# Global configuration for country blocking { servers { protocols h1 h2 h3 } } # Country allow list snippet using MaxMind GeoLocation - reusable across all sites {% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %} (country_allow) { @allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } @not_allowed_countries { not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 not { maxmind_geolocation { db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" allow_countries {{ allowed_countries_codes | join(' ') }} } } } respond @not_allowed_countries "Access denied" 403 } {% else %} (country_allow) { # Country allow list disabled } {% endif %} # European country allow list - allows all European countries only {% if eu_countries_codes | default([]) | length > 0 %} (eu_country_allow) { @eu_allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } @eu_not_allowed_countries { not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 not { maxmind_geolocation { db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" allow_countries {{ eu_countries_codes | join(' ') }} } } } respond @eu_not_allowed_countries "Access denied" 403 } {% else %} (eu_country_allow) { # EU country allow list disabled } {% endif %} # Trusted country allow list - allows US, Australia, New Zealand, and Japan {% if trusted_countries_codes | default([]) | length > 0 %} (trusted_country_allow) { @trusted_allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } @trusted_not_allowed_countries { not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 not { maxmind_geolocation { db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" allow_countries {{ trusted_countries_codes | join(' ') }} } } } respond @trusted_not_allowed_countries "Access denied" 403 } {% else %} (trusted_country_allow) { # Trusted country allow list disabled } {% endif %} # Sathub country allow list - combines EU and trusted countries {% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %} (sathub_country_allow) { @sathub_allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } @sathub_not_allowed_countries { not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 not { maxmind_geolocation { db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }} } } } respond @sathub_not_allowed_countries "Access denied" 403 } {% else %} (sathub_country_allow) { # Sathub country allow list disabled } {% endif %} {% if inventory_hostname == 'mennos-server' %} git.mvl.sh { import country_allow reverse_proxy gitea:3000 tls {{ caddy_email }} } git.vleeuwen.me { import country_allow redir https://git.mvl.sh{uri} tls {{ caddy_email }} } df.mvl.sh { import country_allow redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh tls {{ caddy_email }} } fsm.mvl.sh { import country_allow reverse_proxy factorio-server-manager:80 tls {{ caddy_email }} } fsm.vleeuwen.me { import country_allow redir https://fsm.mvl.sh{uri} tls {{ caddy_email }} } beszel.mvl.sh { import country_allow reverse_proxy beszel:8090 tls {{ caddy_email }} } beszel.vleeuwen.me { import country_allow redir https://beszel.mvl.sh{uri} tls {{ caddy_email }} } sathub.de { import sathub_country_allow handle { reverse_proxy sathub-frontend:4173 } # Enable compression encode gzip # Security headers header { X-Frame-Options "SAMEORIGIN" X-Content-Type-Options "nosniff" X-XSS-Protection "1; mode=block" Referrer-Policy "strict-origin-when-cross-origin" Strict-Transport-Security "max-age=31536000; includeSubDomains" } tls {{ caddy_email }} } api.sathub.de { import sathub_country_allow reverse_proxy sathub-backend:4001 tls {{ caddy_email }} } sathub.nl { import sathub_country_allow redir https://sathub.de{uri} tls {{ caddy_email }} } photos.mvl.sh { import country_allow reverse_proxy immich:2283 tls {{ caddy_email }} } photos.vleeuwen.me { import country_allow redir https://photos.mvl.sh{uri} tls {{ caddy_email }} } home.mvl.sh { import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } home.vleeuwen.me { import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } unifi.mvl.sh { reverse_proxy unifi-controller:8443 { transport http { tls_insecure_skip_verify } header_up Host {host} } tls {{ caddy_email }} } hotspot.mvl.sh { reverse_proxy unifi-controller:8843 { transport http { tls_insecure_skip_verify } header_up Host {host} } tls {{ caddy_email }} } hotspot.mvl.sh:80 { redir https://hotspot.mvl.sh{uri} permanent } bin.mvl.sh { import country_allow reverse_proxy privatebin:8080 tls {{ caddy_email }} } ip.mvl.sh ip.vleeuwen.me { import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } http://ip.mvl.sh http://ip.vleeuwen.me { import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } } overseerr.mvl.sh { import country_allow reverse_proxy overseerr:5055 tls {{ caddy_email }} } overseerr.vleeuwen.me { import country_allow redir https://overseerr.mvl.sh{uri} tls {{ caddy_email }} } plex.mvl.sh { import country_allow reverse_proxy host.docker.internal:32400 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } plex.vleeuwen.me { import country_allow redir https://plex.mvl.sh{uri} tls {{ caddy_email }} } tautulli.mvl.sh { import country_allow reverse_proxy host.docker.internal:8181 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } tautulli.vleeuwen.me { import country_allow redir https://tautulli.mvl.sh{uri} tls {{ caddy_email }} } cloud.mvl.sh { import country_allow reverse_proxy cloudreve:5212 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } cloud.vleeuwen.me { import country_allow redir https://cloud.mvl.sh{uri} tls {{ caddy_email }} } collabora.mvl.sh { import country_allow reverse_proxy collabora:9980 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} } tls {{ caddy_email }} } drive.mvl.sh drive.vleeuwen.me { import country_allow # CalDAV and CardDAV redirects redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301 # Handle other .well-known requests handle /.well-known/* { reverse_proxy nextcloud:80 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} } } # Main reverse proxy configuration with proper headers reverse_proxy nextcloud:80 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} } # Security headers header { # HSTS header for enhanced security (required by Nextcloud) Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Additional security headers recommended for Nextcloud X-Content-Type-Options "nosniff" X-Frame-Options "SAMEORIGIN" Referrer-Policy "no-referrer" X-XSS-Protection "1; mode=block" X-Permitted-Cross-Domain-Policies "none" X-Robots-Tag "noindex, nofollow" } tls {{ caddy_email }} } {% endif %}