From cb95adb2f29aaa2ed0366dc209c6b0fc86cb790b Mon Sep 17 00:00:00 2001 From: akanealw Date: Sun, 31 Mar 2024 10:30:30 -0500 Subject: [PATCH] added docker and reverseproxy --- .env | 16 +++ .gitignore | 0 {wireguard => reverseproxy}/.env | 6 +- .../authelia/add-to-protected-domains.conf | 10 ++ reverseproxy/authelia/auth.domain.conf | 4 + .../authelia/config/configuration.yml | 136 ++++++++++++++++++ .../authelia/config/users_database.yml | 8 ++ reverseproxy/compose.yml | 37 +++++ .../snippets/authelia-authrequest.conf | 25 ++++ .../snippets/authelia-location.conf | 36 +++++ .../snippets/authelia-proxy.conf | 8 ++ wireguard/compose.yml | 48 ------- 12 files changed, 281 insertions(+), 53 deletions(-) create mode 100755 .env create mode 100755 .gitignore rename {wireguard => reverseproxy}/.env (65%) create mode 100755 reverseproxy/authelia/add-to-protected-domains.conf create mode 100755 reverseproxy/authelia/auth.domain.conf create mode 100755 reverseproxy/authelia/config/configuration.yml create mode 100755 reverseproxy/authelia/config/users_database.yml create mode 100755 reverseproxy/compose.yml create mode 100755 reverseproxy/nginxproxymanager/snippets/authelia-authrequest.conf create mode 100755 reverseproxy/nginxproxymanager/snippets/authelia-location.conf create mode 100755 reverseproxy/nginxproxymanager/snippets/authelia-proxy.conf delete mode 100755 wireguard/compose.yml
diff --git a/.env b/.env
new file mode 100755
index 0000000..ac7ea68
--- /dev/null
+++ b/.env
@@ -0,0 +1,16 @@
+#GLOBAL SETTINGS
+COMPOSE_HTTP_TIMEOUT=120
+COMPOSE_IGNORE_ORPHANS=1
+DOCKER_CONFIGS=.
+DOCKERGID=999
+DOCKERHOSTNAME=DockerServer3
+DOCKERLOGGING_MAXFILE=10
+DOCKERLOGGING_MAXSIZE=200k
+SERVERIP=192.168.1.34
+PGID=1000
+PUID=1000
+UMASK=000
+TZ=America/Chicago
+BACKUP_DIR=/mnt/backups
+MEDIA_DIR=/mnt/media
+STORAGE_DIR=/mnt/storage
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..e69de29
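Review bot: `UMASK=000` in the new root `.env` would make any container that honours it create world-readable and world-writable files under its config mounts; `UMASK=022` (or `027`) is the safer default unless a service is known to need more. The services in reverseproxy/compose.yml do not reference the variable in this patch, so the effect depends on compose files outside it. The `.gitignore` added alongside is empty, so `.env` files stay tracked; keep credentials out of them, or commit a `.env.example` and ignore the real file.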
diff --git a/wireguard/.env b/reverseproxy/.env
similarity index 65%
rename from wireguard/.env
rename to reverseproxy/.env
index 8da90e9..c8bf377 100755
--- a/wireguard/.env
+++ b/reverseproxy/.env
@@ -3,14 +3,10 @@ COMPOSE_HTTP_TIMEOUT=120
 COMPOSE_IGNORE_ORPHANS=1
 DOCKER_CONFIGS=.
 DOCKERGID=999
-DOCKERHOSTNAME=WireguardServer
+DOCKERHOSTNAME=ProxyServer
 DOCKERLOGGING_MAXFILE=10
 DOCKERLOGGING_MAXSIZE=200k
 PGID=1000
 PUID=1000
 UMASK=000
 TZ=America/Chicago
-
-#WIREGUARD
-WG_HOST=192.168.1.7
-WG_PASSWORD=zai9phioyachooF3Raengo2ooHaN7r
diff --git a/reverseproxy/authelia/add-to-protected-domains.conf b/reverseproxy/authelia/add-to-protected-domains.conf
new file mode 100755
index 0000000..693b139
--- /dev/null
+++ b/reverseproxy/authelia/add-to-protected-domains.conf
@@ -0,0 +1,10 @@
+include /snippets/authelia-location.conf;
+
+location / {
+ include /snippets/authelia-proxy.conf;
+ include /snippets/authelia-authrequest.conf;
+ proxy_pass $forward_scheme://$server:$port;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ proxy_set_header Accept-Encoding gzip;
+}
diff --git a/reverseproxy/authelia/auth.domain.conf b/reverseproxy/authelia/auth.domain.conf
new file mode 100755
index 0000000..a814eb0
--- /dev/null
+++ b/reverseproxy/authelia/auth.domain.conf
@@ -0,0 +1,4 @@
+location / {
+ include /snippets/authelia-proxy.conf;
+ proxy_pass $forward_scheme://$server:$port;
+}
diff --git a/reverseproxy/authelia/config/configuration.yml b/reverseproxy/authelia/config/configuration.yml
new file mode 100755
index 0000000..e8013ea
--- /dev/null
+++ b/reverseproxy/authelia/config/configuration.yml
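Review bot: Deleting `WG_PASSWORD` here (and the matching `PASSWORD=` entry in the removed wireguard/compose.yml) takes the value out of the working tree only; it remains readable in earlier commits and in this patch itself. Treat that wg-easy password as disclosed and change it on the running service rather than relying on the removal.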
@@ -0,0 +1,136 @@
+theme: dark
+jwt_secret: 9DGPzQy8SZQ7rV57V3DJnw
+
+#default_redirection_url: https://akanealw.com
+
+server:
+ host: 0.0.0.0
+ port: 9091
+ path: ""
+ buffers:
+ read: 4096
+ write: 4096
+ enable_pprof: false
+ enable_expvars: false
+ disable_healthcheck: false
+ tls:
+ key: ""
+ certificate: ""
+
+ntp:
+ address: "0.debian.pool.ntp.org:123"
+ version: 3
+ max_desync: 3s
+ disable_startup_check: true
+ disable_failure: true
+
+log:
+ level: info
+
+totp:
+ disable: false
+ issuer: akanealw.com
+ algorithm: sha1
+ digits: 6
+ period: 30
+ skew: 1
+ secret_size: 32
+
+authentication_backend:
+ password_reset:
+ disable: true
+ refresh_interval: 5m
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+access_control:
+ default_policy: deny
+ networks:
+ - name: internal
+ networks:
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ rules:
+ ## bypass all domains and subdomains from local ips
+ - domain:
+ - aknlw.com
+ - akanealw.com
+ - "*.akanealw.com"
+ networks:
+ - 'internal'
+ policy: bypass
+ ## bypass api for subdomains
+ - domain:
+ - "*.akanealw.com"
+ resources:
+ - "^/api([/?].*)?$"
+ - "^/add([/?].*)?$"
+ - "^/public([/?].*)?$"
+ policy: bypass
+ # bypass specific subdomains
+ - domain:
+ - aknlw.com
+ - bitwarden.akanealw.com
+ - gitea.akanealw.com
+ - nextcloud.akanealw.com
+ policy: bypass
+ # bypass filebrowser shares
+ - domain:
+ - "fileserver.akanealw.com"
+ resources:
+ - "^/api/public/dl/*"
+ - "/share/*"
+ - "/static/js/*"
+ - "/static/css/*"
+ - "/static/img/*"
+ - "/static/themes/*"
+ - "/static/fonts/*"
+ policy: bypass
+ # two_factor subdomains
+ - domain:
+ - akanealw.com
+ - "*.akanealw.com"
+ policy: two_factor
+
+session:
+ name: authelia_session
+ domain: akanealw.com
+ same_site: lax
+ secret: 8r9y4d8mY7NfQtpCe2oU
+ expiration: 6h
+ inactivity: 5m
+ remember_me_duration: 1w
+
+regulation:
+ max_retries: 3
+ find_time:
10m
+ ban_time: 12h
+
+storage:
+ local:
+ path: /config/db.sqlite3
+ encryption_key: iiB7C8Bn4A2gAhzs2fWaggUug76PZ4LU
+
+notifier:
+ disable_startup_check: true
+ smtp:
+ username: akanealw@gmail.com
+ password: qlvmffuzpscltdgz
+ host: smtp.gmail.com
+ port: 587
+ sender: akanealw@gmail.com
+ identifier: dockerserver
+ subject: "[Authelia] {title}"
+ startup_check_address: akanealw@gmail.com
+ disable_require_tls: false
+ disable_html_emails: false
+ tls:
+ skip_verify: false
+ minimum_version: TLS1.2
diff --git a/reverseproxy/authelia/config/users_database.yml b/reverseproxy/authelia/config/users_database.yml
new file mode 100755
index 0000000..35ed2b2
--- /dev/null
+++ b/reverseproxy/authelia/config/users_database.yml
@@ -0,0 +1,8 @@
+users:
+ akanealw:
+ displayname: "akanealw"
+ password: "$argon2id$v=19$m=65536,t=1,p=8$ZWJ2UGVPUDE2SnU0YXNvNg$Q3LQfN90kPI5/3Yr06WmTUjFbvIBBZPJP44YLhysT0M"
+ email: akanealw@gmail.com
+ groups:
+ - admins
+
\ No newline at end of file
diff --git a/reverseproxy/compose.yml b/reverseproxy/compose.yml
new file mode 100755
index 0000000..fe7177c
--- /dev/null
+++ b/reverseproxy/compose.yml
@@ -0,0 +1,37 @@
+services:
+ authelia:
+ container_name: authelia
+ image: authelia/authelia
+ environment:
+ - TZ=${TZ}
+ networks:
+ - reverse-proxy
+ ports:
+ - 9091:9091
+ restart: always
+ volumes:
+ - ${DOCKER_CONFIGS}/authelia/config:/config
+
+ nginxproxymanager:
+ container_name: nginxproxymanager
+ image: jc21/nginx-proxy-manager:2.10.4
+ environment:
+ - X_FRAME_OPTIONS=sameorigin
+ - DB_SQLITE_FILE=/data/database.sqlite
+ networks:
+ - reverse-proxy
+ ports:
+ - 443:443/tcp
+ - 80:80/tcp
+ - 81:81/tcp
+ restart: always
+ volumes:
+ - ${DOCKER_CONFIGS}/nginxproxymanager/data:/data
+ - ${DOCKER_CONFIGS}/nginxproxymanager/letsencrypt:/etc/letsencrypt
+ - ${DOCKER_CONFIGS}/nginxproxymanager/snippets:/snippets:ro
+ - /etc/localtime:/etc/localtime:ro
+
+networks:
+ reverse-proxy:
+ name: reverse-proxy
+ external: true
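Review bot: `jwt_secret`, `session.secret`, `storage.encryption_key` and `notifier.smtp.password` are committed in plaintext in configuration.yml, so all four must be considered disclosed to anyone who can read the repository or this patch. Drop those keys from the file and supply them through Authelia's file-based secret variables on the container, e.g. `AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` and `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`, then rotate the values already published. Separately, the rule that bypasses `^/api([/?].*)?$`, `^/add([/?].*)?$` and `^/public([/?].*)?$` for `"*.akanealw.com"` sits above the final `two_factor` rule, so those paths are unauthenticated on every subdomain; listing only the hosts that need the exemption would narrow it.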
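Review bot: The `password` value in users_database.yml is the live argon2id hash for `akanealw`, committed together with its parameters (`m=65536,t=1,p=8`), which lets anyone with repository access run offline guesses against it. Keep this file out of version control (add it to the `.gitignore` this patch creates empty and commit a template with a placeholder hash) and change the password, since the hash is now in history. `t=1` matches `iterations: 1` in configuration.yml; raising that value makes each guess costlier.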
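Review bot: `ports: - 9091:9091` on the `authelia` service publishes the portal on the host even though nginx reaches it over the `reverse-proxy` network (`http://authelia:9091` in authelia-location.conf), leaving a plain-HTTP path that skips the proxy; removing that `ports` entry closes it. The Nginx Proxy Manager admin UI is likewise published on all interfaces by `81:81/tcp`; binding it to a management address, e.g. `127.0.0.1:81:81/tcp`, limits who can reach it. `image: authelia/authelia` is untagged while NPM is pinned to `2.10.4`; pin it as `authelia/authelia:<pinned-version>` so a restart cannot pull a release with a different configuration schema.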
diff --git a/reverseproxy/nginxproxymanager/snippets/authelia-authrequest.conf b/reverseproxy/nginxproxymanager/snippets/authelia-authrequest.conf
new file mode 100755
index 0000000..08b8d0f
--- /dev/null
+++ b/reverseproxy/nginxproxymanager/snippets/authelia-authrequest.conf
@@ -0,0 +1,25 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /authelia;
+
+## Set the $target_url variable based on the original request.
+
+## Comment this line if you're using nginx without the http_set_misc module.
+set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Uncomment this line if you're using NGINX without the http_set_misc module.
+# set $target_url $scheme://$http_host$request_uri;
+
+## Save the upstream response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 =302 https://auth.akanealw.com/?rd=$target_url;
\ No newline at end of file
diff --git a/reverseproxy/nginxproxymanager/snippets/authelia-location.conf b/reverseproxy/nginxproxymanager/snippets/authelia-location.conf
new file mode 100755
index 0000000..62c874d
--- /dev/null
+++ b/reverseproxy/nginxproxymanager/snippets/authelia-location.conf
@@ -0,0 +1,36 @@
+set $upstream_authelia http://authelia:9091/api/verify;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+ ## Essential Proxy Configuration
+ internal;
+ proxy_pass $upstream_authelia;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
\ No newline at end of file
diff --git a/reverseproxy/nginxproxymanager/snippets/authelia-proxy.conf b/reverseproxy/nginxproxymanager/snippets/authelia-proxy.conf
new file mode 100755
index 0000000..e42cecf
--- /dev/null
+++ b/reverseproxy/nginxproxymanager/snippets/authelia-proxy.conf
@@ -0,0 +1,8 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
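Review bot: `proxy_cache_bypass $cookie_session;` and `proxy_no_cache $cookie_session;` in authelia-location.conf key on a cookie named `session`, but configuration.yml in this patch sets `session.name: authelia_session`, so the variable would always be empty and neither directive would take effect. If the intent is to keep per-user verify responses out of any proxy cache, use `$cookie_authelia_session` in both lines. No `proxy_cache` is visible in these snippets, so this matters only if caching is enabled elsewhere in the Nginx Proxy Manager configuration.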
diff --git a/wireguard/compose.yml b/wireguard/compose.yml
deleted file mode 100755
index cee51a5..0000000
--- a/wireguard/compose.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-version: '3'
-
-services:
- adguardhome:
- container_name: adguardhome
- image: adguard/adguardhome
- networks:
- - reverse-proxy
- ports:
- - 53:53/tcp
- - 53:53/udp
- - 3000:3000/tcp
- restart: unless-stopped
- volumes:
- - ${DOCKER_CONFIGS}/adguardhome/conf:/opt/adguardhome/conf
- - ${DOCKER_CONFIGS}/adguardhome/work:/opt/adguardhome/work
-
- wg-easy:
- container_name: wg-easy
- image: ghcr.io/wg-easy/wg-easy
- environment:
- - WG_HOST=wireguard.akanealw.com
- - PASSWORD=zai9phioyachooF3Raengo2ooHaN7r
- - WG_DEFAULT_DNS=10.10.0.2
- - WG_PORT=51820
- - WG_PERSISTENT_KEEPALIVE=25
- - WG_DEFAULT_ADDRESS=10.10.0.x
- - WG_MTU=1420
- - WG_ALLOWED_IPS=10.10.0.0/24
- cap_add:
- - NET_ADMIN
- - SYS_MODULE
- sysctls:
- - net.ipv4.ip_forward=1
- - net.ipv4.conf.all.src_valid_mark=1
- networks:
- - reverse-proxy
- ports:
- - 51820:51820/udp
- - 51821:51821
- restart: always
- volumes:
- - ${DOCKER_CONFIGS}/wg-easy:/etc/wireguard
-
-networks:
- reverse-proxy:
- name: reverse-proxy
- external: true