new env var options to restrict a cluster. cleaner/simpler if -v- range usage #12

Merged
merged 3 commits into from
Nov 5, 2024
3 changes: 3 additions & 0 deletions Dockerfile
Expand Up @@ -10,6 +10,9 @@ ENV TRUSTED_PROXIES "private_ranges"
ENV FIRST ""
ENV REVERSE_PROXY ""
ENV ON_DEMAND_TLS_ASK ""
ENV HTTP_DISABLED ""
ENV ALLOWED_REMOTE_IPS ""
ENV SELF_MANAGED_CERTS ""
ENV HOST_UNAME Linux

# replaced at runtime:
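Review bot: The three new `ENV ... ""` defaults give no hint of the value the template tests for, and etc/Caddyfile.ctmpl in this PR compares one of them with `eq (env "HTTP_DISABLED") "true"` exactly, so a value of `1`, `yes` or `True` leaves plain HTTP enabled with no error. A comment above the new lines along the lines of `# HTTP_DISABLED: exactly "true" answers plain-HTTP requests with 403 instead of redirecting to HTTPS` and `# ALLOWED_REMOTE_IPS: space-separated IPs/CIDRs for Caddy's remote_ip matcher; empty = no restriction` would make that fail-open default visible to operators. Which of the nine lines are the additions is not marked on this page; I am assuming they are HTTP_DISABLED, ALLOWED_REMOTE_IPS and SELF_MANAGED_CERTS, the names the template newly reads.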
75 changes: 56 additions & 19 deletions etc/Caddyfile.ctmpl
@@ -1,5 +1,5 @@
{
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
on_demand_tls {
ask {{ env "ON_DEMAND_TLS_ASK" }}
interval 1m
Expand All @@ -19,41 +19,50 @@ http:// {


# start off with nice, easy way(s) to get to nomad

{{ range env "NOMAD_ADDR_EXTRA" | split "," }}
{{- $NAMES_INTO_NOMAD := env "FQDN" }}
{{- $extra := env "NOMAD_ADDR_EXTRA" }}
{{- if ne $extra "" }}
{{ $NAMES_INTO_NOMAD = (print $NAMES_INTO_NOMAD "," $extra) }}
{{- end }}
{{- range $NAMES_INTO_NOMAD | split "," }}
https://{{- . }} {
reverse_proxy localhost:4646
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
tls {
on_demand
}
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}
log
}
{{ end }}


{{ env "FQDN" }} {
reverse_proxy localhost:4646
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
reverse_proxy localhost:4646
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := . }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
{{ end }}


# REVERSE_PROXY section start
{{ range env "REVERSE_PROXY" | split "," -}}
{{- $hosty := . | regexReplaceAll ":[0-9][0-9]+.*$" "" -}}
{{- $port := . | regexReplaceAll "^.*:([0-9][0-9]+).*$" "$1" -}}
{{- if . | regexMatch "^https://" -}}
{{ $hosty }} {
reverse_proxy localhost:{{ $port }}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $hosty }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
Expand All @@ -64,19 +73,28 @@ https://{{- . }} {
{{ else }}
https://{{ $hosty }} {
reverse_proxy localhost:{{ $port }}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $hosty }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
http://{{ $hosty }} {
{{ if eq (env "HTTP_DISABLED") "true" }}
respond Forbidden 403
{{ else }}
redir https://{host}{uri} permanent
{{ end }}
}
{{ end }}
{{ end }}

# REVERSE_PROXY section end


# NOTE: two styles of possible origins:
Expand Down Expand Up @@ -110,20 +128,38 @@ http://{{ $hosty }} {


{{ $origin }} {
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}

reverse_proxy {{ range $services }} {{ .Address }}:{{ .Port }} {{ end }} {
lb_policy least_conn
trusted_proxies {{ env "TRUSTED_PROXIES" }}
}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $origin }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}

{{- if $origin | regexReplaceAll "^https://" "" | regexMatch ":" }}{{- else }}
http://{{ $origin | regexReplaceAll "^https://" "" }} {
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}

{{ if eq (env "HTTP_DISABLED") "true" }}
respond Forbidden 403
{{ else }}
@hsts-on {
not {
header_regexp X-HSTS "off"
Expand All @@ -135,6 +171,7 @@ http://{{ $origin | regexReplaceAll "^https://" "" }} {
lb_policy least_conn
}
log
{{ end }}
}
{{- end -}}
{{- end -}}
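Review bot: The new allowlist `@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}` (in the nomad block and the two copies in the `{{ $origin }}` https and http blocks) matches the TCP peer address, so if this Caddy runs behind the load balancer or proxy that `trusted_proxies {{ env "TRUSTED_PROXIES" }}` suggests is anticipated, every request arrives from the proxy's address and the list either blocks all clients or admits all of them. Where a forwarding proxy is expected the matcher should be `client_ip`, which honours Caddy's trusted_proxies global option, and the template should state that `ALLOWED_REMOTE_IPS` is a space-separated list of IPs/CIDRs, since this template splits its other env lists on `,` and a comma-joined value would not be parsed as separate addresses. The REVERSE_PROXY site blocks in this section appear not to receive the `@blocked` matcher, which looks inconsistent with the nomad and `$origin` blocks unless that is intended. Whether the `{{ env "FQDN" }} {` block survives on the new side is not recoverable from this page, so the nomad-block point is hedged accordingly.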