367 lines
8.5 KiB
Plaintext
367 lines
8.5 KiB
Plaintext
##!/bin/bashit
|
|
# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
|
|
|
|
# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
|
|
|
|
# TODO
|
|
# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
|
|
|
|
|
|
# COMMON DIRECTIVES (add by using import)
|
|
|
|
# Wildcard cert add to all
|
|
(wildcard_cert) {
|
|
tls /mnt/238/nas/opt/tls-certs/wc.kebler.net.crt /mnt/238/nas/opt/tls-certs/wc.kebler.net.key {
|
|
wildcard
|
|
}
|
|
}
|
|
|
|
# inject in all pages a <base href='url'>
|
|
(baseurl-gateway) {
|
|
filter rule {
|
|
content_type text/html.*
|
|
search_pattern <head>
|
|
replacement "<head><base href='https://{request_host}/238/gateway/'>"
|
|
}
|
|
}
|
|
|
|
# inject in all pages a <base href='url'>
|
|
(baseurl-nas) {
|
|
filter rule {
|
|
content_type text/html.*
|
|
search_pattern <head>
|
|
replacement "<head><base href='https://{request_host}/238/nas/'>"
|
|
}
|
|
}
|
|
|
|
# Only allow lan users access
|
|
(lan-only) {
|
|
ipfilter / {
|
|
rule allow
|
|
ip 10.0.0.0/24
|
|
}
|
|
}
|
|
|
|
# Only allow US users access
|
|
(US-only) {
|
|
ipfilter / {
|
|
rule allow
|
|
ip 10.0.0.0/24
|
|
database /opt/caddy/GeoLite2-Country.mmdb
|
|
country US
|
|
}
|
|
}
|
|
|
|
# Only allow US users access
|
|
(admin-login) {
|
|
basicauth "sysadmin" ccbigsismyfriend {
|
|
realm "kebler-admin"
|
|
/
|
|
}
|
|
}
|
|
|
|
#send logs to alternative location
|
|
(logs) {
|
|
log /opt/caddy/logs/log
|
|
# errors /opt/caddy/logs/errors
|
|
}
|
|
|
|
#send to stdout instead of logs
|
|
(logout) {
|
|
log stdout
|
|
errors stdout
|
|
}
|
|
## End Snippets ##############################
|
|
|
|
|
|
################ REDIRECT ########################
|
|
|
|
# Main http/https redirect for anything arriving on port 80/http
|
|
*.kebler.net:80 {
|
|
import logs
|
|
redir https://{label1}.kebler.net{uri}
|
|
}
|
|
|
|
|
|
# Git Server
|
|
https://git238.kebler.net {
|
|
import wildcard_cert
|
|
import US-only
|
|
proxy / http://nas.kebler.net:3000
|
|
}
|
|
|
|
# Home Assistant Server
|
|
https://ha.kebler.net https://ha238.kebler.net {
|
|
import wildcard_cert
|
|
import US-only
|
|
# import lan-only
|
|
import logs
|
|
proxy / hassio.kebler.net:8123 {
|
|
websocket
|
|
transparent
|
|
}
|
|
}
|
|
|
|
# NodeRed Server
|
|
https://nodered.kebler.net {
|
|
import wildcard_cert
|
|
import US-only
|
|
# import lan-only
|
|
proxy / trantor.kebler.net:1880 {
|
|
websocket
|
|
transparent
|
|
}
|
|
}
|
|
|
|
# portainer
|
|
https://docker.kebler.net {
|
|
import wildcard_cert
|
|
import lan-only
|
|
proxy / http://nas.kebler.net:9000
|
|
}
|
|
|
|
|
|
##################### TRANTOR ######################
|
|
|
|
# portainer on trantor
|
|
https://docker-trantor.kebler.net {
|
|
import wildcard_cert
|
|
import lan-only
|
|
proxy / http://trantor.kebler.net:9000
|
|
}
|
|
|
|
# discourse for nick and david
|
|
https://geeks.kebler.net {
|
|
import wildcard_cert
|
|
proxy / http://trantor.kebler.net:9292 {
|
|
transparent
|
|
}
|
|
}
|
|
|
|
|
|
# mqtt broker setup interface
|
|
#https://broker-ui.kebler.net {
|
|
# import wildcard_cert
|
|
# import lan-only
|
|
# proxy / http://nas.kebler.net:18083 {
|
|
# }
|
|
# }
|
|
|
|
|
|
https://social.kebler.net {
|
|
import wildcard_cert
|
|
|
|
# rewrite {
|
|
# if {path} is /
|
|
# to /proxy{path}
|
|
# }
|
|
|
|
# rewrite {
|
|
# if {path} not_has /graphql
|
|
# to {path} /proxy{path}
|
|
# }
|
|
|
|
proxy / 10.0.0.115:3000 {
|
|
}
|
|
|
|
proxy /graphql 10.0.0.115:4000 {
|
|
websocket
|
|
transparent
|
|
}
|
|
|
|
}
|
|
|
|
https://npm.kebler.net {
|
|
import wildcard_cert
|
|
proxy / localhost:4873 {
|
|
websocket
|
|
transparent
|
|
}
|
|
}
|
|
|
|
##### status.kebler.net ###########
|
|
|
|
https://status.kebler.net {
|
|
import wildcard_cert
|
|
import US-only
|
|
import admin-login
|
|
# route to phpfpm's status page here
|
|
fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
|
|
env SCRIPT_NAME /phpfpm
|
|
}
|
|
fastcgi / /var/run/php/php7.2-fpm.sock php
|
|
root /mnt/data/webs/status/dist
