john/Prod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add caddy/Caddyfile

Browse Source
This commit is contained in:
john
2025-11-27 16:51:18 +00:00
parent 29c72586da
commit 06c9b0abe8
1 changed files with 237 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

237
caddy/Caddyfile Normal file
View File

@@ -0,0 +1,237 @@
# Caddyfile on production cluster
{
# Global options, omly one such block at the head of the file
servers {
trusted_proxies static 192.168.1.0/24 2a00:23c6::/32
}
# make admin available to all trusted nodes on the network
admin :2019
metrics
}
#
#
# For Authelis
#
(trusted_proxy_list) {
trusted_proxies 192.168.1.0/24 2a00:23c6::/32
}
(secure_site) {
forward_auth {args[0]} 192.168.1.1:9091 {
uri /api/verify?rd=https://auth.johnsnexus.click
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
import trusted_proxy_list
header_up Host {upstream_hostport}
}
}
#
# it appears you need this to allow prometheus on a remote node to scrape the metrics
:2019 {
handle {
metrics
}
}
#
# Snippet for basic authorisation
#
(basic-auth) {
basic_auth {
john.anderson $2a$10$T.yetVs9CmektYsaU8RqYu37fVaFAsPDLf90lsDDfxLkaC.zWH3Oi
mary.anderson $2a$10$UOuB5DpDcKRho0rRPDCmCeFlDSx/f6Bkwqpw8CEeQCbAGA0yULcny
frazer.anderson $2a$10$UleGw5O0BB18XtSenFSawudO.qKbNVMFU772XMP4cAAUbWzRo/zr6
chris.anderson $2a$10$1MeL9m8M7FW/k6/DW3HB1.rkijS3qao8RraNO/tJKN8OuRTCzc3fK
ruth.hoyos $2a$10$9z/3SajAWhxJfu6Xs1lbEeuPpZWUzcuBI/8n5hfv5FUqt11Uxo92S
sarah.anderson-beecham $2a$10$.8J1FMBwGDr8XSXCMWcn2ODxSW6txLEqSBHZmA6zQs8qQCDT2KbR2
fiona.green $2a$10$Nid0Lg6Wauwi/5BN4N2H5u8T6XumK4EE2MBxZaKXajxUAuUXPEvGO
helen.crichton $2a$10$zOcnxMCr62NtNK3YTaWbRuOclI/lC1Lkn1RidTOxkgBTgruQgfg9K
david.rawsthorne $2a$10$OIALdPjjQT6i5exUg8GtmOGk4BD4WmanmDhF7wCVH/IbpQQSt6PAS
peter.rawsthorne $2a$10$asUwJpdwc4QlGc8b1A1v7ukBCIQTlzm59uRnBH6AnWiK6NAECW03S
marilyn.pope $2a$10$6iD1J3FVmFbY7i02gQaF0eu1fY4ufUsXiXMyc1G9YfXbYKwuamjI2
alan.potts $2a$10$tzbIZwIuzcdrIzJICIS1oeadwoKyr3JqL2Ec9aB8Dj.MR4Q7lMcV.
kate.griffin $2a$10$9R57yOgGilEPZNwCbjWHeOu/ytTv4SLbW0P/plRnI.GqHe3w3IJjO
craig.johnson $2a$10$LQf3tK0ZHl63LHybpDfSdu1WT9OtcLeNZTfCwniPlmuqHiNF.yOq6
grant.johnson $2a$10$7XZ3aoQdL/fLex48t6hgi.p9Xt3yNJNIXJKflxChprwT5O9zPy2hG
barbara.wright $2a$10$Mlp0Y2wPzzomL1EnTInS2u18yv7ksMY.ATURzQz4luRRe2JwBMEJS
janet.kennedy $2a$10$/8VCpm68CLSF2zSL5sHtR.hzwJ.h3cX3r8XHogHbz8o7KIYPDHOVW
}
}
#
# Authelia from HOSTS
#
auth.johnsnexus.click {
reverse_proxy 192.168.1.1:9091 {
import trusted_proxy_list
}
}
#
# Locally hosted site
#
testcaddy.johnsnexus.click {
root * /usr/share/caddy # compose file points to this
php_fastcgi 192.168.1.1:80
file_server
}
#
# Family history web site via container on this cluster
#
sandancer.ddnsfree.com {
root * /var/www/html
file_server
# reverse_proxy 192.168.1.1:8888
reverse_proxy famhistweb_famhistweb
}
#
# PocketID OIDC security, come here from DYNU, running on OMEGA to access token device
#
https://hold.johnsnexus.click {
reverse_proxy 192.168.1.5:1411
}
