redis config

This commit is contained in:
root
2026-01-02 15:49:19 -08:00
parent 44a02c0ac9
commit 3335cae62b
3 changed files with 113 additions and 65 deletions


@@ -1,22 +1,22 @@
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
{
# 1. GLOBAL CONFIG
servers {
trusted_proxies static private_ranges
client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP
}
#acme_ca https://acme.zerossl.com/v2/DV90
email charles.a.monroe@gmail.com
#acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
order coraza_waf first
storage redis {
address 192.168.0.120:6379
password {env.REDIS_PASSWORD}
db 2
key_prefix caddy
tls_enabled false
}
}
# --- SNIPPETS ---
(internal_tls) {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
@@ -39,16 +39,34 @@
redir @admin /
}
# Standard WAF (For most apps)
(waf) {
coraza_waf {
include /etc/caddy/coraza/coraza.conf
}
}
# Nextcloud WAF (Includes your specific exclusions)
(nextcloud_waf) {
coraza_waf {
include /etc/caddy/coraza/coraza.conf
include /etc/caddy/coraza/nextcloud-exclusions.conf
include /etc/caddy/coraza/nextcloud-waf.conf
}
}
# --- SERVICES ---
auth.poppyglen.cc {
import internal_tls
reverse_proxy 192.168.0.107:9091 {
trusted_proxies 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 2400:cb00::/32 2405:8100::/32 2405:b500::/32 2606:4700::/32 2803:f800::/32 2a06:98c0::/29 2c0f:f248::/32
}
}
# ... (Your Internal .lan services remain unchanged) ...
gitea.home.lan {
# Tells Caddy to generate a local self-signed cert for this .lan domain
tls internal
# Point this to your Gitea Container IP and Port
reverse_proxy 192.168.0.109:3000
}
@@ -94,6 +112,10 @@ ldap.home.lan {
cloud.home.lan {
tls internal
# ENABLE WAF HERE (If you want it on internal Nextcloud)
# import nextcloud_waf
request_body {
max_size 10G
}
@@ -110,11 +132,6 @@ cloud.home.lan {
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
}
#log {
# output file /data/caddy_access.log
# format json
#}
route {
handle_path /index.php/apps/memories/static/go-vod/* {
reverse_proxy 192.168.0.115:8080
@@ -130,6 +147,7 @@ cloud.home.lan {
}
}
# This is the domain providing the certs for your LDAP container!
ldap.poppyglen.cc {
import internal_tls
reverse_proxy 192.168.0.126:17170
@@ -137,21 +155,29 @@ ldap.poppyglen.cc {
immich.poppyglen.cc {
route {
#import authelia
#coraza_waf /etc/caddy/waf/coraza.conf
# 1. Authelia Check
# import authelia
# 2. WAF Check (Must be before proxy)
import waf
# 3. Proxy
reverse_proxy 192.168.0.105:2283 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
}
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
}
}
}
jellyfin.poppyglen.cc {
route {
import authelia
#coraza_waf /etc/caddy/waf/coraza.conf
# WAF Enabled
import waf
reverse_proxy 192.168.0.106:8096
}
}
@@ -169,9 +195,11 @@ vault.poppyglen.cc {
}
import admin_redir
# Optionally enable WAF for vaultwarden too:
# import waf
reverse_proxy 192.168.0.104:8000 {
# Pass the real client IP to Vaultwarden (crucial for fail2ban/security logs)
header_up X-Real-IP {remote_host}
}
}
@@ -179,18 +207,3 @@ vault.poppyglen.cc {
mail.poppyglen.cc {
respond "Mail Server SSL Endpoint"
}
#:80 {
# Set this path to your site's directory.
# root * /usr/share/caddy
# Enable the static file server.
# file_server
# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
#}
# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
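Review bot: The `storage redis` block in the global options — by the commit title the addition under review — sets `tls_enabled false`, so everything Caddy persists in that store, which includes ACME account keys and the private keys of every issued certificate, travels to 192.168.0.120:6379 unencrypted, guarded only by a `{env.REDIS_PASSWORD}` AUTH exchange that is itself sent in the clear. Unless Redis runs on the same host or on an isolated segment, enable TLS on the Redis side and set `tls_enabled true`, or record the accepted risk next to the setting with a comment such as `# Redis reachable only over the isolated management segment; TLS private keys traverse this link in cleartext`. In the same hunk, `trusted_proxies static private_ranges` combined with `client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP` lets any host in private address space choose the client IP that the WAF, Authelia and the upstream apps see and log; if only specific edge proxies should be trusted, a narrower CIDR list like the explicit one already in auth.poppyglen.cc's `reverse_proxy` block is the safer choice. The global options block closes inside the first hunk, but several site blocks further down are cut by hunk boundaries.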


@@ -1,7 +1,10 @@
#!/bin/bash
# --- CONFIGURATION ---
SECRETS_FILE="/mnt/secrets/caddy.env"
SECRETS_FILES=(
"/mnt/secrets/caddy.env"
"/mnt/secrets/redis.env"
)
CADDY_BIN="/usr/bin/caddy"
SYSTEMD_OVERRIDE_DIR="/etc/systemd/system/caddy.service.d"
GO_VERSION="1.25.5"
@@ -99,37 +102,69 @@ else
chmod +x "$CADDY_BIN"
fi
# --- 6. CONFIGURE SYSTEMD SECRETS (ROBUST METHOD) ---
echo "Configuring Systemd..."
# --- 6. CONFIGURE SYSTEMD SECRETS ---
echo "Configuring Systemd Secrets..."
mkdir -p "$SYSTEMD_OVERRIDE_DIR"
echo "[Service]" > "$SYSTEMD_OVERRIDE_DIR/override.conf"
for SECRETS_FILE in "${SECRETS_FILES[@]}"; do
if [ ! -f "$SECRETS_FILE" ]; then
echo "⚠️ WARNING: Secrets file not found: $SECRETS_FILE"
continue
fi
if [ ! -f "$SECRETS_FILE" ]; then
echo "WARNING: Secrets file not found at $SECRETS_FILE."
else
echo "Reading secrets from $SECRETS_FILE..."
mkdir -p "$SYSTEMD_OVERRIDE_DIR"
# Start the override file
echo "[Service]" > "$SYSTEMD_OVERRIDE_DIR/override.conf"
# Read the file line-by-line
while IFS= read -r line || [ -n "$line" ]; do
# 1. Skip comments (lines starting with #)
# Skip comments/empty lines
[[ "$line" =~ ^#.*$ ]] && continue
# 2. Skip empty lines
[[ -z "${line// }" ]] && continue
# 3. Clean 'export ' keyword if present (Systemd hates 'export')
# Clean 'export' and whitespace
clean_line="${line//export /}"
# 4. Remove leading/trailing whitespace
clean_line=$(echo "$clean_line" | xargs)
# 5. Inject into the config
# We wrap in quotes to handle special characters safely
# Inject
echo "Environment=\"$clean_line\"" >> "$SYSTEMD_OVERRIDE_DIR/override.conf"
echo " + Injected: ${clean_line%%=*}" # Log variable name (security: hide value)
echo " + Injected: ${clean_line%%=*}"
done < "$SECRETS_FILE"
done
# --- 6.5 SETUP WAF (CORAZA & OWASP CRS) ---
echo "Setting up WAF Rules (OWASP CRS)..."
WAF_DEST="/etc/caddy/coraza"
mkdir -p "$WAF_DEST"
# 1. Download OWASP Core Rule Set (v4.0.0)
# We only download if the rules directory is missing
if [ ! -d "$WAF_DEST/rules" ]; then
echo "Downloading OWASP CRS v4..."
curl -SL https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz -o /tmp/crs.tar.gz
tar -xzf /tmp/crs.tar.gz -C /tmp
# Move rules to destination
mv /tmp/coreruleset-4.0.0/rules "$WAF_DEST/"
# We rename the example setup to the standard name
mv /tmp/coreruleset-4.0.0/crs-setup.conf.example "$WAF_DEST/crs-setup.conf"
rm -rf /tmp/crs.tar.gz /tmp/coreruleset-4.0.0
else
echo "✅ OWASP Rules already present."
fi
# 2. Deploy YOUR Custom WAF Configs
# This copies your 'waf' folder contents into /etc/caddy/coraza/
if [ -d "./waf" ]; then
echo "Copying custom WAF configurations..."
cp -r ./waf/* "$WAF_DEST/"
# Fix permissions
chown -R caddy:caddy "$WAF_DEST"
# Ensure logs directory exists
mkdir -p /var/log/caddy
chown -R caddy:caddy /var/log/caddy
else
echo "WARNING: ./waf folder not found in repo. Skipping custom configs."
fi
if [ -f "./Caddyfile" ]; then
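Review bot: In the secrets loop, `clean_line=$(echo "$clean_line" | xargs)` passes each secret value through xargs, which treats quotes and backslashes as syntax — a REDIS_PASSWORD containing `'` or `"` is silently altered or makes xargs abort with an unmatched-quote error, and `${line//export /}` also removes the substring `export ` from inside values rather than only a leading keyword. The override file that receives the plaintext values is created with whatever umask the script inherits (typically 022, leaving it world-readable under /etc/systemd), so tighten it with `chmod 0600 "$SYSTEMD_OVERRIDE_DIR/override.conf"` right after it is created, or point systemd at the secrets files with `EnvironmentFile=` instead of copying values into a unit drop-in. Separately, the new CRS download writes to a fixed `/tmp/crs.tar.gz` with neither `-f` (an HTTP error page would be saved and fed to tar) nor any integrity check on the tag tarball, so a pinned sha256 comparison before `tar -xzf` and a `mktemp -d` workspace are worth adding. The script continues past the hunk: `if [ -f "./Caddyfile" ]; then` on the last line opens a block that is closed outside it.
```shell
echo "[Service]" > "$SYSTEMD_OVERRIDE_DIR/override.conf"
chmod 0600 "$SYSTEMD_OVERRIDE_DIR/override.conf"   # plaintext secrets are appended below
# … unchanged: loop over SECRETS_FILES, comment/blank-line skipping …
    # Trim whitespace with parameter expansion (no xargs, no quote/backslash mangling),
    # then drop only a *leading* 'export ' keyword
    clean_line="${line#"${line%%[![:space:]]*}"}"
    clean_line="${clean_line%"${clean_line##*[![:space:]]}"}"
    clean_line="${clean_line#export }"
# … unchanged: Environment= injection and "+ Injected" logging …
# … unchanged: WAF_DEST setup and rules-directory check …
    CRS_TMP=$(mktemp -d) || exit 1
    curl -fsSL "https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz" -o "$CRS_TMP/crs.tar.gz" || exit 1
    echo "<PINNED_SHA256_OF_CRS_v4.0.0_TARBALL>  $CRS_TMP/crs.tar.gz" | sha256sum -c - || exit 1
    tar -xzf "$CRS_TMP/crs.tar.gz" -C "$CRS_TMP"
# … unchanged: mv of rules/ and crs-setup.conf (now from "$CRS_TMP/coreruleset-4.0.0"), cleanup of "$CRS_TMP" …
```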


@@ -1,7 +1,7 @@
# Main Coraza WAF Configuration (Strict)
# 1. Load the OWASP setup file
Include /etc/caddy/waf/owasp-crs/crs-setup.conf
Include /etc/caddy/coraza/crs-setup.conf
# 2. Load all the OWASP rule files
Include /etc/caddy/waf/owasp-crs/rules/*.conf
Include /etc/caddy/coraza/rules/*.conf