From e57e9ee67c9f62dd612bab5b52f445cf0935713e Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 02:02:46 +0200 Subject: [PATCH] chore: update country allow list and add European allow option --- .../tasks/servers/services/caddy/Caddyfile.j2 | 79 +++++++++++-------- 1 file changed, 48 insertions(+), 31 deletions(-) diff --git a/ansible/tasks/servers/services/caddy/Caddyfile.j2 b/ansible/tasks/servers/services/caddy/Caddyfile.j2 index 4eeed84..baaa866 100644 --- a/ansible/tasks/servers/services/caddy/Caddyfile.j2 +++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2 @@ -5,9 +5,9 @@ } } -# Country blocking snippet using MaxMind GeoLocation - reusable across all sites +# Country allow list snippet using MaxMind GeoLocation - reusable across all sites {% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %} -(country_block) { +(country_allow) { @allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } 
@@ -23,56 +23,73 @@ respond @not_allowed_countries "Access denied" 403 } {% else %} -(country_block) { - # Country blocking disabled +(country_allow) { + # Country allow list disabled } {% endif %} +# European country allow list - allows all European countries +(eu_country_allow) { + @allowed_local { + remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + } + @not_allowed_countries { + not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + not { + maxmind_geolocation { + db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" + allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA + } + } + } + respond @not_allowed_countries "Access denied" 403 +} + {% if inventory_hostname == 'mennos-server' %} git.mvl.sh { - import country_block + import country_allow reverse_proxy gitea:3000 tls {{ caddy_email }} } git.vleeuwen.me { - import country_block + import country_allow redir https://git.mvl.sh{uri} tls {{ caddy_email }} } df.mvl.sh { - import country_block + import country_allow redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh tls {{ caddy_email }} } fsm.mvl.sh { - import country_block + import country_allow reverse_proxy factorio-server-manager:80 tls {{ caddy_email }} } fsm.vleeuwen.me { - import country_block + import country_allow redir https://fsm.mvl.sh{uri} tls {{ caddy_email }} } beszel.mvl.sh { - import country_block + import country_allow reverse_proxy beszel:8090 tls {{ caddy_email }} } beszel.vleeuwen.me { - import country_block + import country_allow redir https://beszel.mvl.sh{uri} tls {{ caddy_email }} } sathub.de { - import country_block + import eu_country_allow handle { reverse_proxy sathub-frontend:4173 
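Review bot: The new `(eu_country_allow)` snippet is defined outside the `{% if enable_country_blocking | default(false) and allowed_countries_codes ... %}` guard that wraps `(country_allow)`, so sathub.de (this hunk), api.sathub.de and sathub.nl (next hunk) always load `maxmind_geolocation` with the hard-coded `db_path`, even on hosts where country filtering is switched off; the existing snippet has an explicit disabled variant for that case, and if the GeoLite2 database is only deployed when the feature is enabled, Caddy would presumably fail to load the rendered config. Wrapping the snippet in the same toggle with an empty fallback keeps the two snippets consistent. The snippet also repeats the trusted-IP list from `(country_allow)` twice (in `@allowed_local`, which nothing inside the snippet references, and in the `not remote_ip` line), so 157.180.41.167 and 2a01:4f9:c013:1a13::1 now have to be kept in sync in four places; a shared Jinja variable for that list would remove the duplication. The country list could likewise come from a variable (e.g. a proposed `eu_allowed_countries_codes`) rather than being hard-coded, and the comment `allows all European countries` should mention that it also admits transcontinental codes such as TR, GE, AM and AZ so the scope is not misread.
```jinja
{% if enable_country_blocking | default(false) %}
# European country allow list - allows all European countries (also TR, GE, AM, AZ)
(eu_country_allow) {
    # … unchanged: @allowed_local / @not_allowed_countries matchers and respond …
}
{% else %}
(eu_country_allow) {
    # European country allow list disabled
}
{% endif %}
```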
@@ -93,31 +110,31 @@ sathub.de { } api.sathub.de { - import country_block + import eu_country_allow reverse_proxy sathub-backend:4001 tls {{ caddy_email }} } sathub.nl { - import country_block + import eu_country_allow redir https://sathub.de{uri} tls {{ caddy_email }} } photos.mvl.sh { - import country_block + import country_allow reverse_proxy immich:2283 tls {{ caddy_email }} } photos.vleeuwen.me { - import country_block + import country_allow redir https://photos.mvl.sh{uri} tls {{ caddy_email }} } home.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -126,7 +143,7 @@ home.mvl.sh { } home.vleeuwen.me { - import country_block + import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -160,13 +177,13 @@ hotspot.mvl.sh:80 { } bin.mvl.sh { - import country_block + import country_allow reverse_proxy privatebin:8080 tls {{ caddy_email }} } ip.mvl.sh ip.vleeuwen.me { - import country_block + import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } @@ -174,26 +191,26 @@ ip.mvl.sh ip.vleeuwen.me { } http://ip.mvl.sh http://ip.vleeuwen.me { - import country_block + import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } } overseerr.mvl.sh { - import country_block + import country_allow reverse_proxy overseerr:5055 tls {{ caddy_email }} } overseerr.vleeuwen.me { - import country_block + import country_allow redir https://overseerr.mvl.sh{uri} tls {{ caddy_email }} } plex.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:32400 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} 
@@ -202,13 +219,13 @@ plex.mvl.sh { } plex.vleeuwen.me { - import country_block + import country_allow redir https://plex.mvl.sh{uri} tls {{ caddy_email }} } tautulli.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:8181 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -217,13 +234,13 @@ tautulli.mvl.sh { } tautulli.vleeuwen.me { - import country_block + import country_allow redir https://tautulli.mvl.sh{uri} tls {{ caddy_email }} } cloud.mvl.sh { - import country_block + import country_allow reverse_proxy cloudreve:5212 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} @@ -232,13 +249,13 @@ cloud.mvl.sh { } cloud.vleeuwen.me { - import country_block + import country_allow redir https://cloud.mvl.sh{uri} tls {{ caddy_email }} } collabora.mvl.sh { - import country_block + import country_allow reverse_proxy collabora:9980 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} @@ -247,7 +264,7 @@ collabora.mvl.sh { } drive.mvl.sh drive.vleeuwen.me { - import country_block + import country_allow # CalDAV and CardDAV redirects redir /.well-known/carddav /remote.php/dav/ 301