|
|
}
|
|
|
|
|
|
# Router Status running on router
|
|
https://status.kebler.net/238/gateway {
|
|
import wildcard_cert
|
|
import US-only
|
|
import admin-login
|
|
filter rule {
|
|
content_type text/html.*
|
|
search_pattern <head>
|
|
replacement "<head><base href='https://{request_host}/238/gateway/'>"
|
|
}
|
|
proxy / http://router.kebler.net:19999
|
|
}
|
|
|
|
# NAS Status 238
|
|
https://status.kebler.net/238/nas {
|
|
import wildcard_cert
|
|
import US-only
|
|
import admin-login
|
|
# add base tag to all pages
|
|
filter rule {
|
|
content_type text/html.*
|
|
search_pattern <head>
|
|
replacement "<head><base href='https://{request_host}/238/nas/'>"
|
|
}
|
|
proxy / http://nas.kebler.net:19999
|
|
}
|
|
|
|
# Systemd Cockpit Access
|
|
https://system.kebler.net {
|
|
import wildcard_cert
|
|
import US-only
|
|
# add base tag to all pages
|
|
# filter rule {
|
|
# content_type text/html.*
|
|
# search_pattern <head>
|
|
# replacement "<head><base href='https://{request_host}/238/nas/'>"
|
|
# }
|
|
proxy / http://localhost:9090 {
|
|
insecure_skip_verify
|
|
websocket
|
|
transparent
|
|
}
|
|
}
|
|
|
|
# local redirect to 645
|
|
https://status.kebler.net/645/nas {
|
|
import wildcard_cert
|
|
import US-only
|
|
proxy / http://645.kebler.net/nas/status
|
|
}
|
|
|
|
|
|
################### LOCAL WEBS ############################
|
|
|
|
https://download.kebler.net {
|
|
import wildcard_cert
|
|
log /mnt/data/downloads/private/download-log
|
|
basicauth "elf" ccbigs {
|
|
realm "Protected Downloads"
|
|
/private
|
|
}
|
|
basicauth "download" espressobin {
|
|
/espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
|
|
}
|
|
root /mnt/data/downloads
|
|
browse /
|
|
}
|
|
|
|
https://lights.kebler.net {
|
|
import wildcard_cert
|
|
root /mnt/data/webs/lights-frontend
|
|
proxy /socket.io http://10.0.0.115:3031 {
|
|
websocket
|
|
transparent
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
https://wedding.kebler.net {
|
|
import wildcard_cert
|
|
root /mnt/data/cloud-user-files/david/files/wedding
|
|
index wedding.html
|
|
}
|
|
|
|
|
|
https://admin.kebler.net {
|
|
import wildcard_cert
|
|
import lan-only
|
|
root /mnt/data/webs/admin
|
|
}
|
|
|
|
https://phpmyadmin.kebler.net {
|
|
import wildcard_cert
|
|
fastcgi / /var/run/php/php7.2-fpm.sock php
|
|
root /mnt/data/webs/phpmyadmin
|
|
}
|
|
|
|
https://smnordic.org {
|
|
fastcgi / /var/run/php/php7.2-fpm.sock php
|
|
root /mnt/data/webs/smnordic
|
|
rewrite / {
|
|
if {path} not_match ^\/wp-admin
|
|
to {path} {path}/ /index.php?_url={uri}
|
|
}
|
|
}
|
|
|
|
https://nextcloud.kebler.net https://cloud.kebler.net {
|
|
# import logs
|
|
import US-only
|
|
tls d@kebler.net
|
|
fastcgi / /var/run/php/php7.2-fpm.sock php
|
|
root /mnt/data/webs/nextcloud
|
|
# log /var/log/nextcloud_access.log
|
|
# errors /var/log/nextcloud_errors.log
|
|
|
|
# checks for images
|
|
rewrite {
|
|
ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
|
|
r ^/index.php/(.+)$
|
|
to /{1} /index.php?{1}
|
|
}
|
|
|
|
rewrite {
|
|
r ^/index.php/.*$
|
|
to /index.php?{query}
|
|
}
|
|
|
|
# client support (e.g. os x calendar / contacts)
|
|
redir /.well-known/carddav /remote.php/carddav 301
|
|
redir /.well-known/caldav /remote.php/caldav 301
|
|
|
|
# remove trailing / as it causes errors with php-fpm
|
|
rewrite {
|
|
r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
|
|
to /remote.php/{1}
|
|
}
|
|
|
|
rewrite {
|
|
r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
|
|
to /remote.php/{1}/{2}
|
|
}
|
|
|
|
rewrite {
|
|
r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
|
|
to /public.php/{1}
|
|
}
|
|
|
|
rewrite {
|
|
r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
|
|
to /public.php/{1}/{2}
|
|
}
|
|
|
|
# .htaccess / data / config / ... shouldn't be accessible from outside
|
|
status 403 {
|
|
/.htacces
|
|
/data
|
|
/config
|
|
/db_structure
|
|
/.xml
|
|
/README
|
|
}
|
|
|
|
header / {
|
|
Strict-Transport-Security "max-age=31536000;"
|
|
Referrer-Policy "no-referrer"
|
|
}
|
|
|
|
}
|