`format filter {`
			`wrap console`
			`fields {`
			`uri query {`
			`replace authorization REDACTED`
			`}`
			`}`
			`}`
			`}`

			`root * /app/public`
			`encode zstd br gzip`

			`mercure {`
			`# Transport to use (default to Bolt)`
			`transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}`
			`# Publisher JWT key`
			`publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}`
			`# Subscriber JWT key`
			`subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}`
			`# Allow anonymous subscribers (double-check that it's what you want)`
			`anonymous`
			`# Enable the subscription API (double-check that it's what you want)`
			`subscriptions`
			`# Extra directives`
			`{$MERCURE_EXTRA_DIRECTIVES}`
			`}`

			`vulcain`

			`{$CADDY_SERVER_EXTRA_DIRECTIVES}`

			`# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics`
			`header ?Permissions-Policy "browsing-topics=()"`

Set CSP policy for static assets for security hardeninng 2026-06-20 23:42:01 +02:00			`# Set a strict CSP and nosniff for all static assets not handled by PHP.`
			`# ? means "set only if not already present", so PHP responses carrying a Nelmio CSP are left untouched.`
			`header ?Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;"`
			`header ?X-Content-Type-Options "nosniff"`

			`# SVG files get a slightly different CSP because they can embed resources and must not be framed.`
			`@svg path .svg .svg.gz *.svg.br`
			`header @svg Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; sandbox;"`

Block access to all php and phar files that are uploaded into the media folder 2026-06-07 20:40:15 +02:00			`# Prevent PHP execution in the media upload directory`
			`@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?\|phar\|phtml\|pht\|phps)$`
			`respond @php_in_media 403`

Added files from frankenphp symfony skeleton 2024-03-10 18:05:21 +01:00			`php_server`
			`}`