
Commit a5c70e0

committed
chore(deploy): add rate limiting and session nonce injection
1 parent c2ed92a commit a5c70e0


2 files changed

+41
-13
lines changed


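--- a/deploy/Caddyfile
+++ b/deploy/Caddyfile
@@ -1,15 +1,41 @@
+{
+order rate_limit before basicauth
+}
+
 :8080 {
-# HTML page served by backend (injects session nonce)
+# HTML page: Caddy templates inject base path + session nonce
 @htmlpage {
 path /
 path /index.html
 }
 handle @htmlpage {
+templates
+root * /app/frontend/dist
+rewrite * /index.html
+file_server
+}
+
+# Session endpoint: 5 req/min per IP
+handle /api/session {
+rate_limit {
+zone session {
+key {remote_host}
+events 5
+window 1m
+}
+}
 reverse_proxy localhost:{$BACKEND_PORT:8081}
 }
 
-# API endpoints proxied to backend
+# API endpoints: 30 req/min per IP
 handle /api/* {
+rate_limit {
+zone api {
+key {remote_host}
+events 30
+window 1m
+}
+}
 reverse_proxy localhost:{$BACKEND_PORT:8081}
 }
 
@@ -19,4 +45,3 @@
 file_server
 }
 }
-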
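Review bot: Both new `rate_limit` zones key on `{remote_host}`, which is the TCP peer address; if Caddy is deployed behind another proxy or load balancer (the `X-Base-Path` header handling elsewhere in this commit suggests one), every user arrives from the proxy's IP and shares a single 5 req/min bucket on `/api/session`, and nothing in the hunk validates a forwarded client address. The usual fix is to declare the front proxy in the global options, `servers { trusted_proxies static <PROXY_CIDR> }`, and key both zones on `key {client_ip}`, which Caddy derives from the forwarded header only for trusted sources and otherwise falls back to the peer address. If Caddy is exposed directly, `{remote_host}` is the right key and the `zone` blocks just deserve a comment saying so. Separately, the nonce now comes from `http.request.uuid`, a per-request value generated by Caddy; the hunk does not show how the backend learns it, so whatever checks the session nonce presumably needs it forwarded on the `reverse_proxy` — worth confirming.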
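--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -1,24 +1,27 @@
-# Stage 1: Build frontend
+# Stage 1: Build custom Caddy with rate limiting module
+FROM golang:1.25-alpine AS caddy-builder
+WORKDIR /build
+RUN go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+RUN xcaddy build --with github.com/mholt/caddy-ratelimit
+# Binary output: /build/caddy
+
+# Stage 2: Build frontend
 FROM node:24-slim AS frontend-builder
 RUN corepack enable
 WORKDIR /build
 COPY frontend/package.json frontend/pnpm-lock.yaml ./frontend/
 RUN cd frontend && pnpm install --frozen-lockfile
 COPY frontend/ ./frontend/
 RUN cd frontend && pnpm build
+# Inject Caddy template directives for subpath base path + session nonce
+RUN sed -i 's|<head>|<head>\n <base href="{{ .Req.Header.Get "X-Base-Path" }}">\n <meta name="session-nonce" content="{{ placeholder "http.request.uuid" }}">|' ./frontend/dist/index.html
 
-# Stage 2: Runtime
+# Stage 3: Runtime
 FROM node:24-slim
 RUN corepack enable
 
-# Install Caddy
-RUN apt-get update && \
-apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl && \
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg && \
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list && \
-apt-get update && \
-apt-get install -y caddy && \
-apt-get clean && rm -rf /var/lib/apt/lists/*
+# Copy custom Caddy binary
+COPY --from=caddy-builder /build/caddy /usr/bin/caddy
 
 WORKDIR /app
 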
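Review bot: The new `sed` line in the frontend stage interpolates the request header `X-Base-Path` into `<base href="...">` with no escaping; Caddy's `templates` directive uses Go text/template, so the value is emitted verbatim, and unless a trusted front proxy always sets or overwrites that header, a client can supply its own value for the base URL of the page it requested. At minimum pipe it through the built-in escaper, `{{ .Req.Header.Get "X-Base-Path" | html }}`, and make sure the header is only honoured when it comes from the upstream proxy (strip it from client requests in the Caddyfile), since escaping prevents breaking out of the attribute but does not constrain the URL itself. Separately, the `caddy-builder` stage is not reproducible: `xcaddy@latest`, `xcaddy build` with no Caddy version, and `--with github.com/mholt/caddy-ratelimit` with no version all resolve to whatever is newest at build time, so pin them, e.g. `RUN go install github.com/caddyserver/xcaddy/cmd/xcaddy@<XCADDY_VERSION>` and `RUN xcaddy build <CADDY_VERSION> --with github.com/mholt/caddy-ratelimit@<PLUGIN_VERSION>`. The runtime stage still has no `USER` directive, but that is pre-existing rather than introduced by this change.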