Files
nas-tools/tmp_remote/Caddyfile_vps
T
Gan, Jimmy 3fd045aacb
Deploy Dashboard / deploy (push) Successful in 1m28s
feat: security hardening and HTTPS/SSO infrastructure configs
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00

55 lines
1.1 KiB
Plaintext

(security_headers) {
header {
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
X-XSS-Protection "1; mode=block"
-Server
}
}
(authelia) {
forward_auth 100.78.131.124:9092 {
uri /api/verify?rd=https://auth.jimmygan.com
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
# Authelia portal (no forward_auth on itself)
auth.jimmygan.com {
import security_headers
reverse_proxy 100.78.131.124:9092
}
# Protected services
nas.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:4000
}
music.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:4533 {
flush_interval -1
}
}
photos.jimmygan.com {
import security_headers
import authelia
reverse_proxy 100.78.131.124:2283 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
photos-app.jimmygan.com {
import security_headers
reverse_proxy 100.78.131.124:2283 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}