caddy-retired/conf/caddy1.conf.bak

367 lines
8.5 KiB
Plaintext

##!/bin/bashit
# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
# TODO
# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
# COMMON DIRECTIVES (add by using import)
# Wildcard cert add to all
(wildcard_cert) {
tls /opt/tls-certs/wc.kebler.net.crt /opt/tls-certs/wc.kebler.net.key {
wildcard
}
}
# inject in all pages a <base href='url'>
(baseurl-gateway) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
}
# inject in all pages a <base href='url'>
(baseurl-nas) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
}
# Only allow lan users access
(lan-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
}
}
# Only allow US users access
(US-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
database /opt/caddy/GeoLite2-Country.mmdb
country US
}
}
# Only allow US users access
(admin-login) {
basicauth "sysadmin" ccbigsismyfriend {
realm "kebler-admin"
/
}
}
#send logs to alternative location
(logs) {
log /opt/caddy/logs/log
errors /opt/caddy/logs/errors
}
#send to stdout instead of logs
(logout) {
log stdout
errors stdout
}
## End Snippets ##############################
################ REDIRECT ########################
# Main http/https redirect for anything arriving on port 80/http
*.kebler.net:80 {
import logs
redir https://{label1}.kebler.net{uri}
}
# Git Server
https://git238.kebler.net {
import wildcard_cert
import US-only
proxy / http://nas.kebler.net:3000
}
# Home Assistant Server
https://ha.kebler.net https://ha238.kebler.net {
import wildcard_cert
import US-only
# import lan-only
import logs
proxy / hassio.kebler.net:8123 {
websocket
transparent
}
}
# NodeRed Server
https://nodered.kebler.net {
import wildcard_cert
import US-only
# import lan-only
proxy / trantor.kebler.net:1880 {
websocket
transparent
}
}
# portainer
https://docker.kebler.net {
import wildcard_cert
import lan-only
proxy / http://nas.kebler.net:9000
}
##################### TRANTOR ######################
# portainer on trantor
https://docker-trantor.kebler.net {
import wildcard_cert
import lan-only
proxy / http://trantor.kebler.net:9000
}
# discourse for nick and david
https://geeks.kebler.net {
import wildcard_cert
proxy / http://trantor.kebler.net:9292 {
transparent
}
}
# mqtt broker setup interface
#https://broker-ui.kebler.net {
# import wildcard_cert
# import lan-only
# proxy / http://nas.kebler.net:18083 {
# }
# }
https://social.kebler.net {
import wildcard_cert
# rewrite {
# if {path} is /
# to /proxy{path}
# }
# rewrite {
# if {path} not_has /graphql
# to {path} /proxy{path}
# }
proxy / 10.0.0.115:3000 {
}
proxy /graphql 10.0.0.115:4000 {
websocket
transparent
}
}
https://npm.kebler.net {
import wildcard_cert
proxy / localhost:4873 {
websocket
transparent
}
}
##### status.kebler.net ###########
https://status.kebler.net {
import wildcard_cert
import US-only
import admin-login
# route to phpfpm's status page here
fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
env SCRIPT_NAME /phpfpm
}
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/status/dist
}
# Router Status running on router
https://status.kebler.net/238/gateway {
import wildcard_cert
import US-only
import admin-login
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
proxy / http://router.kebler.net:19999
}
# NAS Status 238
https://status.kebler.net/238/nas {
import wildcard_cert
import US-only
import admin-login
# add base tag to all pages
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
proxy / http://nas.kebler.net:19999
}
# Systemd Cockpit Access
https://system.kebler.net {
import wildcard_cert
import US-only
# add base tag to all pages
# filter rule {
# content_type text/html.*
# search_pattern <head>
# replacement "<head><base href='https://{request_host}/238/nas/'>"
# }
proxy / http://localhost:9090 {
insecure_skip_verify
websocket
transparent
}
}
# local redirect to 645
https://status.kebler.net/645/nas {
import wildcard_cert
import US-only
proxy / http://645.kebler.net/nas/status
}
################### LOCAL WEBS ############################
https://download.kebler.net {
import wildcard_cert
log /mnt/data/downloads/private/download-log
basicauth "elf" ccbigs {
realm "Protected Downloads"
/private
}
basicauth "download" espressobin {
/espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
}
root /mnt/data/downloads
browse /
}
https://lights.kebler.net {
import wildcard_cert
root /mnt/data/webs/lights-frontend
proxy /socket.io http://10.0.0.115:3031 {
websocket
transparent
}
}
https://wedding.kebler.net {
import wildcard_cert
root /mnt/data/cloud-user-files/david/files/wedding
index wedding.html
}
https://admin.kebler.net {
import wildcard_cert
import lan-only
root /mnt/data/webs/admin
}
https://phpmyadmin.kebler.net {
import wildcard_cert
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/phpmyadmin
}
https://smnordic.org {
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/smnordic
rewrite / {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?_url={uri}
}
}
https://nextcloud.kebler.net https://cloud.kebler.net {
# import logs
import US-only
tls d@kebler.net
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/nextcloud
# log /var/log/nextcloud_access.log
# errors /var/log/nextcloud_errors.log
# checks for images
rewrite {
ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
r ^/index.php/(.+)$
to /{1} /index.php?{1}
}
rewrite {
r ^/index.php/.*$
to /index.php?{query}
}
# client support (e.g. os x calendar / contacts)
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
# remove trailing / as it causes errors with php-fpm
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
to /remote.php/{1}
}
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
to /remote.php/{1}/{2}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
to /public.php/{1}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
to /public.php/{1}/{2}
}
# .htaccess / data / config / ... shouldn't be accessible from outside
status 403 {
/.htacces
/data
/config
/db_structure
/.xml
/README
}
header / {
Strict-Transport-Security "max-age=31536000;"
Referrer-Policy "no-referrer"
}
}