{ # Global options - works for both environments email {$LETSENCRYPT_EMAIL} } # Import TLS snippet (must be before service blocks) # Default: Let's Encrypt automatic certificates # Custom: Run 'make setup-tls' to use your own certificates import /etc/caddy/addons/tls-snippet.conf # Appsmith {$APPSMITH_HOSTNAME} { import service_tls reverse_proxy appsmith:80 } # N8N {$N8N_HOSTNAME} { import service_tls reverse_proxy n8n:5678 } # Open WebUI {$WEBUI_HOSTNAME} { import service_tls reverse_proxy open-webui:8080 } # Flowise {$FLOWISE_HOSTNAME} { import service_tls reverse_proxy flowise:3001 } # Dify {$DIFY_HOSTNAME} { import service_tls reverse_proxy nginx:80 } # RAGApp {$RAGAPP_HOSTNAME} { import service_tls basic_auth { {$RAGAPP_USERNAME} {$RAGAPP_PASSWORD_HASH} } reverse_proxy ragapp:8000 } # RAGFlow {$RAGFLOW_HOSTNAME} { import service_tls reverse_proxy ragflow:80 } # Langfuse {$LANGFUSE_HOSTNAME} { import service_tls reverse_proxy langfuse-web:3000 } # Supabase {$SUPABASE_HOSTNAME} { import service_tls reverse_proxy kong:8000 } # Grafana {$GRAFANA_HOSTNAME} { import service_tls reverse_proxy grafana:3000 } # WAHA (WhatsApp HTTP API) {$WAHA_HOSTNAME} { import service_tls reverse_proxy waha:3000 } # Prometheus {$PROMETHEUS_HOSTNAME} { import service_tls basic_auth { {$PROMETHEUS_USERNAME} {$PROMETHEUS_PASSWORD_HASH} } reverse_proxy prometheus:9090 } # Portainer {$PORTAINER_HOSTNAME} { import service_tls reverse_proxy portainer:9000 } # Postiz {$POSTIZ_HOSTNAME} { import service_tls reverse_proxy postiz:5000 } # Temporal UI (workflow orchestration for Postiz) {$TEMPORAL_UI_HOSTNAME} { import service_tls basic_auth { {$TEMPORAL_UI_USERNAME} {$TEMPORAL_UI_PASSWORD_HASH} } reverse_proxy temporal-ui:8080 } # Databasus {$DATABASUS_HOSTNAME} { import service_tls reverse_proxy databasus:4005 } # Letta {$LETTA_HOSTNAME} { import service_tls reverse_proxy letta:8283 } # LightRAG (Graph-based RAG with Knowledge Extraction) {$LIGHTRAG_HOSTNAME} { import service_tls reverse_proxy lightrag:9621 } # Weaviate {$WEAVIATE_HOSTNAME} { import service_tls reverse_proxy weaviate:8080 } # Qdrant {$QDRANT_HOSTNAME} { import service_tls reverse_proxy qdrant:6333 } # ComfyUI {$COMFYUI_HOSTNAME} { import service_tls basic_auth { {$COMFYUI_USERNAME} {$COMFYUI_PASSWORD_HASH} } reverse_proxy comfyui:8188 } # LibreTranslate (Self-hosted Translation API) {$LT_HOSTNAME} { import service_tls basic_auth { {$LT_USERNAME} {$LT_PASSWORD_HASH} } reverse_proxy libretranslate:5000 } # Neo4j {$NEO4J_HOSTNAME} { import service_tls reverse_proxy neo4j:7474 } # Neo4j Bolt Protocol (wss) https://{$NEO4J_HOSTNAME}:7687 { import service_tls reverse_proxy neo4j:7687 } # NocoDB {$NOCODB_HOSTNAME} { import service_tls reverse_proxy nocodb:8080 } # PaddleOCR (PaddleX Basic Serving) {$PADDLEOCR_HOSTNAME} { import service_tls basic_auth { {$PADDLEOCR_USERNAME} {$PADDLEOCR_PASSWORD_HASH} } reverse_proxy paddleocr:8080 } # Docling (Document Conversion API) {$DOCLING_HOSTNAME} { import service_tls basic_auth { {$DOCLING_USERNAME} {$DOCLING_PASSWORD_HASH} } reverse_proxy docling:5001 } # Welcome Page (Post-install dashboard) # HTTP block for Cloudflare Tunnel access (prevents redirect loop) http://{$WELCOME_HOSTNAME} { basic_auth { {$WELCOME_USERNAME} {$WELCOME_PASSWORD_HASH} } root * /srv/welcome file_server try_files {path} /index.html } # HTTPS block for direct access {$WELCOME_HOSTNAME} { import service_tls basic_auth { {$WELCOME_USERNAME} {$WELCOME_PASSWORD_HASH} } root * /srv/welcome file_server try_files {path} /index.html } # Import custom site addons import /etc/caddy/addons/site-*.conf # SearXNG {$SEARXNG_HOSTNAME} { import service_tls @protected not remote_ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 basic_auth @protected { {$SEARXNG_USERNAME} {$SEARXNG_PASSWORD_HASH} } encode zstd gzip @api { path /config path /healthz path /stats/errors path /stats/checker } @search { path /search } @imageproxy { path /image_proxy } @static { path /static/* } header { # CSP (https://content-security-policy.com) Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;" # Disable some browser features Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()" # Set referrer policy Referrer-Policy "no-referrer" # Force clients to use HTTPS Strict-Transport-Security "max-age=31536000" # Prevent MIME type sniffing from the declared Content-Type X-Content-Type-Options "nosniff" # X-Robots-Tag (comment to allow site indexing) X-Robots-Tag "noindex, noarchive, nofollow" # Remove "Server" header -Server } header @api { Access-Control-Allow-Methods "GET, OPTIONS" Access-Control-Allow-Origin "*" } route { # Cache policy header Cache-Control "max-age=0, no-store" header @search Cache-Control "max-age=5, private" header @imageproxy Cache-Control "max-age=604800, public" header @static Cache-Control "max-age=31536000, public, immutable" } # SearXNG (uWSGI) reverse_proxy searxng:8080 { header_up X-Forwarded-Port {http.request.port} header_up X-Real-IP {http.request.remote.host} # https://github.com/searx/searx-docker/issues/24 header_up Connection "close" } }