tocluster

2026-04-13 16:30:12 +02:00
parent 9cf7a7d12e
commit 6ce55e28f1
3 changed files with 152 additions and 17 deletions
--- a/79
+++ b/79
@@ -1,7 +1,17 @@
 {
 	email {$ACME_EMAIL}
 }
-git.{$DOMENESHOP_DNS} {
+### FUNKSJONER ###
+(remote-ip) {
+	@internal remote_ip 10.10.10.0/24 127.0.0.1/8
+	@external remote_ip 0.0.0.0/0
+}
+(common-auth) {
+	basicauth {
+		tvh $2a$14$9nNDlR6oYiSIX7ENnel.E.pezV8LQpHS3hhzhglXwijMFwgEYMAq2
+	}
+}
+(rate-limit) {
 	rate_limit {
 		zone git_zone {
 			key {remote_host}
@@ -9,27 +19,62 @@ git.{$DOMENESHOP_DNS} {
 			window 10s
 		}
 	}
-	reverse_proxy gitea:3000
+}
+(read-only) {
+	@readonly {
+		method POST PUT DELETE PATCH
+	}
+	respond @readonly 403
+}
+### TJENESTER ###
+git.{$DOMENESHOP_DNS} {
+	import remote-ip
+	handle @external {
+		import rate-limit
+		reverse_proxy gitea:3000
+	}
 }
 lms.home.{$DOMENESHOP_DNS}  {
-    tls internal
-    @internal remote_ip 10.10.10.0/24 127.0.0.1/8
-    handle @internal {
-        basicauth {
-            tvh $2a$14$9nNDlR6oYiSIX7ENnel.E.pezV8LQpHS3hhzhglXwijMFwgEYMAq2
-        }
-        reverse_proxy lms:9000        
-    }
-    respond "Forbidden" 403
+	tls internal
+	import remote-ip
+	handle @internal {
+		reverse_proxy lms:9000        
+	}
+	respond "Forbidden" 403
 }

 pihole.home.{$DOMENESHOP_DNS} {
-    tls internal
-    redir / /admin
-    reverse_proxy pihole:80
-    respond "Forbidden" 403
+	tls internal
+	import remote-ip
+	handle @internal {
+		redir / /admin
+		reverse_proxy pihole:80
+	}
 }
 nextcloud.{$DOMENESHOP_DNS}  {
-        encode gzip zstd
-        reverse_proxy nextcloud-app:80
+	import remote-ip
+	handle @external {
+		import rate-limit
+		encode gzip zstd
+		reverse_proxy nextcloud-app:80
+	}
 }
+portainer.{$DOMENESHOP_DNS} {
+	import remote-ip
+	handle @external {
+		import common-auth
+		import rate-limit
+		import read-only
+		reverse_proxy portainer:9000
+	}
+	respond "Forbidden" 403
+}
+portainer.home.{$DOMENESHOP_DNS} {
+	import remote-ip
+	handle @internal {
+		reverse_proxy portainer:9000
+	}
+        respond "Forbidden" 403
+}
+
+
--- a/Caddyfile.save
+++ b/Caddyfile.save
@@ -0,0 +1,87 @@
+{
+	email {$ACME_EMAIL}
+}
+(remote-ip) {
+	@internal remote_ip 10.10.10.0/24 127.0.0.1/8
+	@external remote_ip 0.0.0.0/0
+}
+(common-auth) {
+	basicauth {
+		tvh $2a$14$9nNDlR6oYiSIX7ENnel.E.pezV8LQpHS3hhzhglXwijMFwgEYMAq2
+	}
+}
+(rate-limit) {
+	rate_limit {
+		zone git_zone {
+			key {remote_host}
+			events 30
+			window 10s
+		}
+	}
+}
+(read-only) {
+	@readonly {
+		method POST PUT DELETE PATCH
+	}
+	respond @readonly 403
+	
+	# whitelist login/logout
+	@auth_ok {
+		path /api/auth/*
+	}
+	respond @readonly 403 {
+		not path /api/auth/*
+	}
+}
+git.{$DOMENESHOP_DNS} {
+	import remote-ip
+	handle @external {
+		import rate-limit
+		reverse_proxy gitea:3000
+	}
+}
+lms.home.{$DOMENESHOP_DNS}  {
+	tls internal
+	import remote-ip
+	handle @internal {
+		import common-auth
+		reverse_proxy lms:9000        
+	}
+	respond "Forbidden" 403
+}
+
+pihole.home.{$DOMENESHOP_DNS} {
+	tls internal
+	import remote-ip
+	import common-auth 
+	handle @internal {
+		redir / /admin
+		reverse_proxy pihole:80
+	}
+}
+nextcloud.{$DOMENESHOP_DNS}  {
+	import remote-ip
+	handle @external {
+		encode gzip zstd
+		reverse_proxy nextcloud-app:80
+	}
+}
+portainer.{$DOMENESHOP_DNS} {
+	import rate-limit
+	import remote-ip
+	handle @external {
+		import common-auth
+		import read-only
+		reverse_proxy portainer:9000
+	}
+	respond "Forbidden" 403
+}
+portainer.home.{$DOMENESHOP_DNS} {
+	import remote-ip
+	handle @internal {
+		reverse_proxy portainer:9000
+	}
+        respond "Forbidden" 403
+}
+
+
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -15,12 +15,15 @@ services:
    networks:
      - proxy_net
      - edge_net
+      - proxy_swarm

 networks:
  proxy_net:
    external: true
  edge_net:
    external: true
+  proxy_swarm:
+    external: true

 volumes:
  caddy_data: