From d4f54208752cef687fb6b61515a1cd7a8693d999 Mon Sep 17 00:00:00 2001 From: Catherine Date: Sun, 21 Sep 2025 09:38:23 +0000 Subject: [PATCH] Configure Caddy to use HTTP/3. Also, add `Alt-Svc:` headers for both H2 and H3. --- Dockerfile | 5 ++--- conf/Caddyfile | 46 ++++++++++++++++++++++++++++--------------- conf/supervisord.conf | 2 +- fly.toml | 9 +++++++++ 4 files changed, 42 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index c2aee91..a55d63b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,13 +35,12 @@ WORKDIR /app RUN mkdir /app/data COPY conf/supervisord.conf /app/supervisord.conf COPY conf/Caddyfile /app/Caddyfile -RUN caddy adapt -c Caddyfile -p >/app/caddy.json COPY conf/config.toml.example /app/config.toml # Caddy ports: -EXPOSE 80 443 2019 +EXPOSE 80/tcp 443/tcp 443/udp 2019/tcp # git-pages ports: -EXPOSE 3000 3001 3002 +EXPOSE 3000/tcp 3001/tcp 3002/tcp # While the default command is to run git-pages standalone, the intended configuration # is to use it with Caddy and store both site data and credentials to an S3-compatible diff --git a/conf/Caddyfile b/conf/Caddyfile index 5f46415..2fd9ce6 100644 --- a/conf/Caddyfile +++ b/conf/Caddyfile 
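Review bot: With the `RUN caddy adapt -c Caddyfile -p >/app/caddy.json` step removed, nothing in the image build parses `conf/Caddyfile` any more, so a syntax error would first surface when the container starts. The step presumably had to go because the new `{$UDP_BIND_TO:...}` placeholders are substituted when the file is adapted, but the parse check can stay without keeping its output: `RUN caddy adapt -c Caddyfile >/dev/null`. Separately, the rewritten `EXPOSE` line still lists `2019/tcp`, Caddy's admin API port, which is unauthenticated by default. Unless something outside this hunk needs that port reachable from other containers, I would drop it from `EXPOSE` so that `docker run -P` never publishes it.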
@@ -40,33 +40,47 @@ protocols h1 h2 } + servers {$UDP_BIND_TO:0.0.0.0}:443 { + name http3 + protocols h3 + } + servers :2002 { name health protocols h1 } } -(backend_pages) { - @h2c `{env.FEATURES}.matches(r"\bh2c\b")` - reverse_proxy @h2c h2c://{$GIT_PAGES_ADDRESS:localhost}:3000 - reverse_proxy http://{$GIT_PAGES_ADDRESS:localhost}:3000 -} - -http:// { - @get method GET - redir @get https://{host}{uri} 301 - - # initial PUT/POST for a new domain has to happen over HTTP - import backend_pages -} - -https:// { +(backend) { tls { on_demand } + @h2c `{env.FEATURES}.matches(r"\bh2c\b")` + reverse_proxy @h2c h2c://{$GIT_PAGES_ADDRESS:localhost}:3000 + reverse_proxy http://{$GIT_PAGES_ADDRESS:localhost}:3000 + + header Alt-Svc `h3=":443"; persist=1, h2=":443"; persist=1` encode - import backend_pages +} + +http:// { + # initial PUT/POST for a new domain has to happen over HTTP + @get method GET + redir @get https://{host}{uri} 301 + + import backend +} + +https:// { + import backend +} + +https:// { + # Fly.io requires UDP sockets to be bound to a different IP + bind {$UDP_BIND_TO:0.0.0.0} + + import backend } http://localhost:2002 { diff --git a/conf/supervisord.conf b/conf/supervisord.conf index 2e0b9f8..0376005 100644 --- a/conf/supervisord.conf +++ b/conf/supervisord.conf @@ -12,5 +12,5 @@ autorestart = true command = /bin/git-pages [program:caddy] -command = /bin/caddy run -c caddy.json +command = /bin/caddy run depends_on = pages diff --git a/fly.toml b/fly.toml index f5c0cfa..9be959a 100644 --- a/fly.toml +++ b/fly.toml @@ -17,6 +17,7 @@ cpus = 2 memory = 512 [env] +UDP_BIND_TO = "fly-global-services" AUTOMEMLIMIT = "0.25" [[files]] @@ -37,6 +38,14 @@ ports = [{ port = 443 }] auto_stop_machines = "stop" auto_start_machines = true +# NB: Fly.io does not support UDP on public IPv6 +[[services]] +internal_port = 443 +protocol = "udp" +ports = [{ port = 443 }] +auto_stop_machines = "stop" +auto_start_machines = true + [checks.health] type = "http" method = "get"
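Review bot: Because `tls { on_demand }` and the `header Alt-Svc ...` line now live in the shared `(backend)` snippet, the `http://` site imports them too, which the old `backend_pages` snippet avoided. An `Alt-Svc` header received over cleartext is unauthenticated and clients generally will not act on it, and a `tls` directive in a plain-HTTP site is at best a no-op. I would keep only the `@h2c`/`reverse_proxy` lines in the shared snippet and move `tls` and `header Alt-Svc` into a second snippet (for example `(backend_tls)`) that only the two `https://` blocks import. It is also worth confirming that the global options, which begin above this hunk, restrict on-demand issuance with an `on_demand_tls` `ask` endpoint, since `https://` matches any host name and each new name can trigger a certificate request. Finally, the comment `# initial PUT/POST for a new domain has to happen over HTTP` now sits above the redirect rather than above `import backend`, the line it explains.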
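Review bot: `command = /bin/caddy run` no longer names a config file, so Caddy loads whatever `Caddyfile` is in the process's working directory. The hunk shows no `directory =` setting for `[program:caddy]`, so this appears to rely on supervisord being started from `/app`. If the file is not found, my understanding is that Caddy starts with an empty configuration rather than failing, which would leave the container up but serving nothing. Naming the file removes that dependency: `command = /bin/caddy run -c /app/Caddyfile`.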
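Review bot: The `# NB: Fly.io does not support UDP on public IPv6` comment would be more useful if it stated the consequence for this service. The `Alt-Svc` header added in `conf/Caddyfile` advertises `h3=":443"` to every client, but going by this comment only IPv4 clients can reach the UDP listener. Something like `# NB: Fly.io does not support UDP on public IPv6, so HTTP/3 is reachable over IPv4 only; IPv6 clients stay on TCP` would record that. The first fly.toml hunk's `UDP_BIND_TO = "fly-global-services"` could likewise carry a one-line comment pointing at the `bind` line in the Caddyfile that consumes it.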