#
# Test GHOST site on ELITE cluster
#
ghost.johnsnexus.click {
root * /var/www/mymag
file_server
reverse_proxy 192.168.1.4:2368
}
#
# Fanily History Web site on Production cluster system, come here via HOSTS file
#
nextfamhistweb.johnsnexus.click {
# import basic-auth
import secure_site *
# root * /usr/local/apache2/htdocs
# file_server
reverse_proxy nextfamhistweb_nextfamhistweb {
import trusted_proxy_list
}
}
#
# Test web site on Production Cluster, come here via HOSTS file
# an example of a non-secure site on a different domain
#
http://northweb.johns.study {
import basic-auth
root * /usr/local/apache2/htdocs
file_server
reverse_proxy testweb_testweb
}
#
# Test version of paperless-ngx on Elite cluster, come here via HOSTS file
#
wastebin.johnsnexus.click {
file_server
reverse_proxy 192.168.1.4:8600
}
#
# Version of pydio cells on NODE-16 using SAMBA volume - DYNU public address
#
pydiocells.johnsnexus.click {
# tls tls@johnsnexus.click
reverse_proxy 192.168.1.4:8888 {
transport http {
tls
tls_insecure_skip_verify
}
}
}
#
# Nextcloud AIO on NODE-16, was Beta (220 or 9)
#
https://amudanan.johnsnexus.click:443 {
header Strict-Transport-Security max-age=15552000
file_server
reverse_proxy http://192.168.1.16:11000
}
#
# OWNCLOUD on BEES swarm via DYNU
#
mycloud.johnsnexus.click {
header Strict-Transport-Security max-age=15552000
file_server
reverse_proxy 192.168.1.3:8080
}
#
code.johnsnexus.click {
encode gzip
file_server
reverse_proxy https://192.168.1.3:9980 {
transport http {
tls_insecure_skip_verify
}
}
}
#
# Vaultwarden on Production Cluster, come here via HOSTS
#
#warden.johnsnexus.click {
# reverse_proxy http://192.168.1.1:80
#}
#
# SongKong on VALHALLA, come here via DYNU
https://chord.johnsnexus.click {
root * /music
file_server
reverse_proxy http://192.168.1.7:4567
}
##
# n8n running on DELTA, come here via DYNU
#
donut.johnsnexus.click {
reverse_proxy http://192.168.1.10:5678 {
flush_interval -1
}
}
#
# CTiO magazine using Ghost on production
#
ctio.johnsnexus.click {
file_server
reverse_proxy 192.168.1.1:2368
}
#
#****************************************
#
# Hoarder from hosts file, keep in extenal domain
# Needs SSL; leave as explicit address; use 3200 as gitea uses 3000
#
hoarder.johnsnexus.click {
reverse_proxy 192.168.1.4:3200
}
#
# # although "prod" it runs on Elite Cluster
grafana.johnsnexus.click {
# file_server
reverse_proxy 192.168.1.4:3030
}
# new gitea on elite cluster
mygit.johnsnexus.click {
reverse_proxy 192.168.1.4:3000
}
#
# copy of mygit on the production cluster
gitea.johnsnexus.click {
file_server
reverse_proxy 192.168.1.1:3000
}
#
gotify.johnsnexus.click {
reverse_proxy 192.168.1.4:8111
}
#
# Portainer manageed on ELITE cluster, come here via HOSTS
# Use port 9000 not 9443
portainer.johnsnexus.click {
reverse_proxy 192.168.1.4:9000
}
#
# Open Media Vault from HOSTS file
#
omv.valhalla.johnsnexus.click {
reverse_proxy 192.168.1.7
}
#
omv.paradise.johnsnexus.click {
reverse_proxy 192.168.1.8
}