feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
This commit is contained in:
Executable
+73
@@ -0,0 +1,73 @@
|
||||
{
|
||||
https_port 8443
|
||||
http_port 8880
|
||||
servers {
|
||||
protocols h1 h2
|
||||
}
|
||||
}
|
||||
|
||||
# Authelia endpoint (no forward_auth on itself)
|
||||
auth.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
reverse_proxy localhost:9092
|
||||
}
|
||||
|
||||
# Protected services with forward_auth
|
||||
nas.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth localhost:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy localhost:4000
|
||||
}
|
||||
|
||||
music.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth localhost:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy localhost:4533 {
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
n8n.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth localhost:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy localhost:5678
|
||||
}
|
||||
|
||||
ldap.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth localhost:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy localhost:17170
|
||||
}
|
||||
|
||||
git.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth localhost:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy localhost:3300
|
||||
}
|
||||
Reference in New Issue
Block a user