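<?xml version="1.0" encoding="utf-8"?>
<!--
  Example IIS site configuration: ARR reverse-proxies /health and /api to a
  backend on localhost:8085, rewrites every other request to a static JSON
  file, and sets a fixed group of response security headers.

  Deployment notes (verify against the target server):
  - A rewrite rule may only set HTTP_X_* server variables that are allow-listed
    under system.webServer/rewrite/allowedServerVariables in
    applicationHost.config; without that the proxy rules fail at request time.
  - The <proxy> section is usually locked at the server level; if IIS rejects it
    in a site web.config, enable ARR proxying in applicationHost.config instead.
-->
<configuration>
  <system.webServer>
    <!-- Enable ARR proxy. preserveHostHeader passes the client's Host header to the
         backend; reverseRewriteHostInResponseHeaders="false" leaves backend
         Location headers untouched, so the backend must emit externally valid ones. -->
    <proxy enabled="true" preserveHostHeader="true" reverseRewriteHostInResponseHeaders="false" />
    <rewrite>
      <rules>
        <!-- Optional: redirect /api to /api/ (query string is appended by default) -->
        <rule name="ForceAPITrailingSlash" stopProcessing="true">
          <match url="^api$" />
          <action type="Redirect" url="/api/" redirectType="Permanent" />
        </rule>
        <!-- Proxy /health -->
        <rule name="ProxyHealth" stopProcessing="true">
          <match url="^health$" />
          <action type="Rewrite" url="http://localhost:8085/health" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
            <!-- Overwritten with the direct peer address, not appended: a
                 client-supplied X-Forwarded-For is deliberately not trusted. -->
            <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
            <!-- Hard-coded. If TLS terminates at this site (the HSTS header below
                 suggests it does), change this to https so the backend builds
                 correct absolute URLs and secure cookies. -->
            <set name="HTTP_X_FORWARDED_PROTO" value="http" />
          </serverVariables>
        </rule>
        <!-- Proxy /api and /api/... ; {R:1} is the optional "/..." suffix -->
        <rule name="ProxyAPI" stopProcessing="true">
          <match url="^api(/.*)?$" />
          <action type="Rewrite" url="http://localhost:8085/api{R:1}" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
            <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
            <set name="HTTP_X_FORWARDED_PROTO" value="http" />
          </serverVariables>
        </rule>
        <!-- Block all other requests → serve JSON.
             No conditions are needed: the proxy rules above use stopProcessing, so
             any request that reaches this rule is one they did not match. The
             earlier negate-conditions on "^/health" and "^/api" were broader than
             the proxied patterns and let paths such as /healthz or /apifoo fall
             through to the default handler unblocked.
             Note: the rewrite serves /error401.json with whatever status the static
             handler returns (200 when the file exists and .json has a MIME mapping),
             not 401. If a real 401 status is required, a CustomResponse action with
             statusCode="401" returns it, though without the JSON body. -->
        <rule name="BlockOther" stopProcessing="true">
          <match url=".*" />
          <action type="Rewrite" url="/error401.json" />
        </rule>
      </rules>
    </rewrite>
    <!-- Security headers. Each header is removed before being added so that a
         value inherited from a parent configuration does not produce duplicates. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Content-Type-Options" />
        <remove name="X-Frame-Options" />
        <remove name="Strict-Transport-Security" />
        <remove name="Referrer-Policy" />
        <remove name="Permissions-Policy" />
        <remove name="Content-Security-Policy" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
        <!-- "preload" commits the domain and all subdomains to HTTPS in browser
             preload lists and is hard to reverse; keep it only once every subdomain
             is served over TLS. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <add name="Permissions-Policy" value="geolocation=(), camera=(), microphone=(), payment=()" />
        <!-- frame-ancestors 'none' matches X-Frame-Options DENY above.
             connect-src also allows http://localhost:8085, which from a browser
             resolves to the user's own machine; presumably a development leftover —
             confirm whether it is still needed. -->
        <add name="Content-Security-Policy"
             value="default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; img-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self' http://localhost:8085; manifest-src 'self'; font-src 'self';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>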