Lovely, thank you!
For anyone watching / the future / my future self, here’s the final thing for now:
```
{
	{$CADDY_GLOBAL_OPTIONS}
	admin localhost:{$CADDY_SERVER_ADMIN_PORT}
	frankenphp {
		worker "{$APP_PUBLIC_PATH}/frankenphp-worker.php" {$CADDY_SERVER_WORKER_COUNT}
	}
}

{$CADDY_SERVER_SERVER_NAME} {
	log {
		level {$CADDY_SERVER_LOG_LEVEL}
		# Redact the authorization query parameter that can be set by Mercure...
		format filter {
			wrap {$CADDY_SERVER_LOGGER}
			fields {
				uri query {
					replace authorization REDACTED
				}
			}
		}
	}

	route {
		root * "{$APP_PUBLIC_PATH}"
		encode zstd br gzip

		# Mercure configuration is injected here...
		{$CADDY_SERVER_EXTRA_DIRECTIVES}

		@static {
			file
			path *.js *.css *.jpg *.jpeg *.gif *.png *.ico *.cur *.gz *.svg *.svgz *.mp4 *.mp3 *.ogg *.ogv *.webm *.htc *.woff2 *.woff
		}
		@staticshort {
			file
			path *.json *.xml *.rss
		}

		# 1 year, similar to h5bp nginx config
		header @static Cache-Control "public, immutable, stale-while-revalidate, max-age=31536000"
		# 1 hour max, gets validated with the origin server
		# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#no-cache
		header @staticshort Cache-Control "no-cache, max-age=3600"

		# Restrict access to dot files and certain file extensions
		@rejected `path('*.bak', '*.conf', '*.dist', '*.fla', '*.ini', '*.inc', '*.inci', '*.log', '*.orig', '*.psd', '*.sh', '*.sql', '*.swo', '*.swp', '*.swop', '*/.*') && !path('*/.well-known/')`
		error @rejected 401

		php_server {
			index frankenphp-worker.php
			# Required for the public/storage/ directory...
			resolve_root_symlink
		}
	}
}
```
This gets (not totally, but pretty close) on par with H5BP's nginx configuration for caching + secure file access.
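An added offline check of the `@rejected` matcher above (example code, not from the post or from Caddy): it approximates Caddy's path matcher with shell-style globs, assuming `*` also matches `/` and matching is case-insensitive, so you can see which request paths the rule would send to `error 401` before deploying; confirm the results, especially for paths below `.well-known/`, against the running server.

```python
"""Offline triage of the @rejected matcher from the Caddyfile above.

Added example, not part of the original post. Caddy's path matcher is
approximated with fnmatch globs (assumption: '*' matches across '/',
matching is case-insensitive); verify against a live server with curl.
"""
import fnmatch

# Globs copied from the `@rejected` matcher expression in the Caddyfile.
REJECTED_GLOBS = [
    '*.bak', '*.conf', '*.dist', '*.fla', '*.ini', '*.inc', '*.inci',
    '*.log', '*.orig', '*.psd', '*.sh', '*.sql', '*.swo', '*.swp',
    '*.swop', '*/.*',
]
# The `!path(...)` exception from the same expression.
ALLOW_GLOBS = ['*/.well-known/']


def _glob_any(path: str, globs) -> bool:
    """Case-insensitive glob test; fnmatch's '*' does not stop at '/'."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, g.lower()) for g in globs)


def is_rejected(path: str) -> bool:
    """True when the request path would hit `error @rejected 401`."""
    return _glob_any(path, REJECTED_GLOBS) and not _glob_any(path, ALLOW_GLOBS)


def triage(paths) -> dict:
    """Map each sample path to the outcome the matcher would produce."""
    return {p: ('401' if is_rejected(p) else 'served') for p in paths}


# Constructed sample request paths, covering dot-files, extension
# matches, mixed case and the .well-known exception.
SAMPLE_PATHS = [
    '/.env', '/.git/HEAD', '/app/config.INI', '/backup.sql',
    '/assets/app.js', '/docs/readme.md', '/.well-known/',
    '/.well-known/acme-challenge/token',  # literal glob: no exemption
]

if __name__ == '__main__':
    for path, outcome in triage(SAMPLE_PATHS).items():
        print(f'{outcome:6} {path}')
```

Under literal glob semantics the last sample path is still rejected, because `*/.well-known/` only matches paths that end in `/.well-known/`; that is the case most worth checking on the real server.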