From 2c602f7f5697de2bb37172802f5f4f0a8e539def Mon Sep 17 00:00:00 2001 From: akanealw Date: Tue, 1 Apr 2025 17:08:08 -0500 Subject: [PATCH] added most recent caddyfile --- Caddyfile | 690 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 670 insertions(+), 20 deletions(-) diff --git a/Caddyfile b/Caddyfile index d4d12db..090ee32 100755 --- a/Caddyfile +++ b/Caddyfile 
@@ -1,26 +1,676 @@ -# The Caddyfile is an easy way to configure your Caddy web server. -# -# Unless the file starts with a global options block, the first -# uncommented line is always the address of your site. -# -# To use your own domain name (with automatic HTTPS), first make -# sure your domain's A/AAAA DNS records are properly pointed to -# this machine's public IP, then replace ":80" below with your -# domain name. +# -------------------------------------------------- +# global options +# -------------------------------------------------- -:80 { - # Set this path to your site's directory. - root * /usr/share/caddy +{ + acme_ca https://acme-staging-v02.api.letsencrypt.org/directory - # Enable the static file server. - file_server + admin :2019 +# log { +# output file caddy.log +# level info +# } - # Another common task is to set up a reverse proxy: - # reverse_proxy localhost:8080 + servers { + trusted_proxies static private_ranges + } - # Or serve a PHP site through php-fpm: - # php_fastcgi localhost:9000 } -# Refer to the Caddy docs for more information: -# https://caddyserver.com/docs/caddyfile +# -------------------------------------------------- +# cloudflare tls snippet for sites +# -------------------------------------------------- + +(cloudflare) { + tls { + dns cloudflare {env.DNS_PROVIDER_TOKEN} + resolvers 1.1.1.1 1.0.0.1 + } +} + +# -------------------------------------------------- +# auth snippet for authentik +# -------------------------------------------------- + +(authentik) { + reverse_proxy /outpost.goauthentik.io/* authentik-server:9000 + + forward_auth authentik-server:9000 { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version + } +} + +(auth) { + forward_auth authelia:9091 { + uri 
/api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+}
+
+# --------------------------------------------------
+# akanealw.com root domain
+# --------------------------------------------------
+
+akanealw.com {
+ import cloudflare
+ @akanealwcom host akanealw.com
+ handle @akanealwcom {
+ import auth
+ reverse_proxy 192.168.1.4:3005
+ }
+}
+
+# --------------------------------------------------
+# authentik subdomain
+# --------------------------------------------------
+
+authentik.akanealw.com {
+ import cloudflare
+ reverse_proxy authentik-server:9000
+}
+
+# --------------------------------------------------
+# authelia subdomain
+# --------------------------------------------------
+
+auth.akanealw.com {
+ import cloudflare
+ reverse_proxy authelia:9091
+}
+
+# --------------------------------------------------
+# *.akanealw.com subdomains
+# --------------------------------------------------
+
+*.akanealw.com {
+# --------------------------------------------------
+# internal only subdomains
+#
+#
+# @ host .akanealw.com
+# handle @ {
+# handle @internal {
+# reverse_proxy 192.168.1.
+# }
+# respond "ip range not allowed"
+# }
+#
+#
+# @ host .akanealw.com
+# handle @ {
+# handle @internal {
+# reverse_proxy https://192.168.1. {
+# transport http {
+# tls_insecure_skip_verify
+# }
+# }
+# }
+# respond "ip range not allowed"
+# }
+#
+#
+# --------------------------------------------------
+ @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
+ @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
+ import cloudflare
+
+ @checkmk host checkmk.akanealw.com
+ handle @checkmk {
+ handle @internal {
+ reverse_proxy 192.168.1.4:8888
+ }
+ respond "ip range not allowed"
+ }
+
+ @linkwarden host linkwarden.akanealw.com
+ handle @linkwarden {
+ handle @internal {
+ reverse_proxy 192.168.1.4:3232
+ }
+ respond "ip range not allowed"
+ }
+
+ @adguard1 host adguardserver1.akanealw.com
+ handle @adguard1 {
+ handle @internal {
+ reverse_proxy 192.168.1.2:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @adguard2 host adguardserver2.akanealw.com
+ handle @adguard2 {
+ handle @internal {
+ reverse_proxy 192.168.1.3:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @bale host bale.akanealw.com
+ handle @bale {
+ handle @internal {
+ reverse_proxy 192.168.1.51:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @cronicle host cronicle.akanealw.com
+ handle @cronicle {
+ handle @internal {
+ reverse_proxy 192.168.1.30:3012
+ }
+ respond "ip range not allowed"
+ }
+
+ @devdockge host dev-dockge.akanealw.com
+ handle @devdockge {
+ handle @internal {
+ reverse_proxy 192.168.1.35:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @devdozzle host dev-dozzle.akanealw.com
+ handle @devdozzle {
+ handle @internal {
+ reverse_proxy 192.168.1.35:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockerdockge host dockerserver-dockge.akanealw.com
+ handle @dockerdockge {
+ handle @internal {
+ reverse_proxy 192.168.1.30:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockerdozzle host dockerserver-dozzle.akanealw.com
+ handle @dockerdozzle {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockertestdockge host dockerservertest-dockge.akanealw.com
+ handle @dockertestdockge {
+ handle @internal {
+ reverse_proxy 192.168.1.33:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockertestdozzle host dockerservertest-dozzle.akanealw.com
+ handle @dockertestdozzle {
+ handle @internal {
+ reverse_proxy 192.168.1.33:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxyserverdockge host proxyserver-dockge.akanealw.com
+ handle @proxyserverdockge {
+ handle @internal {
+ reverse_proxy 192.168.1.4:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxyserverdozzle host proxyserver-dozzle.akanealw.com
+ handle @proxyserverdozzle {
+ handle @internal {
+ reverse_proxy 192.168.1.4:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @files host files.akanealw.com
+ handle @files {
+ handle @internal {
+ redir / /files{uri}
+ reverse_proxy 192.168.1.50:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @icons host icons.akanealw.com
+ handle @icons {
+ handle @internal {
+ rewrite * /files/icons{uri}
+ reverse_proxy 192.168.1.50:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @gluetun host gluetun.akanealw.com
+ handle @gluetun {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8777
+ }
+ respond "ip range not allowed"
+ }
+
+ @peanut host peanut.akanealw.com
+ handle @peanut {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8980
+ }
+ respond "ip range not allowed"
+ }
+
+ @photoprism host photoprism.akanealw.com
+ handle @photoprism {
+ handle @internal {
+ reverse_proxy 192.168.1.30:2342
+ }
+ respond "ip range not allowed"
+ }
+
+ @photoprismdadandmom host photos.akanealw.com
+ handle @photoprismdadandmom {
+ handle @internal {
+ reverse_proxy 192.168.1.25:2342
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxmox1 host proxmox1.akanealw.com
+ handle @proxmox1 {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:8006 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxmox2 host proxmox2.akanealw.com
+ handle @proxmox2 {
+ handle @internal {
+ reverse_proxy https://192.168.1.52:8006 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @proxmoxbackup host proxmoxbackup.akanealw.com
+ handle @proxmoxbackup {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:8007 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @router host router.akanealw.com
+ handle @router {
+ handle @internal {
+ reverse_proxy https://192.168.1.1:443 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @rssbridge host rss-bridge.akanealw.com
+ handle @rssbridge {
+ handle @internal {
+ reverse_proxy 192.168.1.30:3006
+ }
+ respond "ip range not allowed"
+ }
+
+ @invidious host invidious.akanealw.com
+ handle @invidious {
+ handle @internal {
+ reverse_proxy 192.168.1.30:3000
+ }
+ respond "ip range not allowed"
+ }
+
+ @scripts host scripts.akanealw.com
+ handle @scripts {
+ handle @internal {
+ redir / /scripts{uri}
+ reverse_proxy 192.168.1.50:80
+ }
+ respond "ip range not allowed"
+ }
+
+ @speedtest host speedtest.akanealw.com
+ handle @speedtest {
+ handle @internal {
+ reverse_proxy 192.168.1.30:8765
+ }
+ respond "ip range not allowed"
+ }
+
+ @dockersyncthing host dockerserver-syncthing.akanealw.com
+ handle @dockersyncthing {
+ handle @internal {
+ reverse_proxy https://192.168.1.30:8384 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @gamingpcsyncthing host gamingpc-syncthing.akanealw.com
+ handle @gamingpcsyncthing {
+ handle @internal {
+ reverse_proxy https://192.168.1.11:8384 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @laptoppcsyncthing host laptoppc-syncthing.akanealw.com
+ handle @laptoppcsyncthing {
+ handle @internal {
+ reverse_proxy https://192.168.1.12:8384 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @webmin host webmin.akanealw.com
+ handle @webmin {
+ handle @internal {
+ reverse_proxy https://192.168.1.51:10000 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ respond "ip range not allowed"
+ }
+
+ @wireguardui host wireguardui.akanealw.com
+ handle @wireguardui {
+ handle @internal {
+ reverse_proxy 192.168.1.4:5000
+ }
+ respond "ip range not allowed"
+ }
+
+ @zabbix host zabbix.akanealw.com
+ handle @zabbix {
+ handle @internal {
+ reverse_proxy 192.168.1.44:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @piholewg host pihole-wg.akanealw.com
+ handle @piholewg {
+ handle @internal {
+ redir / /admin{uri}
+ reverse_proxy 192.168.1.4:3000
+ }
+ respond "ip range not allowed"
+ }
+
+# --------------------------------------------------
+# external subdomains without authentik
+#
+#
+# @ host .akanealw.com
+# handle @ {
+# reverse_proxy 192.168.1.
+# }
+#
+#
+# --------------------------------------------------
+
+ @bitwarden host bitwarden.akanealw.com
+ handle @bitwarden {
+ reverse_proxy 192.168.1.4:8089
+ }
+
+ @giteadocker host gitea-docker.akanealw.com
+ handle @giteadocker {
+ reverse_proxy 192.168.1.4:3001
+ }
+
+ @gitea host gitea.akanealw.com
+ handle @gitea {
+ reverse_proxy 192.168.1.50:3000
+ }
+
+ @jellyfin host jellyfin.akanealw.com
+ handle @jellyfin {
+ reverse_proxy 192.168.1.42:8096
+ }
+
+# --------------------------------------------------
+# external subdomains with authentik
+#
+#
+# @ host .akanealw.com
+# handle @ {
+# import auth
+# reverse_proxy 192.168.1.
+# }
+#
+#
+# --------------------------------------------------
+
+ @memos host memos.akanealw.com
+ handle @memos {
+ handle @external {
+ import auth
+ }
+ reverse_proxy 192.168.1.4:5230
+ }
+
+ @whoami host whoami.akanealw.com
+ handle @whoami {
+ import auth
+ reverse_proxy whoami:80
+ }
+
+ @wallos host wallos.akanealw.com
+ handle @wallos {
+ import auth
+ reverse_proxy 192.168.1.4:8389
+ }
+
+ @homepage host www.akanealw.com
+ handle @homepage {
+ import auth
+ reverse_proxy 192.168.1.4:3005
+ }
+
+ @filebrowser host filebrowser.akanealw.com
+ handle @filebrowser {
+ import auth
+ reverse_proxy 192.168.1.30:8484
+ }
+
+ @archive host archive.akanealw.com
+ handle @archive {
+ import auth
+ reverse_proxy 192.168.1.30:8283
+ }
+
+ @archivebox host archivebox.akanealw.com
+ handle @archivebox {
+ import auth
+ reverse_proxy 192.168.1.30:8283
+ }
+
+ @codeserver host codeserver.akanealw.com
+ handle @codeserver {
+ import auth
+ reverse_proxy 192.168.1.50:3001
+ }
+
+ @freshrss host freshrss.akanealw.com
+ handle @freshrss {
+ import auth
+ reverse_proxy 192.168.1.30:8088
+ }
+
+ @jackett host jackett.akanealw.com
+ handle @jackett {
+ import auth
+ reverse_proxy 192.168.1.30:9117
+ }
+
+ @jdownloader host jdownloader.akanealw.com
+ handle @jdownloader {
+ import auth
+ reverse_proxy 192.168.1.30:5800
+ }
+
+ @jellyseerr host jellyseerr.akanealw.com
+ handle @jellyseerr {
+ import auth
+ reverse_proxy 192.168.1.30:5056
+ }
+
+ @kavita host kavita.akanealw.com
+ handle @kavita {
+ import auth
+ reverse_proxy 192.168.1.30:5002
+ }
+
+ @lidarr host lidarr.akanealw.com
+ handle @lidarr {
+ import auth
+ reverse_proxy 192.168.1.30:8686
+ }
+
+ @metube host metube.akanealw.com
+ handle @metube {
+ import auth
+ reverse_proxy 192.168.1.30:8082
+ }
+
+ @mstream host mstream.akanealw.com
+ handle @mstream {
+ import auth
+ reverse_proxy 192.168.1.30:3001
+ }
+
+ @nzbhydra host nzbhydra.akanealw.com
+ handle @nzbhydra {
+ import auth
+ reverse_proxy 192.168.1.30:5076
+ }
+
+ @olivetin host olivetin.akanealw.com
+ handle @olivetin {
+ import auth
+ reverse_proxy 192.168.1.30:1337
+ }
+
+ @opengist host opengist.akanealw.com
+ handle @opengist {
+ import auth
+ reverse_proxy opengist:6157
+ }
+
+ @paperless host paperless.akanealw.com
+ handle @paperless {
+ import auth
+ reverse_proxy 192.168.1.30:8112
+ }
+
+ @prowlarr host prowlarr.akanealw.com
+ handle @prowlarr {
+ import auth
+ reverse_proxy 192.168.1.30:9696
+ }
+
+ @qbittorrent host qbittorrent.akanealw.com
+ handle @qbittorrent {
+ import auth
+ reverse_proxy 192.168.1.30:8282
+ }
+
+ @radarr host radarr.akanealw.com
+ handle @radarr {
+ import auth
+ reverse_proxy 192.168.1.30:7878
+ }
+
+ @sabnzbd host sabnzbd.akanealw.com
+ handle @sabnzbd {
+ import auth
+ reverse_proxy 192.168.1.30:8181
+ }
+
+ @shlinkweb host shlink.akanealw.com
+ handle @shlinkweb {
+ import auth
+ reverse_proxy 192.168.1.30:8381
+ }
+
+ @sonarr host sonarr.akanealw.com
+ handle @sonarr {
+ import auth
+ reverse_proxy 192.168.1.30:8989
+ }
+
+ @spdf host spdf.akanealw.com
+ handle @spdf {
+ import auth
+ reverse_proxy 192.168.1.30:8086
+ }
+
+ @ittools host it-tools.akanealw.com
+ handle @ittools {
+ import auth
+ reverse_proxy 192.168.1.30:8383
+ }
+
+ @wikidocs host wiki.akanealw.com
+ handle @wikidocs {
+ import auth
+ reverse_proxy 192.168.1.30:8022
+ }
+
+}
+
+# --------------------------------------------------
+# aknlw.com root domain
+# --------------------------------------------------
+
+aknlw.com {
+ import cloudflare
+ @shlink host aknlw.com
+ handle @shlink {
+ reverse_proxy 192.168.1.30:8380
+ }
+}
+
+# --------------------------------------------------
+# *.aknlw.com subdomains
+# --------------------------------------------------
+
+repo.aknlw.com {
+ import cloudflare
+ reverse_proxy 192.168.1.50:3000
+}
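Review bot: The global options block at the top of the hunk binds the unauthenticated admin API to every interface with `admin :2019` (Caddy's default is `localhost:2019`), so any peer that can reach that port — other containers on the same Docker network, or the host if the port is published — can read and replace the running configuration; keep `admin localhost:2019` (or `admin off`) unless remote management is required, and if it is, pin it down with `enforce_origin` plus an `origins` list and network policy. In the same block, `trusted_proxies static private_ranges` combined with the `@internal`/`@external` `client_ip` matchers means the internal-only gate in front of proxmox, router, webmin, adguard and the other LAN services is decided by `X-Forwarded-For` whenever the TCP peer has any private address, so if external traffic reaches Caddy through a private-range hop (a tunnel or sidecar container — not determinable from the Caddyfile alone) a client-supplied header could satisfy `@internal`; narrow `trusted_proxies` to the actual upstream proxy address and, if Cloudflare fronts these sites, add `client_ip_headers CF-Connecting-IP` to `servers`. The repeated `tls_insecure_skip_verify` transports deserve a one-line comment stating that those backends present self-signed certificates, with `tls_trusted_ca_certs` or `tls_server_name` used instead wherever a local CA is available. Finally, the section headers say "with authentik"/"without authentik" while every site imports `auth` (the Authelia snippet) and the `(authentik)` snippet is never imported; the comments should name the provider actually in use so the unused snippet is not mistaken for the active one.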