Menno van Leeuwen
e14dd1d224
Define separate lists for EU and trusted countries in group vars. Update Caddyfile template to support EU, trusted, and combined allow lists. Switch Sathub domains to use combined country allow list.
355 lines
8.7 KiB
Django/Jinja
355 lines
8.7 KiB
Django/Jinja
# Global configuration for country blocking
|
|
{
|
|
servers {
|
|
protocols h1 h2 h3
|
|
}
|
|
}
|
|
|
|
# Country allow list snippet using MaxMind GeoLocation - reusable across all sites
|
|
{% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
|
|
(country_allow) {
|
|
@allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries {{ allowed_countries_codes | join(' ') }}
|
|
}
|
|
}
|
|
}
|
|
respond @not_allowed_countries "Access denied" 403
|
|
}
|
|
{% else %}
|
|
(country_allow) {
|
|
# Country allow list disabled
|
|
}
|
|
{% endif %}
|
|
|
|
# European country allow list - allows all European countries only
|
|
{% if eu_countries_codes | default([]) | length > 0 %}
|
|
(eu_country_allow) {
|
|
@eu_allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@eu_not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries {{ eu_countries_codes | join(' ') }}
|
|
}
|
|
}
|
|
}
|
|
respond @eu_not_allowed_countries "Access denied" 403
|
|
}
|
|
{% else %}
|
|
(eu_country_allow) {
|
|
# EU country allow list disabled
|
|
}
|
|
{% endif %}
|
|
|
|
# Trusted country allow list - allows US, Australia, New Zealand, and Japan
|
|
{% if trusted_countries_codes | default([]) | length > 0 %}
|
|
(trusted_country_allow) {
|
|
@trusted_allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@trusted_not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries {{ trusted_countries_codes | join(' ') }}
|
|
}
|
|
}
|
|
}
|
|
respond @trusted_not_allowed_countries "Access denied" 403
|
|
}
|
|
{% else %}
|
|
(trusted_country_allow) {
|
|
# Trusted country allow list disabled
|
|
}
|
|
{% endif %}
|
|
|
|
# Sathub country allow list - combines EU and trusted countries
|
|
{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %}
|
|
(sathub_country_allow) {
|
|
@sathub_allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@sathub_not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }}
|
|
}
|
|
}
|
|
}
|
|
respond @sathub_not_allowed_countries "Access denied" 403
|
|
}
|
|
{% else %}
|
|
(sathub_country_allow) {
|
|
# Sathub country allow list disabled
|
|
}
|
|
{% endif %}
|
|
|
|
{% if inventory_hostname == 'mennos-server' %}
|
|
git.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy gitea:3000
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
git.vleeuwen.me {
|
|
import country_allow
|
|
redir https://git.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
df.mvl.sh {
|
|
import country_allow
|
|
redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
fsm.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy factorio-server-manager:80
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
fsm.vleeuwen.me {
|
|
import country_allow
|
|
redir https://fsm.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
beszel.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy beszel:8090
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
beszel.vleeuwen.me {
|
|
import country_allow
|
|
redir https://beszel.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
sathub.de {
|
|
import sathub_country_allow
|
|
|
|
handle {
|
|
reverse_proxy sathub-frontend:4173
|
|
}
|
|
|
|
# Enable compression
|
|
encode gzip
|
|
|
|
# Security headers
|
|
header {
|
|
X-Frame-Options "SAMEORIGIN"
|
|
X-Content-Type-Options "nosniff"
|
|
X-XSS-Protection "1; mode=block"
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
api.sathub.de {
|
|
import sathub_country_allow
|
|
reverse_proxy sathub-backend:4001
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
sathub.nl {
|
|
import sathub_country_allow
|
|
redir https://sathub.de{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
photos.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy immich:2283
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
photos.vleeuwen.me {
|
|
import country_allow
|
|
redir https://photos.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
home.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8123 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
home.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8123 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
|
|
unifi.mvl.sh {
|
|
reverse_proxy unifi-controller:8443 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
header_up Host {host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
hotspot.mvl.sh {
|
|
reverse_proxy unifi-controller:8843 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
header_up Host {host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
hotspot.mvl.sh:80 {
|
|
redir https://hotspot.mvl.sh{uri} permanent
|
|
}
|
|
|
|
bin.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy privatebin:8080
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
ip.mvl.sh ip.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy echoip:8080 {
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
http://ip.mvl.sh http://ip.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy echoip:8080 {
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
}
|
|
|
|
overseerr.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy overseerr:5055
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
overseerr.vleeuwen.me {
|
|
import country_allow
|
|
redir https://overseerr.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
plex.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:32400 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
plex.vleeuwen.me {
|
|
import country_allow
|
|
redir https://plex.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
tautulli.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8181 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
tautulli.vleeuwen.me {
|
|
import country_allow
|
|
redir https://tautulli.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
cloud.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy cloudreve:5212 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
cloud.vleeuwen.me {
|
|
import country_allow
|
|
redir https://cloud.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
collabora.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy collabora:9980 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
drive.mvl.sh drive.vleeuwen.me {
|
|
import country_allow
|
|
|
|
# CalDAV and CardDAV redirects
|
|
redir /.well-known/carddav /remote.php/dav/ 301
|
|
redir /.well-known/caldav /remote.php/dav/ 301
|
|
|
|
# Handle other .well-known requests
|
|
handle /.well-known/* {
|
|
reverse_proxy nextcloud:80 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
}
|
|
|
|
# Main reverse proxy configuration with proper headers
|
|
reverse_proxy nextcloud:80 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
# HSTS header for enhanced security (required by Nextcloud)
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
# Additional security headers recommended for Nextcloud
|
|
X-Content-Type-Options "nosniff"
|
|
X-Frame-Options "SAMEORIGIN"
|
|
Referrer-Policy "no-referrer"
|
|
X-XSS-Protection "1; mode=block"
|
|
X-Permitted-Cross-Domain-Policies "none"
|
|
X-Robots-Tag "noindex, nofollow"
|
|
}
|
|
|
|
tls {{ caddy_email }}
|
|
}
|
|
{% endif %}
|