Hey there everyone,
First of all thank you all so much for your help the other day getting the SSL certificate sorted in my original post here. So grateful so many people chimed in with helpful responses - I’ve learned a lot.
That said a good chuck of you guys suggested it was crazy I was using apache when caddy was an option. It looks really great and I think I get the basic concept - but I’m having a bit of trouble porting my apache config over. If you have some free time and don’t mind, could I get some suggestions on how to get things running smoothly on caddy?
Here are some of the parameters I’m working with:
- I’ve moved my site directories to /var/www/ (for example /var/www/makearmy.io.lemmy/)
- A good chuck of our web presence runs on varying php versions, most are running php83
- Note example.whatever.FT directories are running formtools which requires php74
Here are links to my configs:
- httpd.conf
- httpd-vhosts.conf
- httpd-ssl.conf
- Caddyfile (just getting it started)
Any suggestions at all on how to proceed are welcome! Thanks for your input and feedback. It’s been really hard since my buddy passed away and you guys have been a massive help reclaiming our business server he ran for us. Sincerely appreciate your time.
You’re using something in front of caddy right?
Atleast refuse basic headers and close connections
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; server { listen 80 default_server; listen [::]:80 default_server; listen 443 default_server; listen [::]:443 default_server; ssl_certificate certs/server.cert; ssl_certificate_key certs/server.key; server_name _; return 444; #CONNECTION CLOSED WITHOUT RESPONSE }Copy that. Some people have recommended cloudflare I’m looking into it.
Cloudflare tunnels are cheap(free if it’s just a couple), simple, and really great.
Thank you for the resource, I’ll employ it for sure.
Mang, you reeeeeaaallly shouldn’t be posted unredacted service configs on the interwebs.
What info should be redacted 👀 I didn’t realize any of this was particularly sensitive?
Ports, any NAT, internal IPs. The first part of an organized attack is getting environment enumeration down. If a bad actor can map your network they can more efficiently direct their attack.
Thanks for letting me know!
There’s nothing bad per se, but obviously not sharing the inner workings of your internet facing server is just another step to protect yourself.
You mention in the OP this is for a business, my opinion you should be working on a professional resource/developer to manage this for you and not random Lemmy users.
On the use of Caddy, your configs here host a lot of sites with many specific configurations, I’m not sure caddy can support all of this. nginx is the tool of choice for a wide majority of the internet for a good reason.
Okay good feedback thank you I’ll look at nginx too. As far as the professional goes - unfortunately times are tough - budget is tight, but I will look into it long term to shore things up when we’re a little more settled. Going to have to do my best on my own for now.
It can provide useful info for an attacker. I don’t see anything particularly sensitive in these files though.
Thank you for sharing, appreciated.
