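# ============================================================================
# StreamAI Studio - Caddyfile
# Reverse proxy with automatic TLS (Let's Encrypt)
# ============================================================================

# ----------------------------------------------------------------------------
# Global options
# ----------------------------------------------------------------------------
{
    # ACME account contact; replace before deploying.
    email seu-email@exemplo.com

    # Admin API disabled: smaller attack surface on the host, at the cost of
    # `caddy reload` (restart the container to apply config changes).
    admin off

    # rate_limit is a non-standard directive (github.com/mholt/caddy-ratelimit).
    # The Caddy binary must be built with that module or config load fails, and
    # a non-standard directive has to be placed in the handler chain explicitly.
    order rate_limit before basicauth

    # Structured access logs (default logger)
    log {
        output file /var/log/caddy/access.log {
            roll_size 100mb
            roll_keep 10
        }
        format json
    }
}

# ============================================================================
# MAIN DOMAIN - Dashboard
# ============================================================================
streamai.seudominio.com {
    # Explicit TLS versions (same as Caddy's defaults, kept for clarity)
    tls {
        protocols tls1.2 tls1.3
    }

    # Compression
    encode gzip zstd

    # Security headers
    header {
        # HSTS. `includeSubDomains; preload` commits every subdomain to HTTPS,
        # so keep every *.seudominio.com host HTTPS-only before submitting to
        # the preload list.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Anti-clickjacking (legacy header; frame-ancestors in the CSP below is
        # the modern equivalent)
        X-Frame-Options "SAMEORIGIN"
        # Stop MIME sniffing
        X-Content-Type-Options "nosniff"
        # Legacy header: current browsers ignore it; the CSP is what matters.
        X-XSS-Protection "1; mode=block"
        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"
        # CSP. NOTE: 'unsafe-inline' and 'unsafe-eval' in script-src largely
        # neutralise the XSS protection a CSP is meant to give; move to
        # nonces/hashes once the React build allows it. frame-ancestors mirrors
        # X-Frame-Options SAMEORIGIN for browsers that prefer CSP.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: https:; frame-ancestors 'self';"
        # Drop the Server header
        -Server
    }

    # React frontend
    reverse_proxy streamai-dashboard:3000 {
        # header_up SETS these headers, so a client-supplied X-Forwarded-For
        # is overwritten and the upstream only ever sees the real peer address.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    # Per-site log
    log {
        output file /var/log/caddy/streamai-dashboard.log
    }
}

# ============================================================================
# API - FastAPI backend
# ============================================================================
api.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
    }

    encode gzip zstd

    # Per-client-IP rate limit (needs the rate_limit module, see global options)
    rate_limit {
        zone dynamic_api {
            key {remote_host}
            events 100
            window 1m
        }
    }

    # CORS preflight. Only OPTIONS is answered here: the real responses must
    # carry matching Access-Control-* headers from the backend, otherwise
    # browsers still block the cross-origin call. "*" is only acceptable
    # because no cookie-based credentials are involved.
    @cors_preflight method OPTIONS
    handle @cors_preflight {
        header {
            Access-Control-Allow-Origin "*"
            Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
            Access-Control-Allow-Headers "Content-Type, Authorization"
            Access-Control-Max-Age "86400"
        }
        respond 204
    }

    # API routes. WebSocket upgrades are proxied natively by reverse_proxy,
    # so the former duplicate @websocket handle was redundant and is gone.
    reverse_proxy streamai-api:8000 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}

        # Active health check
        health_uri /health
        health_interval 30s
        health_timeout 5s

        # Load balancing (when several upstreams are listed)
        # lb_policy round_robin
    }

    log {
        output file /var/log/caddy/api.log
    }
}

# ============================================================================
# WEBHOOKS - Public endpoint receiving provider events
# ============================================================================
webhooks.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
    }

    # Per-IP rate limit. NOTE: 1000/min is ten times LOOSER than the API zone,
    # not "more restrictive" as previously commented. That can be intentional
    # (webhook senders are a few IPs with bursts) — size it to your providers.
    rate_limit {
        zone webhooks {
            key {remote_host}
            events 1000
            window 1m
        }
    }

    # Cap request bodies so an unauthenticated public endpoint cannot be used
    # to exhaust webhook-receiver's memory. Raise if a provider needs more.
    request_body {
        max_size 1MB
    }

    # User-Agent filtering: the matcher below used to be defined but never
    # referenced, so it blocked nothing. It is also not a security control
    # (the header is chosen by the client) and many legitimate webhook senders
    # identify as *bot*. Authenticate webhooks by signature in webhook-receiver.
    # @block_bad_ua {
    #     header User-Agent *bot*
    #     header User-Agent *curl*
    #     header User-Agent *wget*
    # }
    # handle @block_bad_ua {
    #     respond 403
    # }

    # Route to webhook-receiver
    reverse_proxy webhook-receiver:8001 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}

        # `timeout 60s` is not a reverse_proxy subdirective and would fail
        # config load; the upstream wait is configured on the transport.
        transport http {
            response_header_timeout 60s
        }
    }

    log {
        output file /var/log/caddy/webhooks.log
    }
}

# ============================================================================
# STREAMING - HLS/DASH endpoints
# ============================================================================
stream.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
    }

    encode gzip

    # CORS so players on any origin can fetch manifests and segments
    header {
        Access-Control-Allow-Origin "*"
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Max-Age "86400"
        # Applied to everything: manifests need this, segments usually do not
        # (consider a path matcher if caching segments matters).
        Cache-Control "no-cache"
    }

    # HLS manifests/segments
    handle /hls/* {
        reverse_proxy nginx-rtmp:8080 {
            header_up X-Real-IP {remote_host}
        }
    }

    # DASH manifests/segments
    handle /dash/* {
        reverse_proxy nginx-rtmp:8080 {
            header_up X-Real-IP {remote_host}
        }
    }

    # nginx-rtmp stats page. It typically lists active stream names and
    # publisher/player addresses, so avoid leaving it world-readable with
    # CORS "*". Uncomment to restrict it to private networks (or put
    # basicauth in front of it).
    # @stats_external {
    #     path /stats
    #     not remote_ip private_ranges
    # }
    # respond @stats_external 403
    handle /stats {
        reverse_proxy nginx-rtmp:8080 {
            header_up X-Real-IP {remote_host}
        }
    }

    log {
        output file /var/log/caddy/stream.log
    }
}

# ============================================================================
# METRICS - Prometheus & Grafana
# ============================================================================
metrics.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
    }

    # Basic auth in front of the whole host. Replace the hash with the output
    # of `caddy hash-password`; never commit a hash together with its password.
    basicauth {
        admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx7wNff4ynbxm
    }

    # Prometheus under a path prefix. Prometheus needs a matching
    # --web.external-url / --web.route-prefix or its UI assets 404 — confirm
    # against the compose file.
    handle /prometheus/* {
        uri strip_prefix /prometheus
        reverse_proxy prometheus:9090
    }

    # Grafana (everything else)
    handle /* {
        reverse_proxy grafana:3000
    }
}

# ============================================================================
# STORAGE - MinIO S3-compatible storage
# ============================================================================
storage.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
    }

    # NOTE: the MinIO console's own XHR calls are also under /api/..., so
    # sending /api/* to the S3 port is likely to break console login — verify
    # with your MinIO version; a dedicated hostname per port is the usual fix.

    # MinIO S3 API
    handle /api/* {
        reverse_proxy minio:9000
    }

    # MinIO Console
    handle /* {
        reverse_proxy minio:9001
    }
}

# ============================================================================
# RTMP pointer (for external encoders)
# ============================================================================
rtmp.seudominio.com {
    # Informational only: RTMP is a separate TCP protocol on 1935 and is not
    # proxied by Caddy.
    respond "RTMP Server: rtmp://rtmp.seudominio.com:1935/live" 200
    header Content-Type "text/plain"
}

# ============================================================================
# REDIRECT - www to non-www
# ============================================================================
www.seudominio.com {
    # The target is the apex domain, which has no site block in this file;
    # either add an apex site or point this at streamai.seudominio.com,
    # otherwise the redirect lands on an unserved host.
    redir https://seudominio.com{uri} permanent
}

# ============================================================================
# WILDCARD SUBDOMAIN for testing
# ============================================================================
*.dev.seudominio.com {
    tls {
        protocols tls1.2 tls1.3
        # A wildcard certificate can only be issued through the ACME DNS
        # challenge, which requires a DNS-provider module built into Caddy;
        # without it issuance for this host fails. Placeholder:
        # dns <PROVIDER_MODULE> {env.<PROVIDER_API_TOKEN>}
    }

    # Everything here is reachable by anyone who resolves the name and shares
    # none of the production auth or rate limits — keep real data out of it.

    # Route to services by subdomain
    @api host api.dev.seudominio.com
    handle @api {
        reverse_proxy streamai-api:8000
    }

    @dashboard host dashboard.dev.seudominio.com
    handle @dashboard {
        reverse_proxy streamai-dashboard:3000
    }

    # Fallback
    handle {
        respond "StreamAI Dev Environment" 200
    }
}

# ============================================================================
# PLAINTEXT HTTP (port 80, any Host header / direct IP)
# ============================================================================
# In production this must only redirect to HTTPS. The previous version proxied
# the API and dashboard over plaintext, without the security headers above, to
# any client that hit port 80 — contradicting the firewall note at the bottom.
:80 {
    redir https://{host}{uri} permanent

    # Local development only; never enable on an internet-facing host:
    # handle /api/* {
    #     reverse_proxy streamai-api:8000
    # }
    # handle /* {
    #     reverse_proxy streamai-dashboard:3000
    # }
}

# ============================================================================
# USAGE
# ============================================================================
# 1. Replace "seudominio.com" with your real domain
# 2. Create DNS A records pointing at your server:
#    streamai.seudominio.com → IP_DO_SERVIDOR
#    api.seudominio.com      → IP_DO_SERVIDOR
#    webhooks.seudominio.com → IP_DO_SERVIDOR
#    stream.seudominio.com   → IP_DO_SERVIDOR
#    metrics.seudominio.com  → IP_DO_SERVIDOR
#    storage.seudominio.com  → IP_DO_SERVIDOR
#    rtmp.seudominio.com     → IP_DO_SERVIDOR
#    www.seudominio.com      → IP_DO_SERVIDOR
#    *.dev.seudominio.com    → IP_DO_SERVIDOR (wildcard; also needs the DNS challenge above)
# 3. Generate the basicauth password hash:
#    caddy hash-password
#    (paste the generated hash into the basicauth block above)
# 4. Build Caddy with the rate_limit module
#    (xcaddy build --with github.com/mholt/caddy-ratelimit), then start it:
#    docker-compose up -d caddy
# 5. Check logs:
#    docker-compose logs -f caddy
# 6. Certificate renewal is automatic

# ============================================================================
# FIREWALL PORTS
# ============================================================================
# TCP 80   - HTTP (redirects to HTTPS)
# TCP 443  - HTTPS
# TCP 1935 - RTMP (streaming)

# UFW commands (Ubuntu):
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
# sudo ufw allow 1935/tcp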