diff --git a/reverseproxy2/authelia/configuration.yml b/reverseproxy2/authelia/configuration.yml
index e69de29..02348c5 100644
--- a/reverseproxy2/authelia/configuration.yml
+++ b/reverseproxy2/authelia/configuration.yml
@@ -0,0 +1,113 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+theme: dark
+
+server:
+ address: 'tcp://:9091'
+ endpoints:
+ authz:
+ forward-auth:
+ implementation: 'ForwardAuth'
+
+log:
+ level: 'info'
+
+totp:
+ issuer: 'authelia.com'
+
+identity_validation:
+ reset_password:
+ jwt_secret: '2b8a78f3ac1784ef6aab3899c663e1010c60d3a9de694550879da349fe222923'
+
+authentication_backend:
+ file:
+ path: '/config/users_database.yml'
+
+access_control:
+ default_policy: deny
+ networks:
+ - name: internal
+ networks:
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ rules:
+ ## bypass all domains and subdomains from local ips
+ - domain:
+ - aknlw.com
+ - wettsten.com
+ - "*.wettsten.com"
+ networks:
+ - 'internal'
+ policy: bypass
+ # bypass api for subdomains
+ - domain:
+ - "*.wettsten.com"
+ resources:
+ - "^/api([/?].*)?$"
+ - "^/add([/?].*)?$"
+ - "^/public([/?].*)?$"
+ policy: bypass
+ # bypass specific subdomains
+ - domain:
+ - aknlw.com
+ - bitwarden.wettsten.com
+ - gitea.wettsten.com
+ - nextcloud.wettsten.com
+ policy: bypass
+ # bypass filebrowser shares
+ - domain:
+ - "filebrowser.wettsten.com"
+ resources:
+ - "^/api([/?].*)?$"
+ - "^/share([/?].*)?$"
+ - "^/static([/?].*)?$"
+ policy: bypass
+ # two_factor subdomains
+ - domain:
+ - wettsten.com
+ - "*.wettsten.com"
+ policy: two_factor
+
+session:
+ secret: 'ffc343d98b87910edcddb1f0dac4b492b62e29b5eafa92f1c213f37c4669f243'
+
+ cookies:
+ - name: 'authelia_session'
+ domain: 'wettsten.com'
+ authelia_url: 'https://auth.wettsten.com'
+ default_redirection_url: 'https://wettsten.com'
+ expiration: '1 hour'
+ inactivity: '5 minutes'
+
+ redis:
+ host: 'redis'
+ port: 6379
+ password: 'bc4eb8df73776ba7716aeb60c0023ef6136b80680bb8ea1cf6c51a326dea2c43'
+
+regulation:
+ max_retries: 3
+ find_time: '2 minutes'
+ ban_time: '5 minutes'
+
+storage:
+ encryption_key: 'cbd7570c1795cba61f05baf419b7cee23fa144d512bda2ea57ba300afa6b33bf'
+ local:
+ path: '/config/db.sqlite3'
+
+notifier:
+ smtp:
+ username: 'akanealw@gmail.com'
+ password: 'qlvmffuzpscltdgz'
+ address: 'smtp://smtp.gmail.com:587'
+ sender: 'akanealw@gmail.com'
+
+ntp:
+ address: 'udp://time.windows.com:123'
+ version: 3
+ max_desync: '3s'
+ disable_startup_check: false
+ disable_failure: false
diff --git a/reverseproxy2/authelia/users_database.yml b/reverseproxy2/authelia/users_database.yml
index e69de29..2ae4515 100644
--- a/reverseproxy2/authelia/users_database.yml
+++ b/reverseproxy2/authelia/users_database.yml
@@ -0,0 +1,14 @@
+users:
+ wettsten:
+ displayname: "wettsten"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$pdeSOsqnVZB7I03tvC5JvA$gfiVxDvz1NVQw2yqGwgcz/fOumms2+asiFi8QVk2D38"
+ email: scott.wettstein@gmail.com
+ groups:
+ - admins
+
+ akanealw:
+ displayname: "akanealw"
+ password: "$argon2id$v=19$m=65536,t=1,p=8$ZWJ2UGVPUDE2SnU0YXNvNg$Q3LQfN90kPI5/3Yr06WmTUjFbvIBBZPJP44YLhysT0M"
+ email: akanealw@gmail.com
+ groups:
+ - admins
diff --git a/reverseproxy2/caddy/Caddyfile b/reverseproxy2/caddy/Caddyfile
index e69de29..4c90eac 100644
--- a/reverseproxy2/caddy/Caddyfile
+++ b/reverseproxy2/caddy/Caddyfile
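Review bot: Five live secrets are committed in plaintext in this file — `jwt_secret`, `session.secret`, `session.redis.password`, `storage.encryption_key` and `notifier.smtp.password` — and they are now part of the repository history. Authelia can read each of these from a file named by an environment variable (for example `AUTHELIA_SESSION_SECRET_FILE` and `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`), so the keys can be dropped from the committed config and the values mounted at deploy time; the values already pushed should be treated as exposed and rotated, keeping in mind that Authelia checks `encryption_key` against the existing database, so that one has to go through its change-key migration rather than a plain edit. Separately, `issuer: 'authelia.com'` under `totp` is the documentation placeholder and is what authenticator apps will display; `issuer: 'wettsten.com'` would match the rest of the config.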
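Review bot: The two argon2id hashes in `users_database.yml` use different cost parameters — `m=65536,t=3,p=4` for `wettsten` and `m=65536,t=1,p=8` for `akanealw` — which looks like they were generated by different tool versions, and the second is the lower-cost of the two. As far as I can tell Authelia's file backend does not rehash a password on a successful login, so the `akanealw` entry would stay at that cost until it is regenerated; rerunning `authelia crypto hash generate argon2` with current defaults for that user would make both entries consistent.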
@@ -0,0 +1,232 @@
+# --------------------------------------------------
+# global options
+# --------------------------------------------------
+
+{
+ acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+
+# admin :2019
+# log {
+# output file caddy.log
+# level info
+# }
+
+ servers {
+ trusted_proxies static private_ranges
+ }
+
+}
+
+# --------------------------------------------------
+# cloudflare tls snippet for sites
+# --------------------------------------------------
+
+(cloudflare) {
+ tls {
+ dns cloudflare {env.DNS_PROVIDER_TOKEN}
+ resolvers 1.1.1.1 1.0.0.1
+ }
+}
+
+# --------------------------------------------------
+# auth snippet for authelia
+# --------------------------------------------------
+
+(auth) {
+ forward_auth authelia:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+}
+
+# --------------------------------------------------
+# wettsten.com root domain
+# --------------------------------------------------
+
+wettsten.com {
+ import cloudflare
+ @akanealwcom host wettsten.com
+ handle @akanealwcom {
+ import auth
+ reverse_proxy 192.168.1.4:3005
+ }
+}
+
+# --------------------------------------------------
+# authelia subdomain
+# --------------------------------------------------
+
+auth.wettsten.com {
+ import cloudflare
+ reverse_proxy authelia:9091
+}
+
+# --------------------------------------------------
+# *.wettsten.com subdomains
+# --------------------------------------------------
+
+*.wettsten.com {
+# --------------------------------------------------
+# internal only subdomains
+#
+#
+# @ host .wettsten.com
+# handle @ {
+# handle @internal {
+# reverse_proxy 192.168.1.
+# }
+# respond "ip range not allowed"
+# }
+#
+#
+# @ host .wettsten.com
+# handle @ {
+# handle @internal {
+# reverse_proxy https://192.168.1. {
+# transport http {
+# tls_insecure_skip_verify
+# }
+# }
+# }
+# respond "ip range not allowed"
+# }
+#
+#
+# --------------------------------------------------
+ @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
+ @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
+ import cloudflare
+
+ @adguard1 host adguardserver1.wettsten.com
+ handle @adguard1 {
+ handle @internal {
+ reverse_proxy 192.168.1.2:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @bale host bale.wettsten.com
+ handle @bale {
+ handle @internal {
+ reverse_proxy 192.168.1.51:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockerdockge host dockerserver-dockge.wettsten.com
+ handle @dockerdockge {
+ handle @internal {
+ reverse_proxy 192.168.1.30:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockerdozzle host dockerserver-dozzle.wettsten.com
+ handle @dockerdozzle {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @gluetun host gluetun.wettsten.com
+ handle @gluetun {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8777
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxmox1 host proxmox1.wettsten.com
+ handle @proxmox1 {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:8006 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxmoxbackup host proxmoxbackup.wettsten.com
+ handle @proxmoxbackup {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:8007 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @router host router.wettsten.com
+ handle @router {
+ handle @internal {
+ reverse_proxy https://192.168.1.1:443 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @webmin host webmin.wettsten.com
+ handle @webmin {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:10000 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+
+
+# --------------------------------------------------
+# external subdomains without authelia
+#
+#
+# @ host .wettsten.com
+# handle @ {
+# reverse_proxy 192.168.1.
+# }
+#
+#
+# --------------------------------------------------
+
+ @bitwarden host bitwarden.wettsten.com
+ handle @bitwarden {
+ reverse_proxy 192.168.1.4:8089
+ }
+
+ @jellyfin host jellyfin.wettsten.com
+ handle @jellyfin {
+ reverse_proxy 192.168.1.42:8096
+ }
+
+# --------------------------------------------------
+# external subdomains with authelia
+#
+#
+# @ host .wettsten.com
+# handle @ {
+# import auth
+# reverse_proxy 192.168.1.
+# }
+#
+#
+# --------------------------------------------------
+
+ @whoami host whoami.wettsten.com
+ handle @whoami {
+ import auth
+ reverse_proxy whoami:80
+ }
+
+
+}
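Review bot: The internal-only gate in the `*.wettsten.com` block (`@internal client_ip …`) is only as strong as `trusted_proxies static private_ranges` in the global options allows: with that setting Caddy takes the client address from `X-Forwarded-For` on any connection that arrives from a private source, so the proxmox1, proxmoxbackup, router and webmin handlers are protected only if external traffic can never reach Caddy with a private source address (a router that masquerades forwarded connections as its own LAN address would be enough to defeat it) and no trusted host can forward a header it did not set. Narrowing `trusted_proxies` to the address of the one proxy actually in front of Caddy, or using `@internal remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8` if nothing sits in front of it, removes that dependency. `acme_ca https://acme-staging-v02.api.letsencrypt.org/directory` in the global options issues certificates browsers do not trust, so it should be removed or commented out before this file serves real users. A request for a subdomain that no `handle` matches falls through the whole block and gets an empty 200 response; a trailing `respond 404` inside `*.wettsten.com` would close that, and `@external` is defined but never used.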