feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s

- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
This commit is contained in:
Gan, Jimmy
2026-02-28 22:25:39 +08:00
parent 8c30fb7a3a
commit 3fd045aacb
8 changed files with 338 additions and 4 deletions
+73
View File
@@ -0,0 +1,73 @@
{
https_port 8443
http_port 8880
servers {
protocols h1 h2
}
}
# Authelia endpoint (no forward_auth on itself)
auth.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy localhost:9092
}
# Protected services with forward_auth
nas.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth localhost:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy localhost:4000
}
music.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth localhost:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy localhost:4533 {
flush_interval -1
}
}
n8n.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth localhost:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy localhost:5678
}
ldap.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth localhost:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy localhost:17170
}
git.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth localhost:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy localhost:3300
}
+54
View File
@@ -0,0 +1,54 @@
(security_headers) {
header {
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
X-XSS-Protection "1; mode=block"
-Server
}
}
(authelia) {
forward_auth 100.78.131.124:9092 {
uri /api/verify?rd=https://auth.jimmygan.com
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
# Authelia portal (no forward_auth on itself)
auth.jimmygan.com {
import security_headers
reverse_proxy 100.78.131.124:9092
}
# Protected services
nas.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:4000
}
music.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:4533 {
flush_interval -1
}
}
photos.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:2283 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
photos-app.jimmygan.com {
import security_headers
reverse_proxy 100.78.131.124:2283 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
+9
View File
@@ -0,0 +1,9 @@
address=/nas.jimmygan.com/100.78.131.124
address=/music.jimmygan.com/100.78.131.124
address=/n8n.jimmygan.com/100.78.131.124
address=/auth.jimmygan.com/100.78.131.124
address=/ldap.jimmygan.com/100.78.131.124
address=/git.jimmygan.com/100.78.131.124
server=223.5.5.5
server=119.29.29.29
no-resolv