diff --git a/Caddyfile b/Caddyfile
new file mode 100755
index 0000000..ae79e1a
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,18 @@
+https://finallycoffee.eu {
+ tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ root * /var/webroot
+ file_server
+ encode zstd gzip
+ route /users/* {
+ uri strip_prefix /users/
+ reverse_proxy web_userspace:80
+ }
+}
+
+# Import all web hosts
+
+import /webhosts/*/Caddyfile
+
+import /sites.d/*/Caddyfile
+
+
diff --git a/docker-compose.yml b/docker-compose.yml
index 68270d3..e23b119 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,26 +1,33 @@
 version: "3"
 services:
 web:
- image: registry.gitlab.com/jcgruenhage/docker-caddy:latest
+ image: docker.io/library/caddy:2-alpine
 container_name: web
 volumes:
- - /opt/docker/Caddy:/caddy:z
- - /opt/docker/Caddy/Caddyfile:/etc/caddy/Caddyfile:z
+ - /vault/services/certMgmt/certData/certs:/tls_certs:z
 - /vault/services/web/webhosts:/webhosts:z
 - /vault/services/web/sites.d:/sites.d:z
- - /vault/services/certMgmt/certData/certs:/tls_certs:z
+ - /vault/services/web/caddy_data:/data:z
+ - /vault/services/web/caddy_config:/config:z
+ - /vault/services/web/homepage:/var/webroot:z
+ - /vault/services/web/Caddyfile:/etc/caddy/Caddyfile:z
 - /vault/services/matrix/static-files:/matrix_static:z
- - /vault/users/jreichmann/public:/public/transcaffeine:z
- - /opt/docker/Caddy/webroot:/var/webroot:z
- environment:
- - GID=1001
- - UID=1001
 ports:
+ - "10.42.0.1:443:443"
 - "192.168.0.53:443:443"
 networks:
 - frontend
 - matrix
-
+ web_userspace:
+ image: docker.io/library/caddy:2-alpine
+ container_name: web_userspace
+ volumes:
+ - /vault/services/cloud/nextcloud/data:/webroot:ro
+ - /vault/services/web/userspace/data:/data:z
+ - /vault/services/web/userspace/config:/config:z
+ - /vault/services/web/userspace/Caddyfile:/etc/caddy/Caddyfile:z
+ networks:
+ - frontend
 networks:
 frontend:
 external: 
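Review bot: The new https://finallycoffee.eu block sends no response headers, while the cloud and matrix hosts touched in this same commit set `Strict-Transport-Security`; the apex host is the one browsers reach first, so it should at least carry `header Strict-Transport-Security "max-age=31536000;"` to match the matrix host. The `route /users/*` block hands the whole subtree to web_userspace:80 after stripping the prefix, and nothing in this file says what that container serves; a comment such as `# /users/* is served by the web_userspace container defined in docker-compose.yml` would save the next reader a lookup.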
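Review bot: The new web_userspace service mounts `/vault/services/cloud/nextcloud/data:/webroot:ro`, i.e. the Nextcloud data directory, into a second Caddy that the main Caddyfile exposes under `/users/*`; if that container's Caddyfile (not in this diff) runs `file_server` on `/webroot`, every user's files rather than only deliberately published ones become reachable without Nextcloud's own access control. Prefer mounting only the public subtree that is meant to be served, or confirm the userspace Caddyfile pins `root` to such a subtree. The `web` service also lost its `UID`/`GID` environment lines with the image switch; whether the caddy:2-alpine image drops privileges is not visible here, so either add a `user:` entry or note in a comment why running as the image default is acceptable.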
diff --git a/webhosts/cloud/Caddyfile b/webhosts/cloud/Caddyfile
index 7567204..0830877 100755
--- a/webhosts/cloud/Caddyfile
+++ b/webhosts/cloud/Caddyfile
@@ -1,29 +1,23 @@
 https://cloud.finallycoffee.eu {
- gzip
+ encode gzip
 tls /tls_certs/cloud.finallycoffee.eu/fullchain.pem /tls_certs/cloud.finallycoffee.eu/privkey.pem
- header / {
+ header {
 Referrer-Policy no-referrer
 Strict-Transport-Security "max-age=15552000;"
 }
- redir 301 {
- /.well-known/carddav /remote.php/dav
- /.well-known/caldav /remote.php/dav
- }
- proxy / nextcloud:80 {
- transparent
- websocket
+ redir /.well-known/carddav /remote.php/dav permanent
+ redir /.well-known/caldav /remote.php/dav permanent
+ reverse_proxy nextcloud:80 {
+ header_up X-Forwarded-Proto https
 }
 }
 https://office.cloud.finallycoffee.eu {
- gzip
+ encode gzip
 tls /tls_certs/cloud.finallycoffee.eu/fullchain.pem /tls_certs/cloud.finallycoffee.eu/privkey.pem
- header / {
+ header {
 Access-Control-Allow-Origin *
 }
- proxy / nextcloud_onlyoffice:80 {
- transparent
- websocket
- }
+ reverse_proxy nextcloud_onlyoffice:80
 }
diff --git a/webhosts/financial_athena7/Caddyfile b/webhosts/financial_athena7/Caddyfile
index b1d19f1..106ca9f 100644
--- a/webhosts/financial_athena7/Caddyfile
+++ b/webhosts/financial_athena7/Caddyfile
@@ -1,7 +1,5 @@
 https://financial.athena7.eu {
 tls /tls_certs/financial.athena7.eu/fullchain.pem /tls_certs/financial.athena7.eu/privkey.pem
- proxy / firefly_iii:80 {
- transparent
- websocket
- }
+ encode zstd gzip
+ reverse_proxy firefly_iii:80
 }
diff --git a/webhosts/infra/Caddyfile b/webhosts/infra/Caddyfile
index 9f44a5c..5dcffff 100644
--- a/webhosts/infra/Caddyfile
+++ b/webhosts/infra/Caddyfile
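Review bot: The office.cloud.finallycoffee.eu block sends `Access-Control-Allow-Origin *` but, unlike the cloud.finallycoffee.eu block right above it, no `Strict-Transport-Security`, so only one of the two hosts sharing the same certificate gets HSTS; add `Strict-Transport-Security "max-age=15552000;"` to the office host's `header` block to match. The `header_up X-Forwarded-Proto https` line in the first block duplicates what Caddy 2's reverse_proxy sets by itself, so either drop it or keep it with a comment such as `# kept explicit; caddy 2 already sets X-Forwarded-Proto`.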
@@ -1,9 +1,9 @@
 https://admin.finallycoffee.eu {
 tls /tls_certs/admin.finallycoffee.eu/fullchain.pem /tls_certs/admin.finallycoffee.eu/privkey.pem
- proxy / https://172.21.0.1:9090 {
- transparent
- websocket
- insecure_skip_verify
+ reverse_proxy / https://172.21.0.1:9090 {
+ transport http {
+ tls_insecure_skip_verify
+ }
 }
 }
@@ -12,26 +12,20 @@ https://gateway.finallycoffee.eu {
 }
-https://dsl.gateway.finallycoffee.eu {
- tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
- basicauth jdreichmann $pass {
- realm "Intranet karlsruhe.flauschekatze.space"
- /
- }
- proxy / http://192.168.0.2:80 {
- transparent
- websocket
- }
-}
+#https://dsl.gateway.finallycoffee.eu {
+# tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
+# basicauth *jdreichmann $pass {
+# realm "Intranet karlsruhe.flauschekatze.space"
+# /
+# }
+# reverse_proxy / http://192.168.0.2:80
+#}
-https://docsis.gateway.finallycoffee.eu {
- tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
- basicauth jdreichmann $pass {
- realm "Intranet karlsruhe.flauschekatze.space"
- /
- }
- proxy / http://192.168.0.1:80 {
- transparent
- websocket
- }
-}
+#https://docsis.gateway.finallycoffee.eu {
+# tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
+# basicauth jdreichmann $pass {
+# realm "Intranet karlsruhe.flauschekatze.space"
+# /
+# }
+# proxy / http://192.168.0.1:80
+#}
diff --git a/webhosts/matrix/Caddyfile b/webhosts/matrix/Caddyfile
index 148e565..b117173 100755
--- a/webhosts/matrix/Caddyfile
+++ b/webhosts/matrix/Caddyfile
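Review bot: `reverse_proxy / https://172.21.0.1:9090` matches only the exact path `/` in Caddy 2, where a path matcher is exact unless it ends in `*`, so every other request on admin.finallycoffee.eu never reaches the upstream and gets Caddy's empty default response; the matrix hunk already made the equivalent change (`/_matrix/identity/*`), and this line should read `reverse_proxy /* https://172.21.0.1:9090 {` or drop the matcher. The commented-out dsl/docsis blocks in the second hunk keep the same `reverse_proxy /` form and would hit the same problem if revived. `tls_insecure_skip_verify` carries the old `insecure_skip_verify` forward, so the upstream certificate is still never checked; if the upstream uses a self-signed or private-CA certificate, `tls_trusted_ca_certs` with that CA (plus `tls_server_name` if the name differs) keeps the connection verified instead of disabling verification.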
@@ -1,68 +1,59 @@
 https://matrix.finallycoffee.eu {
 tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
- header / {
- Access-Control-Allow-Origin *
+ encode zstd gzip
+ header {
 Strict-Transport-Security "max-age=31536000;"
 X-Frame-Options "DENY"
 X-XSS-Protection "1; mode=block"
 }
- proxy /_matrix/identity matrix-ma1sd:8090 {
- header_downstream Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
- header_downstream Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
- transparent
+ reverse_proxy /_matrix/identity/* matrix-ma1sd:8090 {
+ header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
 }
- proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
- header_downstream Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
- header_downstream Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
- transparent
+ reverse_proxy /_matrix/client/r0/user_directory/search/* matrix-ma1sd:8090 {
+ header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
 }
- proxy /_matrix/federation matrix-synapse:8048 {
- transparent
+ reverse_proxy /_matrix/federation/* matrix-synapse:8048
+ reverse_proxy /_matrix/key/* matrix-synapse:8048
+ reverse_proxy /_matrix/* matrix-synapse:8008 {
+ header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
 }
- proxy /_matrix/key matrix-synapse:8048 {
- transparent
- }
- proxy /_matrix matrix-synapse:8008 {
- header_downstream Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
- header_downstream Access-Control-Allow-Headers 
"Origin, X-Requested-With, Content-Type, Accept, Authorization"
- transparent
- }
- proxy /_synapse matrix-synapse:8008 {
- transparent
- }
- proxy /metrics http://matrix-synapse:9100/_synapse/metrics
- proxy /mautrix-telegram http://matrix-mautrix-telegram:8080
- proxy / https://finallycoffee.eu/.well-known/matrix {
- except /_matrix
+ reverse_proxy /_synapse/* matrix-synapse:8008
+ route /metrics/* {
+ uri replace /metrics/ /_synapse/metrics/
+ reverse_proxy http://matrix-synapse:9100
 }
+ reverse_proxy /mautrix-telegram/* http://matrix-mautrix-telegram:8080
 }
 https://dimension.matrix.finallycoffee.eu {
 tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
- header / {
+ header {
 Access-Control-Allow-Origin *
 }
- proxy / http://matrix-dimension:8184 {
- transparent
- header_upstream X-Forwarded-For {remote}
- header_upstream Host {host}
- websocket
+ encode zstd gzip
+ reverse_proxy http://matrix-dimension:8184 {
+ header_up X-Forwarded-For {remote}
+ header_up Host {host}
 }
 }
 https://chat.finallycoffee.eu {
 tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
- proxy / http://matrix-client-element:8080 {
- transparent
- }
+ encode zstd gzip
+ reverse_proxy http://matrix-client-element:8080
 }
-https://finallycoffee.eu/.well-known/matrix/ {
+https://finallycoffee.eu/.well-known/matrix/* {
 tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
- root /matrix_static
- index index index.json
- mime . application/json
- header / {
+ route {
+ uri strip_prefix /.well-known/matrix
+ root * /matrix_static
+ file_server
+ }
+ header {
 Content-Type "application/json"
 X-Content-Type-Options "nosniff"
 Access-Control-Allow-Origin *
diff --git a/webhosts/pass/Caddyfile b/webhosts/pass/Caddyfile
index dac5e9f..f9288b9 100644
--- a/webhosts/pass/Caddyfile
+++ b/webhosts/pass/Caddyfile
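Review bot: The `route /metrics/*` block keeps Synapse's metrics reachable on the public matrix hostname with no restriction on who may fetch them, and `uri replace` substitutes every occurrence of `/metrics/` in the path rather than only the leading one; guard the route with a `remote_ip` (or `basicauth`) matcher and bound the rewrite with `uri replace /metrics/ /_synapse/metrics/ 1`. In the dimension block, `header_up X-Forwarded-For {remote}` overrides the X-Forwarded-For value Caddy 2's reverse_proxy maintains itself, and `{remote}` includes the client port; `{remote_host}` or simply dropping the line gives the upstream the plain client address. The main host's `header` block no longer sets `Access-Control-Allow-Origin *` while the ma1sd routes still add Allow-Methods/Allow-Headers, so if ma1sd does not emit Allow-Origin itself, browser clients on another origin would lose the identity and user_directory calls; worth confirming before merge. The hunk ends inside the `.well-known/matrix/*` block's `header` directive, which continues past the diff.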
@@ -1,7 +1,5 @@
 https://pass.finallycoffee.eu {
 tls /tls_certs/pass.finallycoffee.eu/fullchain.pem /tls_certs/pass.finallycoffee.eu/privkey.pem
- proxy / bitwardenrs:80 {
- transparent
- }
+ reverse_proxy bitwardenrs:80
 }