feat(caddy): add tls internal vhosts for upstream mirror hosts
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,9 @@
|
||||
# auto_https off would disable TLS entirely, breaking `tls internal` for the
|
||||
# air-gap mirror vhosts. disable_redirects keeps the apex/auth/packwiz sites
|
||||
# plaintext on :80 (they use explicit http://) while still allowing internal
|
||||
# TLS on the mirror hosts below.
|
||||
{
|
||||
auto_https off
|
||||
auto_https disable_redirects
|
||||
}
|
||||
|
||||
http://{$BASE_DOMAIN} {
|
||||
@@ -15,3 +19,13 @@ http://packwiz.{$BASE_DOMAIN} {
|
||||
root * /srv/pack
|
||||
file_server browse
|
||||
}
|
||||
|
||||
# Full client air-gap mirror (see plan/11-full-airgap-mirror.md): byte-exact
|
||||
# copies of the real upstream hosts served over HTTPS with Caddy's local CA.
|
||||
# dnsmasq spoofs these hostnames -> our host; the {host} placeholder roots each
|
||||
# hostname at its own mirror subtree. Guests import the Caddy root CA once.
|
||||
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
|
||||
tls internal
|
||||
root * /srv/mirror/{host}
|
||||
file_server
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user