303 lines
6.9 KiB
Django/Jinja
303 lines
6.9 KiB
Django/Jinja
# Global configuration for country blocking
|
|
{
|
|
servers {
|
|
protocols h1 h2 h3
|
|
}
|
|
}
|
|
|
|
# Country allow list snippet using MaxMind GeoLocation - reusable across all sites
|
|
{% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
|
|
(country_allow) {
|
|
@allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries {{ allowed_countries_codes | join(' ') }}
|
|
}
|
|
}
|
|
}
|
|
respond @not_allowed_countries "Access denied" 403
|
|
}
|
|
{% else %}
|
|
(country_allow) {
|
|
# Country allow list disabled
|
|
}
|
|
{% endif %}
|
|
|
|
# European country allow list - allows all European countries
|
|
(eu_country_allow) {
|
|
@allowed_local {
|
|
remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
}
|
|
@not_allowed_countries {
|
|
not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
|
|
not {
|
|
maxmind_geolocation {
|
|
db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
|
|
allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA
|
|
}
|
|
}
|
|
}
|
|
respond @not_allowed_countries "Access denied" 403
|
|
}
|
|
|
|
{% if inventory_hostname == 'mennos-server' %}
|
|
git.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy gitea:3000
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
git.vleeuwen.me {
|
|
import country_allow
|
|
redir https://git.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
df.mvl.sh {
|
|
import country_allow
|
|
redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
fsm.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy factorio-server-manager:80
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
fsm.vleeuwen.me {
|
|
import country_allow
|
|
redir https://fsm.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
beszel.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy beszel:8090
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
beszel.vleeuwen.me {
|
|
import country_allow
|
|
redir https://beszel.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
sathub.de {
|
|
import eu_country_allow
|
|
|
|
handle {
|
|
reverse_proxy sathub-frontend:4173
|
|
}
|
|
|
|
# Enable compression
|
|
encode gzip
|
|
|
|
# Security headers
|
|
header {
|
|
X-Frame-Options "SAMEORIGIN"
|
|
X-Content-Type-Options "nosniff"
|
|
X-XSS-Protection "1; mode=block"
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
api.sathub.de {
|
|
import eu_country_allow
|
|
reverse_proxy sathub-backend:4001
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
sathub.nl {
|
|
import eu_country_allow
|
|
redir https://sathub.de{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
photos.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy immich:2283
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
photos.vleeuwen.me {
|
|
import country_allow
|
|
redir https://photos.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
home.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8123 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
home.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8123 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
|
|
unifi.mvl.sh {
|
|
reverse_proxy unifi-controller:8443 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
header_up Host {host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
hotspot.mvl.sh {
|
|
reverse_proxy unifi-controller:8843 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
header_up Host {host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
hotspot.mvl.sh:80 {
|
|
redir https://hotspot.mvl.sh{uri} permanent
|
|
}
|
|
|
|
bin.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy privatebin:8080
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
ip.mvl.sh ip.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy echoip:8080 {
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
http://ip.mvl.sh http://ip.vleeuwen.me {
|
|
import country_allow
|
|
reverse_proxy echoip:8080 {
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
}
|
|
|
|
overseerr.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy overseerr:5055
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
overseerr.vleeuwen.me {
|
|
import country_allow
|
|
redir https://overseerr.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
plex.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:32400 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
plex.vleeuwen.me {
|
|
import country_allow
|
|
redir https://plex.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
tautulli.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy host.docker.internal:8181 {
|
|
header_up Host {upstream_hostport}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
tautulli.vleeuwen.me {
|
|
import country_allow
|
|
redir https://tautulli.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
cloud.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy cloudreve:5212 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
cloud.vleeuwen.me {
|
|
import country_allow
|
|
redir https://cloud.mvl.sh{uri}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
collabora.mvl.sh {
|
|
import country_allow
|
|
reverse_proxy collabora:9980 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
tls {{ caddy_email }}
|
|
}
|
|
|
|
drive.mvl.sh drive.vleeuwen.me {
|
|
import country_allow
|
|
|
|
# CalDAV and CardDAV redirects
|
|
redir /.well-known/carddav /remote.php/dav/ 301
|
|
redir /.well-known/caldav /remote.php/dav/ 301
|
|
|
|
# Handle other .well-known requests
|
|
handle /.well-known/* {
|
|
reverse_proxy nextcloud:80 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
}
|
|
|
|
# Main reverse proxy configuration with proper headers
|
|
reverse_proxy nextcloud:80 {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {http.request.remote.host}
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
# HSTS header for enhanced security (required by Nextcloud)
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
# Additional security headers recommended for Nextcloud
|
|
X-Content-Type-Options "nosniff"
|
|
X-Frame-Options "SAMEORIGIN"
|
|
Referrer-Policy "no-referrer"
|
|
X-XSS-Protection "1; mode=block"
|
|
X-Permitted-Cross-Domain-Policies "none"
|
|
X-Robots-Tag "noindex, nofollow"
|
|
}
|
|
|
|
tls {{ caddy_email }}
|
|
}
|
|
{% endif %}
|