diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile index 4aa3346f740386..192f07136a8f28 100644 --- a/components/proxy/conf/Caddyfile +++ b/components/proxy/conf/Caddyfile @@ -12,15 +12,15 @@ # configure plugin order # https://caddyserver.com/docs/caddyfile/directives#directive-order - order gitpod.cors_origin before header - order gitpod.workspace_download before redir - order gitpod.headless_log_download before rewrite - order gitpod.configcat before rewrite - order gitpod.sec_websocket_key before header + order gitpod.cors_origin before header + order gitpod.workspace_download before redir + order gitpod.headless_log_download before rewrite + order gitpod.configcat before rewrite + order gitpod.sec_websocket_key before header servers { - protocols h1 h2 h2c - } + protocols h1 h2 h2c + } } (compression) { @@ -31,15 +31,15 @@ (security_headers) { header { # enable HSTS - Strict-Transport-Security max-age=31536000 + Strict-Transport-Security max-age=31536000 # disable clients from sniffing the media type - X-Content-Type-Options nosniff + X-Content-Type-Options nosniff # Define valid parents that may embed a page - Content-Security-Policy "frame-ancestors 'self' https://*.{$GITPOD_DOMAIN} https://{$GITPOD_DOMAIN}" + Content-Security-Policy "frame-ancestors 'self' https://*.{$GITPOD_DOMAIN} https://{$GITPOD_DOMAIN}" # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade + Referrer-Policy no-referrer-when-downgrade # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" + X-XSS-Protection "1; mode=block" defer # delay changes } @@ -143,10 +143,10 @@ # public-api api.{$GITPOD_DOMAIN} { - log { - level DEBUG - output stdout - } + log { + level DEBUG + output stdout + } gitpod.cors_origin { allowed_origins https://{$GITPOD_DOMAIN} 
@@ -155,7 +155,6 @@ api.{$GITPOD_DOMAIN} { reverse_proxy public-api-server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9002 } - # always redirect to HTTPS http:// { redir https://{host}{uri} permanent @@ -206,15 +205,28 @@ https://{$GITPOD_DOMAIN} { } @backend_wss { - path /api/gitpod + path /api/gitpod } handle @backend_wss { - gitpod.sec_websocket_key + gitpod.sec_websocket_key + + @slow { + header "Sec-WebSocket-Protocol" "slow-database" + } + + @fast { + not header "Sec-WebSocket-Protocol" "slow-database" + } + + uri strip_prefix /api + + reverse_proxy @fast server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000 { + import upstream_headers + } - uri strip_prefix /api - reverse_proxy server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000 { - import upstream_headers - } + reverse_proxy @slow slow-server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000 { + import upstream_headers + } } @backend path /api/* /headless-logs/* @@ -309,7 +321,7 @@ https://*.*.{$GITPOD_DOMAIN} { import workspace_transport import upstream_headers - header_up X-WSProxy-Host {http.request.host} + header_up X-WSProxy-Host {http.request.host} } } @@ -320,19 +332,19 @@ https://*.*.{$GITPOD_DOMAIN} { import upstream_headers header_up X-Gitpod-WorkspaceId {re.host.workspaceID} - header_up X-Gitpod-Port {re.host.workspacePort} - header_up X-WSProxy-Host {http.request.host} + header_up X-Gitpod-Port {re.host.workspacePort} + header_up X-WSProxy-Host {http.request.host} } } - @workspace header_regexp host Host ^(?P[a-z0-9][0-9a-z\-]+).ws(?P-[a-z0-9]+)?.{$GITPOD_DOMAIN} + @workspace header_regexp host Host ^(?P[a-z0-9][0-9a-z\-]+).ws(?P-[a-z0-9]+)?.{$GITPOD_DOMAIN} handle @workspace { reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 { import workspace_transport import upstream_headers header_up X-Gitpod-WorkspaceId {re.host.workspaceID} - header_up X-WSProxy-Host {http.request.host} + header_up X-WSProxy-Host {http.request.host} } }
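Review bot: In the `handle @backend_wss` block the choice between `server` and `slow-server` is keyed on the client-supplied `Sec-WebSocket-Protocol: slow-database` value, so any caller can steer its own socket onto either backend; that is only safe if `slow-server` enforces exactly the same authentication and authorization as `server`, and nothing in the hunk records that assumption. I would add above the `@slow` matcher: `# Sec-WebSocket-Protocol is client-controlled: it only selects which backend terminates the socket and must never widen what the caller may do — slow-server has to apply the same auth as server`. Note also that Caddy's `header` matcher compares field values exactly, so (if I read the matcher right) a client that offers several subprotocols in one field, e.g. `slow-database, other`, falls through `@fast` to the regular backend rather than `slow-server`; if that is unintended, a prefix form such as `header "Sec-WebSocket-Protocol" "slow-database*"` or a `header_regexp` matcher would be needed. The enclosing `https://{$GITPOD_DOMAIN}` site block starts and ends outside this hunk.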