From 105e2f0d40e9e78c54ce0b79725fdf124b6f023c Mon Sep 17 00:00:00 2001
From: gitea
Date: Sun, 24 Mar 2024 23:15:27 +0100
Subject: [PATCH] first commit
---
.gitignore | 10 ++++
Caddyfile | 137 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 147 insertions(+)
create mode 100644 .gitignore
create mode 100644 Caddyfile
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..af03408
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+# Ignore everything
+*
+
+# But not these files...
+!.gitignore
+!Caddyfile
+
+# ...even if they are in subdirectories
+!*/
+
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..3efb1aa
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,137 @@
+(headers_reverseproxy_nextcloud) {
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubdomains"
+ }
+}
+
+(headers_reverseproxy) {
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubdomains"
+ X-XSS-Protection "1; mode=block"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "same-origin"
+ }
+}
+(logging) {
+ log {
+ output file caddy_access_{args.0}.log {
+ roll_size 32mb
+ roll_keep 5
+ roll_keep_for 720h
+ }
+ }
+}
+
+https://origine.nsupdate.info {
+ import headers_reverseproxy
+ reverse_proxy 192.168.1.2:8123
+ import logging origine.nsupdate.info
+}
+
+adguard.nsupdate.info {
+ reverse_proxy 192.168.1.3:85
+ import logging adguard.nsupdate.info
+}
+
+adminer.nsupdate.info {
+ reverse_proxy 192.168.1.3:82
+ import logging adminer.nsupdate.info
+}
+
+next.nsupdate.info {
+ import headers_reverseproxy_nextcloud
+ rewrite /.well-known/carddav /remote.php/dav
+ rewrite /.well-known/caldav /remote.php/dav
+ reverse_proxy 192.168.1.3:83
+ import logging next.nsupdate.info
+}
+
+tty.nsupdate.info {
+ rewrite / /wetty{uri}
+ reverse_proxy 192.168.1.3:3333
+# import logging tty.nsupdate.info
+}
+
+bloggy.nsupdate.info {
+ reverse_proxy 192.168.1.3:84
+ import logging bloggy.nsupdate.info
+}
+
+
+ntfy.nsupdate.info {
+ reverse_proxy 192.168.1.3:87
+ import logging ntfy.nsupdate.info
+}
+
+motion.nsupdate.info {
+ reverse_proxy 192.168.1.3:8081
+ import logging motion.nsupdate.info
+}
+
+
+tag.nsupdate.info {
+ reverse_proxy 192.168.1.3:88
+ import logging tag.nsupdate.info
+}
+
+#netdisco.nsupdate.info {
+# reverse_proxy 192.168.1.3:5000
+# import logging netdisco.nsupdate.info
+#}
+
+
+
+
+vault.nsupdate.info {
+
+
+ # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
+ # tls {$EMAIL}
+
+ # Or uncomment this if you're providing your own cert. You would also use this option
+ # if you're running behind Cloudflare.
+ # tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}
+
+ # This setting may have compatibility issues with some browsers
+ # (e.g., attachment downloading on Firefox). Try disabling this
+ # if you encounter issues.
+ encode gzip
+
+ # Uncomment to improve security (WARNING: only use if you understand the implications!)
+ # header {
+ # # Enable HTTP Strict Transport Security (HSTS)
+ # Strict-Transport-Security "max-age=31536000;"
+ # # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ # X-XSS-Protection "1; mode=block"
+ # # Disallow the site to be rendered within a frame (clickjacking protection)
+ # X-Frame-Options "DENY"
+ # # Prevent search engines from indexing (optional)
+ # X-Robots-Tag "none"
+ # # Server name removing
+ # -Server
+ # }
+
+ # Uncomment to allow access to the admin interface only from local networks
+ # @insecureadmin {
+ # not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+ # path /admin*
+ # }
+ # redir @insecureadmin /
+
+ # Notifications redirected to the websockets server
+ reverse_proxy /notifications/hub 192.168.1.3:3012
+
+ # Proxy everything else to Rocket
+ reverse_proxy 192.168.1.3:86 {
+ # Send the true remote IP to Rocket, so that vaultwarden can put this in the
+ # log, so that fail2ban can ban the correct IP.
+ header_up X-Real-IP {remote_host}
+ }
+}
+
+
+boxnet.nsupdate.info {
+ reverse_proxy 192.168.1.3:90
+ import logging boxnet.nsupdate.info
+}
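Review bot: The `adminer`, `tty` (wetty), `adguard` and `motion` sites are published with a bare `reverse_proxy` and nothing at the proxy limiting who can reach them, so a database console, a web terminal, a DNS admin panel and a camera feed rely entirely on each backend's own login. `tty.nsupdate.info` also has its `import logging` line commented out, leaving the one site that serves a shell without an access log; I would restore `import logging tty.nsupdate.info`. A shared snippet using the same `remote_ip` ranges as the commented `@insecureadmin` matcher in the vault block would keep these sites to local networks, assuming Caddy sees the real client address; if remote access is intended, put an authentication layer in front of them instead. The `vault.nsupdate.info` block likewise leaves its `/admin` restriction commented out and imports no logging snippet, and both are worth enabling.

```caddyfile
# Constructed example: reusable local-network guard, ranges copied from the vault block's commented matcher
(lan_only) {
	@external not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	respond @external 403
}

tty.nsupdate.info {
	import lan_only
	import logging tty.nsupdate.info
	# … unchanged: rewrite to /wetty and reverse_proxy …
}

adminer.nsupdate.info {
	import lan_only
	# … unchanged: reverse_proxy and logging import …
}
```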