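# Caddyfile for Netdata Zulip Bot with mutual TLS
#
# This configuration provides:
# - Automatic HTTPS with Let's Encrypt certificates
# - Mutual TLS authentication for Netdata webhooks
# - Reverse proxy to the backend bot service
#
# Usage:
# 1. Replace YOUR_DOMAIN with your actual domain
# 2. Save the Netdata CA certificate to netdata-ca.pem
#    (a relative path is resolved against Caddy's working directory)
# 3. Check the file: caddy validate --config Caddyfile
# 4. Run: caddy run --config Caddyfile
#
# Client certificates are verified during the TLS handshake, before the
# request path is known. `tls` is therefore a site-level directive and cannot
# be nested inside `handle`; the client_auth policy below applies to every
# path served by this site block.

YOUR_DOMAIN {
    # Automatic HTTPS with Let's Encrypt, plus mutual TLS for the whole site
    tls {
        # Optional: specify email for Let's Encrypt account
        # email admin@example.com

        client_auth {
            # Reject the handshake unless the client presents a certificate
            # that chains to the CA below.
            mode require_and_verify
            # Every certificate issued by this CA is accepted. If the CA also
            # issues certificates to other parties, have the backend check
            # X-Client-Subject against the expected Netdata identity.
            # NOTE(review): newer Caddy releases deprecate this option in
            # favour of `trust_pool` - confirm against the installed version.
            trusted_ca_cert_file netdata-ca.pem
        }
    }

    # Netdata webhook endpoint
    @webhook {
        path /webhook/netdata
    }

    handle @webhook {
        # Reverse proxy to the bot service.
        # The backend should listen on loopback only; otherwise the
        # X-Client-* headers below can be forged by connecting to it directly.
        reverse_proxy localhost:8080 {
            # Pass client certificate info as headers (optional).
            # header_up replaces any value the client sent under these names.
            # NOTE(review): PEM text contains line breaks, which are not valid
            # in a header value - verify the backend actually receives this
            # header, or switch to a single-line encoding of the certificate.
            header_up X-Client-Cert {http.request.tls.client.certificate_pem}
            header_up X-Client-Subject {http.request.tls.client.subject}
        }
    }

    # Health check endpoint.
    # It shares the site's TLS policy, so callers need a client certificate
    # here as well. To probe without one, serve /health from a separate
    # listener (for example a different port) that has no client_auth.
    handle /health {
        reverse_proxy localhost:8080 {
            # Drop client-supplied copies of the identity headers so the
            # backend only ever sees values set by this proxy.
            header_up -X-Client-Cert
            header_up -X-Client-Subject
        }
    }

    # Default handler for other paths
    handle {
        respond "Not Found" 404
    }

    # Logging
    log {
        output file /var/log/caddy/netdata-bot.log {
            roll_size 100mb
            roll_keep 10
            roll_keep_for 720h
        }
        format json
        level INFO
    }
}

# Alternative configuration for testing with self-signed certificates
# Uncomment the block below and comment out the main block above.
# This variant has no client_auth: anyone who can reach the listener can post
# to /webhook/netdata, so keep it on an isolated test host.
# YOUR_DOMAIN {
#     tls internal  # Use Caddy's internal CA for self-signed certificates
#
#     @webhook {
#         path /webhook/netdata
#     }
#
#     handle @webhook {
#         # For testing without mutual TLS
#         reverse_proxy localhost:8080
#     }
#
#     handle /health {
#         reverse_proxy localhost:8080
#     }
#
#     handle {
#         respond "Not Found" 404
#     }
# }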