fix: round 10 critical fixes - WebSocket race, rate limiting, XSS protection, Caddyfile, and input validation

2026-05-20 17:59:22 +08:00
parent a5b5713b29
commit 20cdcc748e
10 changed files with 336 additions and 25 deletions
@@ -0,0 +1,50 @@
+# Caddyfile — Cyrene AI 助手平台反向代理
+# Caddy version: 2.x
+
+{
+	# 全局配置
+	email {$ACME_EMAIL:admin@localhost}
+	admin off
+}
+
+# 默认站点
+:80 {
+	# 访问日志
+	log {
+		output stdout
+		format json
+	}
+
+	# 安全头
+	header {
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		# 生产环境启用 HSTS
+		# Strict-Transport-Security "max-age=31536000; includeSubDomains"
+	}
+
+	# WebSocket 路由 (需放在 API 路由之前以匹配优先级)
+	handle_path /ws/* {
+		reverse_proxy gateway:8080 {
+			# WebSocket 支持
+			header_up Host {http.request.host}
+		}
+	}
+
+	# API 路由 → Gateway
+	handle_path /api/* {
+		reverse_proxy gateway:8080 {
+			header_up Host {http.request.host}
+			header_up X-Forwarded-For {http.request.remote.host}
+			header_up X-Forwarded-Proto {http.request.scheme}
+		}
+	}
+
+	# 前端静态文件 (未来可改为反代到 frontend 容器)
+	handle {
+		# 默认响应 — 前端尚未部署时使用
+		respond "Cyrene AI Platform — Frontend coming soon." 200
+	}
+}