Reverse-Proxy: Difference between revisions

From FlowerHouseWiki
No edit summary
No edit summary
Line 53: Line 53:
│  ├─ 102_reverse_proxy
│  ├─ 102_reverse_proxy
│  ├─ ...
│  ├─ ...
├─ network
├─ security
├─ security
├─ vm/
├─ vm/
Line 59: Line 58:
│  ├─ 201_home_assitant
│  ├─ 201_home_assitant
│  ├─ ...
│  ├─ ...
</syntaxhighlight>
<p>"Caddyfile" containts general caddy configuration</p>
<syntaxhighlight lang="console">
</syntaxhighlight>
<p>"users.json" is created by the security plugin an contains the [https://authp.github.io/docs/authenticate/local/local local users]</p>
<p>"security" contains configuration for the auth portal (security plugin)</p>
<syntaxhighlight lang="console">
</syntaxhighlight>
# =========== AUTH-PORTAL SETTINGS ===========
{
        # Global security setting
        order authenticate before respond
        order authorize before reverse_proxy
        # Configure how to handle login credentials
        # With this config they are stored locally in users.json
        security {
                local identity store localdb {
                        realm local
                        path /home/caddy/auth/local/users.json
                }
                # Configure the authentication portal
                authentication portal myportal {
                        # Key handling settings
                        # Stay logged in for 12h
                        crypto default token lifetime 43200
                        crypto key sign-verify {env.JWT_SHARED_KEY}
                        # Identity providers
                        enable identity store localdb
                        # Cooke settigs
                        cookie domain flowerhouse.at
                        # Links shown in authentication portal
                        ui {
                                links {
                                        # ICONS: https://icons8.com/line-awesome
                                        "My Identity" "/whoami" icon "las la-user"
                                        "Portal Settings" "/settings" icon "las la-c>
                                }
                        }
                        # Configure how to handle local user
                        transform user {
                                # Check with identity provider "local"
                                match origin local
                                # Add user role
                                action add role authp/user
                                # Force Multi-Factor Authentication
                                require mfa
                        }
                }
                # Create admin policy
                authorization policy admins_policy {
                        set auth url https://auth.flowerhouse.at
                        allow roles authp/admin authp/user
                        crypto key verify {env.JWT_SHARED_KEY}
                }
        }
}
</syntaxhighlight>
<p>"lxc/" contains proxy config for every ProxMox LXC, for example:</p>
<syntaxhighlight lang="console">
# =========== LXC 101 - AdGuard ===========
dns.flowerhouse.at {
        # Import security and privacy headers
        import security_header
        import content_policy
        # Use auth portal for security
        authorize with admins_policy
        reverse_proxy http://192.168.88.4:80
}
</syntaxhighlight>
<p>"vm/" contains proxy config for every ProxMox VM, for example:</p>
<syntaxhighlight lang="console">
# =========== VM 200 - TrueNAS ===========
nas.flowerhouse.at {
        # Import security and privacy headers
        import security_header
        import content_policy
        # Additional content policy
        header Access-Control-Allow-Origin: https://nas.flowerhouse.at https://nas.f>
        header Access-Control-Allow-Methods: GET
        #header Access-Control-Allow-Credentials: true   
        # Use auth portal for security
        authorize with admins_policy
        # WebUI
        reverse_proxy http://192.168.88.5:80
}
</syntaxhighlight>
<p></p>
<syntaxhighlight lang="console">
</syntaxhighlight>
</syntaxhighlight>



Revision as of 23:12, 11 February 2023

Reverse-Proxy-LXC
Reverse proxy.png

Network


IP: 192.168.88.3
MAC: 56:59:71:B1:85:BC

System


OS: Debian Bullseye
Files: x
RAM: 1024MB
Cores: 1
Privileged: No

The ReverseProxy is reachable under 192.168.88.3 which is located in the ServerVLAN.

Every incoming packages from outside are forwarded to this IP.

The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a SSL-Certificate.

Previously Nginx Proxy Manager and Authelia was used for ReverseProxy: Guide

Now Caddy2 is used for the ReverseProxy, because it's more stable and integrated

Caddy Installation

Download Caddy2 with Security Plugin

Copy binary to directory

mv ./caddy_linux_amd64_custom /usr/bin/caddy

Create user and group

addgroup caddy
adduser --system caddy
adduser caddy caddy

Set permissions for binary

chown caddy:caddy /usr/bin/caddy
chmod 770 /usr/bin/caddy

Create caddy file

nano /home/caddy/Caddyfile

In my installation I separated many config files for better overview:

/home/caddy/
├─ Caddyfile
├─ auth/
│  ├─ local/
│  │  ├─ users.json
├─ lxc/
│  ├─ 101_adguard
│  ├─ 102_reverse_proxy
│  ├─ ...
├─ security
├─ vm/
│  ├─ 200_truenas
│  ├─ 201_home_assitant
│  ├─ ...

"Caddyfile" containts general caddy configuration

"users.json" is created by the security plugin an contains the local users

"security" contains configuration for the auth portal (security plugin)

  1. =========== AUTH-PORTAL SETTINGS ===========

{

       # Global security setting
       order authenticate before respond
       order authorize before reverse_proxy
       # Configure how to handle login credentials
       # With this config they are stored locally in users.json
       security {
               local identity store localdb {
                       realm local
                       path /home/caddy/auth/local/users.json
               }
               # Configure the authentication portal
               authentication portal myportal {
                       # Key handling settings
                       # Stay logged in for 12h
                       crypto default token lifetime 43200
                       crypto key sign-verify {env.JWT_SHARED_KEY}
                       # Identity providers
                       enable identity store localdb
                       # Cooke settigs
                       cookie domain flowerhouse.at
                       # Links shown in authentication portal
                       ui {
                               links {
                                       # ICONS: https://icons8.com/line-awesome
                                       "My Identity" "/whoami" icon "las la-user"
                                       "Portal Settings" "/settings" icon "las la-c>
                               }
                       }
                       # Configure how to handle local user
                       transform user {
                               # Check with identity provider "local"
                               match origin local
                               # Add user role
                               action add role authp/user
                               # Force Multi-Factor Authentication
                               require mfa
                       }
               }
               # Create admin policy
               authorization policy admins_policy {
                       set auth url https://auth.flowerhouse.at
                       allow roles authp/admin authp/user
                       crypto key verify {env.JWT_SHARED_KEY}
               }
       }

} </syntaxhighlight>

"lxc/" contains proxy config for every ProxMox LXC, for example:

# =========== LXC 101 - AdGuard ===========
dns.flowerhouse.at {
        # Import security and privacy headers
        import security_header
        import content_policy

        # Use auth portal for security
        authorize with admins_policy

        reverse_proxy http://192.168.88.4:80
}

"vm/" contains proxy config for every ProxMox VM, for example:

# =========== VM 200 - TrueNAS ===========
nas.flowerhouse.at {
        # Import security and privacy headers
        import security_header
        import content_policy

        # Additional content policy
        header Access-Control-Allow-Origin: https://nas.flowerhouse.at https://nas.f>
        header Access-Control-Allow-Methods: GET
        #header Access-Control-Allow-Credentials: true    

        # Use auth portal for security
        authorize with admins_policy

        # WebUI
        reverse_proxy http://192.168.88.5:80
}