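# Caddyfile (Caddy v1 syntax) for the KEBLER.NET web and reverse-proxy server
# running on the 238 NAS box. This is NOT a shell script; the stray
# "#!/bin/bash" line that used to head this file has been dropped.
# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
#
# Credentials: basicauth passwords are pulled from the environment with
# {$VAR} placeholders (Caddy substitutes them when the Caddyfile is parsed),
# so this file can be kept in version control without plaintext secrets.
# Export KEBLER_ADMIN_PASS, KEBLER_ELF_PASS and KEBLER_DOWNLOAD_PASS in the
# service environment (e.g. the systemd unit's EnvironmentFile) before
# starting Caddy; rotate the old values that were previously committed here.
#
# TODO
# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization

# COMMON DIRECTIVES (add by using import)

# Wildcard cert, added to every site served under *.kebler.net
(wildcard_cert) {
    tls /mnt/238/nas/opt/tls-certs/wc.kebler.net.crt /mnt/238/nas/opt/tls-certs/wc.kebler.net.key {
        wildcard
    }
}

# Inject a base tag into all html pages served under /238/gateway.
# NOTE(review): search_pattern has no argument and replacement is "" — the
# values look like they were lost when this file was copied (the tag text
# was probably stripped as markup). Restore them before importing this
# snippet; it is not imported anywhere below at the moment.
(baseurl-gateway) {
    filter rule {
        content_type text/html.*
        search_pattern
        replacement ""
    }
}

# Inject a base tag into all html pages served under /238/nas.
# NOTE(review): same missing search_pattern/replacement as baseurl-gateway.
(baseurl-nas) {
    filter rule {
        content_type text/html.*
        search_pattern
        replacement ""
    }
}

# Only allow LAN users access.
# `strict` makes ipfilter decide on the TCP peer address only. Without it the
# plugin trusts the X-Forwarded-For header, so any internet client could send
# "X-Forwarded-For: 10.0.0.5" and walk straight past this filter. This Caddy
# terminates TLS itself (see the :80 redirect below) and sits in front of the
# upstreams, so there is no trusted proxy in front of it whose forwarded
# header would need to be honoured. Confirm the installed ipfilter build
# accepts `strict`; Caddy refuses to start (loudly) if it does not.
(lan-only) {
    ipfilter / {
        rule allow
        ip 10.0.0.0/24
        strict
    }
}

# Only allow LAN or US-geolocated users access (same `strict` reasoning as
# lan-only: a spoofed X-Forwarded-For would otherwise choose the country).
# GeoIP is a coarse filter, not authentication — every admin surface that
# imports this still needs its own login (admin-login or the app's own).
(US-only) {
    ipfilter / {
        rule allow
        ip 10.0.0.0/24
        database /opt/caddy/GeoLite2-Country.mmdb
        country US
        strict
    }
}

# Require the sysadmin basic-auth login on every path of the importing site.
# Password comes from the KEBLER_ADMIN_PASS environment variable.
(admin-login) {
    basicauth "sysadmin" {$KEBLER_ADMIN_PASS} {
        realm "kebler-admin"
        /
    }
}

# send logs to alternative location
(logs) {
    log /opt/caddy/logs/log
    # errors /opt/caddy/logs/errors
}

# send to stdout instead of logs
(logout) {
    log stdout
    errors stdout
}

## End Snippets ##############################

################ REDIRECT ########################

# Main http/https redirect for anything arriving on port 80/http
*.kebler.net:80 {
    import logs
    redir https://{label1}.kebler.net{uri}
}

# Git Server
https://git238.kebler.net {
    import wildcard_cert
    import US-only
    proxy / http://nas.kebler.net:3000
}

# Home Assistant Server
https://ha.kebler.net https://ha238.kebler.net {
    import wildcard_cert
    import US-only
    # import lan-only
    import logs
    proxy / hassio.kebler.net:8123 {
        websocket
        transparent
    }
}

# NodeRed Server
https://nodered.kebler.net {
    import wildcard_cert
    import US-only
    # import lan-only
    proxy / trantor.kebler.net:1880 {
        websocket
        transparent
    }
}

# portainer
https://docker.kebler.net {
    import wildcard_cert
    import lan-only
    proxy / http://nas.kebler.net:9000
}

##################### TRANTOR ######################

# portainer on trantor
https://docker-trantor.kebler.net {
    import wildcard_cert
    import lan-only
    proxy / http://trantor.kebler.net:9000
}

# discourse for nick and david
https://geeks.kebler.net {
    import wildcard_cert
    proxy / http://trantor.kebler.net:9292 {
        transparent
    }
}

# mqtt broker setup interface
#https://broker-ui.kebler.net {
#    import wildcard_cert
#    import lan-only
#    proxy / http://nas.kebler.net:18083 {
#    }
#}

https://social.kebler.net {
    import wildcard_cert
    # rewrite {
    #     if {path} is /
    #     to /proxy{path}
    # }
    # rewrite {
    #     if {path} not_has /graphql
    #     to {path} /proxy{path}
    # }
    proxy / 10.0.0.115:3000 {
    }
    proxy /graphql 10.0.0.115:4000 {
        websocket
        transparent
    }
}

https://npm.kebler.net {
    import wildcard_cert
    proxy / localhost:4873 {
        websocket
        transparent
    }
}

##### status.kebler.net ###########
https://status.kebler.net {
    import wildcard_cert
    import US-only
    import admin-login
    # route to phpfpm's status page here (exposes pool internals — keep it
    # behind admin-login)
    fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
        env SCRIPT_NAME /phpfpm
    }
    fastcgi / /var/run/php/php7.2-fpm.sock php
    root /mnt/data/webs/status/dist
}

# Router Status running on router
https://status.kebler.net/238/gateway {
    import wildcard_cert
    import US-only
    import admin-login
    # add base tag to all pages
    # NOTE(review): search_pattern/replacement values appear to have been lost
    # when this file was copied; see the baseurl-gateway snippet.
    filter rule {
        content_type text/html.*
        search_pattern
        replacement ""
    }
    proxy / http://router.kebler.net:19999
}

# NAS Status 238
https://status.kebler.net/238/nas {
    import wildcard_cert
    import US-only
    import admin-login
    # add base tag to all pages
    # NOTE(review): search_pattern/replacement values appear to have been lost
    # when this file was copied; see the baseurl-nas snippet.
    filter rule {
        content_type text/html.*
        search_pattern
        replacement ""
    }
    proxy / http://nas.kebler.net:19999
}

# Systemd Cockpit Access
# NOTE(review): Cockpit is a root-capable host admin console; consider
# `import lan-only` here like the portainer sites, leaving it to Cockpit's own
# login only for LAN clients.
https://system.kebler.net {
    import wildcard_cert
    import US-only
    # add base tag to all pages
    # filter rule {
    #     content_type text/html.*
    #     search_pattern
    #     replacement ""
    # }
    proxy / http://localhost:9090 {
        # insecure_skip_verify only affects TLS upstreams; with an http://
        # upstream it is a no-op. If the upstream is really https (Cockpit's
        # default), switch the scheme and prefer trusting its cert instead.
        insecure_skip_verify
        websocket
        transparent
    }
}

# local redirect to 645
https://status.kebler.net/645/nas {
    import wildcard_cert
    import US-only
    proxy / http://645.kebler.net/nas/status
}

################### LOCAL WEBS ############################

https://download.kebler.net {
    import wildcard_cert
    # Access log kept OUTSIDE the served root. It previously lived at
    # /mnt/data/downloads/private/download-log, i.e. inside `root` below, so
    # it was itself downloadable (client IPs, paths, user agents) to anyone
    # holding the weak /private basic-auth password.
    log /opt/caddy/logs/download-log
    basicauth "elf" {$KEBLER_ELF_PASS} {
        realm "Protected Downloads"
        /private
    }
    basicauth "download" {$KEBLER_DOWNLOAD_PASS} {
        /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
    }
    root /mnt/data/downloads
    # browse lists the root directory, so the names of everything under it
    # (including "private") are public even though their contents are not.
    browse /
}

https://lights.kebler.net {
    import wildcard_cert
    root /mnt/data/webs/lights-frontend
    proxy /socket.io http://10.0.0.115:3031 {
        websocket
        transparent
    }
}

https://wedding.kebler.net {
    import wildcard_cert
    root /mnt/data/cloud-user-files/david/files/wedding
    index wedding.html
}

https://admin.kebler.net {
    import wildcard_cert
    import lan-only
    root /mnt/data/webs/admin
}

# phpMyAdmin is a database admin console; like the other admin panels
# (portainer, admin.kebler.net) it is restricted to the LAN instead of being
# reachable from the whole internet behind only its own login form. Relax
# to `import US-only` plus `import admin-login` if remote access is needed.
https://phpmyadmin.kebler.net {
    import wildcard_cert
    import lan-only
    fastcgi / /var/run/php/php7.2-fpm.sock php
    root /mnt/data/webs/phpmyadmin
}

https://smnordic.org {
    fastcgi / /var/run/php/php7.2-fpm.sock php
    root /mnt/data/webs/smnordic
    rewrite / {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?_url={uri}
    }
}

https://nextcloud.kebler.net https://cloud.kebler.net {
    # import logs
    import US-only
    tls d@kebler.net
    fastcgi / /var/run/php/php7.2-fpm.sock php
    root /mnt/data/webs/nextcloud
    # log /var/log/nextcloud_access.log
    # errors /var/log/nextcloud_errors.log

    # checks for images
    rewrite {
        ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
        r ^/index.php/(.+)$
        to /{1} /index.php?{1}
    }
    rewrite {
        r ^/index.php/.*$
        to /index.php?{query}
    }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/carddav 301
    redir /.well-known/caldav /remote.php/caldav 301

    # remove trailing / as it causes errors with php-fpm
    rewrite {
        r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
        to /remote.php/{1}
    }
    rewrite {
        r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
        to /remote.php/{1}/{2}
    }
    rewrite {
        r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
        to /public.php/{1}
    }
    rewrite {
        r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
        to /public.php/{1}/{2}
    }

    # .htaccess / data / config / ... shouldn't be accessible from outside.
    # Caddy matches these as path prefixes. "/.htacces" (typo) happened to
    # still cover /.htaccess as a prefix; spelled correctly now. The PHP-only
    # trees (3rdparty, lib, templates, build, tests) and the CLI entry points
    # (occ, console.php) are added to match Nextcloud's reference deny list.
    status 403 {
        /.htaccess
        /data
        /config
        /db_structure
        /.xml
        /README
        /3rdparty
        /lib
        /templates
        /build
        /tests
        /occ
        /console.php
    }

    header / {
        Strict-Transport-Security "max-age=31536000;"
        Referrer-Policy "no-referrer"
    }
}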