From 0f12c5f5a842823c950f741858d6319313c2f63b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?= Date: Sun, 22 Mar 2026 12:22:00 +0100 Subject: [PATCH] added basic caddy rate limits --- caddy/Caddyfile | 10 ++++++++++ review.md | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 7b3dac7..1af1e86 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -1,3 +1,13 @@ +{ + servers { + timeouts { + read_header 10s + idle 60s + } + max_header_size 16KB + } +} + nextcloud.t-gstone.de { reverse_proxy nextcloud:80 diff --git a/review.md b/review.md index 617227e..19778f3 100644 --- a/review.md +++ b/review.md @@ -9,6 +9,6 @@ | 5 | High | `scripts/restore.sh:68` | `psql -U nextcloud` hardcodes DB username instead of reading from env | DONE | | 6 | High | `scripts/deploy.sh:13` | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation | DONE | | 7 | Medium | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access | DONE | -| 8 | Medium | `caddy/Caddyfile` | No rate limiting configured at the reverse proxy layer | TODO | +| 8 | Medium | `caddy/Caddyfile` | No rate limiting configured at the reverse proxy layer | DONE | | 9 | Low | `gitea/docker-compose.yml` | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does | TODO | | 10 | Low | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version | TODO |