feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
This commit is contained in:
@@ -0,0 +1,54 @@
|
||||
(security_headers) {
|
||||
header {
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options SAMEORIGIN
|
||||
Referrer-Policy strict-origin-when-cross-origin
|
||||
X-XSS-Protection "1; mode=block"
|
||||
-Server
|
||||
}
|
||||
}
|
||||
|
||||
(authelia) {
|
||||
forward_auth 100.78.131.124:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
}
|
||||
|
||||
# Authelia portal (no forward_auth on itself)
|
||||
auth.jimmygan.com {
|
||||
import security_headers
|
||||
reverse_proxy 100.78.131.124:9092
|
||||
}
|
||||
|
||||
# Protected services
|
||||
nas.jimmygan.com {
|
||||
import security_headers
|
||||
import authelia
|
||||
reverse_proxy 100.78.131.124:4000
|
||||
}
|
||||
|
||||
music.jimmygan.com {
|
||||
import security_headers
|
||||
import authelia
|
||||
reverse_proxy 100.78.131.124:4533 {
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
photos.jimmygan.com {
|
||||
import security_headers
|
||||
import authelia
|
||||
reverse_proxy 100.78.131.124:2283 {
|
||||
header_up X-Forwarded-Proto https
|
||||
header_up X-Forwarded-Host {host}
|
||||
}
|
||||
}
|
||||
|
||||
photos-app.jimmygan.com {
|
||||
import security_headers
|
||||
reverse_proxy 100.78.131.124:2283 {
|
||||
header_up X-Forwarded-Proto https
|
||||
header_up X-Forwarded-Host {host}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user