Reverse-Proxy: Difference between revisions
Revision as of 23:12, 11 February 2023
| Property | Value |
|---|---|
| IP | 192.168.88.3 |
| MAC | 56:59:71:B1:85:BC |
| OS | Debian Bullseye |
| Files | x |
| RAM | 1024MB |
| Cores | 1 |
| Privileged | No |
The ReverseProxy is reachable at 192.168.88.3, which is located in the ServerVLAN.
All incoming packets from outside are forwarded to this IP.
The ReverseProxy also forces outside connections to use HTTPS/SSL and provides the SSL certificate itself.
Previously Nginx Proxy Manager and Authelia were used for the ReverseProxy (see the Guide).
Now Caddy2 is used for the ReverseProxy, because it is more stable and better integrated.
Caddy Installation

1. Download Caddy2 with the Security plugin.
2. Copy the binary to the directory:
   mv ./caddy_linux_amd64_custom /usr/bin/caddy
3. Create user and group:
   addgroup caddy
   adduser --system caddy
   adduser caddy caddy
4. Set permissions for the binary:
   chown caddy:caddy /usr/bin/caddy
   chmod 770 /usr/bin/caddy
5. Create the Caddyfile:
   nano /home/caddy/Caddyfile
In my installation I separated the configuration into many files for a better overview:
/home/caddy/
├─ Caddyfile
├─ auth/
│ ├─ local/
│ │ ├─ users.json
├─ lxc/
│ ├─ 101_adguard
│ ├─ 102_reverse_proxy
│ ├─ ...
├─ security
├─ vm/
│ ├─ 200_truenas
│ ├─ 201_home_assitant
│ ├─ ...
"Caddyfile" contains the general Caddy configuration.
"users.json" is created by the security plugin and contains the local users (https://authp.github.io/docs/authenticate/local/local).
"security" contains the configuration for the auth portal (security plugin):
<syntaxhighlight lang="console">
# =========== AUTH-PORTAL SETTINGS ===========
{
    # Global security setting
    order authenticate before respond
    order authorize before reverse_proxy

    # Configure how to handle login credentials
    # With this config they are stored locally in users.json
    security {
        local identity store localdb {
            realm local
            path /home/caddy/auth/local/users.json
        }

        # Configure the authentication portal
        authentication portal myportal {
            # Key handling settings
            # Stay logged in for 12h
            crypto default token lifetime 43200
            crypto key sign-verify {env.JWT_SHARED_KEY}

            # Identity providers
            enable identity store localdb

            # Cookie settings
            cookie domain flowerhouse.at

            # Links shown in authentication portal
            ui {
                links {
                    # ICONS: https://icons8.com/line-awesome
                    "My Identity" "/whoami" icon "las la-user"
                    "Portal Settings" "/settings" icon "las la-c>
                }
            }

            # Configure how to handle local user
            transform user {
                # Check with identity provider "local"
                match origin local
                # Add user role
                action add role authp/user
                # Force Multi-Factor Authentication
                require mfa
            }
        }

        # Create admin policy
        authorization policy admins_policy {
            set auth url https://auth.flowerhouse.at
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
        }
    }
}
</syntaxhighlight>
"lxc/" contains proxy config for every ProxMox LXC, for example:
<syntaxhighlight lang="console">
# =========== LXC 101 - AdGuard ===========
dns.flowerhouse.at {
    # Import security and privacy headers
    import security_header
    import content_policy
    # Use auth portal for security
    authorize with admins_policy
    reverse_proxy http://192.168.88.4:80
}
</syntaxhighlight>
"vm/" contains proxy config for every ProxMox VM, for example:
<syntaxhighlight lang="console">
# =========== VM 200 - TrueNAS ===========
nas.flowerhouse.at {
    # Import security and privacy headers
    import security_header
    import content_policy
    # Additional content policy
    # (Caddyfile header syntax is "header <field> <value>", without a colon after the field name)
    header Access-Control-Allow-Origin https://nas.flowerhouse.at https://nas.f>
    header Access-Control-Allow-Methods GET
    #header Access-Control-Allow-Credentials true
    # Use auth portal for security
    authorize with admins_policy
    # WebUI
    reverse_proxy http://192.168.88.5:80
}
</syntaxhighlight>
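The per-host files above `import security_header` and `import content_policy`, and the file tree lists a `Caddyfile` whose contents the page does not show. The following is an added example of a top-level Caddyfile that ties those pieces together; it is not the author's file. Only the names come from the page (the `security` file, the `lxc/` and `vm/` directories, the two snippet names, `myportal`, `admins_policy` and `auth.flowerhouse.at`); everything else is an assumption: the header values in the two snippets are conservative defaults to be tuned per application, and the `auth.flowerhouse.at` site block is where the portal itself is served.

```caddyfile
# Added example of /home/caddy/Caddyfile (assumed layout, not the page's own file).
# The "security" file starts with "{", i.e. it IS the global options block, so it
# has to be imported first and no second global options block may appear here.
import security

# Reusable headers, pulled into each host with "import security_header".
# Values are assumed defaults; relax them per application if a web UI breaks.
(security_header) {
    header {
        # Pin clients to HTTPS for one year, subdomains included
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # No MIME sniffing, no framing by other sites, minimal referrer leakage
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        # Do not advertise the server software
        -Server
    }
}

# Content Security Policy, pulled in with "import content_policy".
# "default-src 'self'" is a strict starting point; many web UIs need an
# explicit allowance for inline scripts or styles on top of it.
(content_policy) {
    header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
}

# The portal named "myportal" in the security file has to be served by some host;
# "admins_policy" sends unauthenticated users to this URL (assumed host block).
auth.flowerhouse.at {
    import security_header
    authenticate with myportal
}

# One file per container and VM, as shown above. Snippets must be defined
# before the files that import them, hence the order in this file.
import lxc/*
import vm/*
```

Validate with `caddy validate --config /home/caddy/Caddyfile` before reloading, and make sure `JWT_SHARED_KEY` is set in the environment of the process that runs Caddy, since both the portal's `sign-verify` key and the policy's `verify` key are read from it. Note also that `transform user` adds `authp/user` to every local account and `admins_policy` allows that role, so every user in `users.json` can reach every proxied host; a host that should stay admin-only needs its own authorization policy that allows only `authp/admin`.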