From bce4a0ba8fa8e5cc4dc33736b3629a9392740643 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Wed, 11 Dec 2024 15:35:57 +0100
Subject: [PATCH 1/3] improve caddy
---
 .editorconfig | 9 +++++++
 proxy/Caddyfile | 49 ++++++++++++++++++++++-----------------
 proxy/docker-compose.yaml | 2 ++
 3 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/.editorconfig b/.editorconfig
index b7a329e..8237425 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -22,3 +22,12 @@ end_of_line = lf
 indent_style = space
 indent_size = 4
 tab_width = 4
+
+[Caddyfile]
+indent_style = tab
+indent_size = 4
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index fcc0f48..7352500 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -1,44 +1,51 @@
 {
- auto_https off
+ auto_https off
+ log default {
+ output stdout
+ format console
+ }
 }
-http://whoami.lan {
- reverse_proxy whoami:80
+http://whoami.{$DOMAIN} {
+ reverse_proxy whoami:80
 }
-http://dashboard.lan {
- reverse_proxy homer:8080
+http://dashboard.{$DOMAIN} {
+ reverse_proxy homer:8080
 }
-http://hassi.lan {
-# reverse_proxy homeassistant:8123
- reverse_proxy dockerhost-1.lan:8123
+http://hassi.{$DOMAIN} {
+ # reverse_proxy homeassistant:8123
+ reverse_proxy {host}:8123
 }
-http://zigbee2mqtt.lan {
- reverse_proxy zigbee2mqtt:8080
+http://zigbee2mqtt.{$DOMAIN} {
+ reverse_proxy zigbee2mqtt:8080
 }
-http://jellyfin.lan {
- reverse_proxy jellyfin:8096
+http://jellyfin.{$DOMAIN} {
+ reverse_proxy jellyfin:8096
 }
-http://paperless.lan {
- reverse_proxy paperless-ngx:8000
+http://paperless.{$DOMAIN} {
+ reverse_proxy paperless-ngx:8000
 }
-http://download.lan {
- reverse_proxy pyload:8000
+http://download.{$DOMAIN} {
+ reverse_proxy pyload:8000
 }
-http://uptime.lan {
- reverse_proxy uptime-kuma:3001
+http://uptime.{$DOMAIN} {
+ reverse_proxy uptime-kuma:3001
 }
-http://torrent.lan {
- reverse_proxy transmission:9091
+http://torrent.{$DOMAIN} {
+ reverse_proxy transmission:9091
 }
 :80, :443 {
- respond 404
+ respond "404 Not Found" 404
+ handle_errors {
+ respond "{err.status_code} {err.status_text}" {err.status_code}
+ }
 }
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index b9e91d5..1a53113 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -11,6 +11,8 @@ services:
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
 networks:
 - web
+ environment:
+ - DOMAIN=${DOMAIN}
 whoami:
From fc86424caa7abdfe82021bd3f853554acc076f1f Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Mon, 10 Feb 2025 18:32:09 +0100
Subject: [PATCH 2/3] improvements
---
 paperless/docker-compose.yaml | 5 ++++-
 torrent/docker-compose.yaml | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
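Review bot: `reverse_proxy {host}:8123` in the hassi block makes the upstream address come from the request's Host header; it only works because the site address `http://hassi.{$DOMAIN}` already restricts Host to that one name, so the placeholder resolves to `hassi.<DOMAIN>` and presumably lands back on the Docker host that runs Home Assistant. That is an indirect way to say "proxy to the host this container runs on", and the moment someone widens the site address (a `:80` catch-all, a wildcard) the upstream becomes request-controlled. Name the target explicitly instead, e.g. restore the hostname this commit removes or use `host.docker.internal:8123` with a matching `extra_hosts` entry, and add `# Home Assistant runs on the Docker host, not on the web network` so the next reader does not reintroduce the placeholder. `{$DOMAIN}` also expands to an empty string when the variable is unset, producing addresses like `http://whoami.`; `{$DOMAIN:lan}` keeps the old default.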
diff --git a/paperless/docker-compose.yaml b/paperless/docker-compose.yaml
index 6c30a30..20b0079 100644
--- a/paperless/docker-compose.yaml
+++ b/paperless/docker-compose.yaml
@@ -53,11 +53,13 @@ services:
 - PAPERLESS_OCR_LANGUAGES=deu eng
 - PAPERLESS_URL=http://paperless.${DOMAIN}
 - PAPERLESS_OCR_LANGUAGE=deu
- - PAPERLESS_FILENAME_FORMAT={correspondent}/{created} {title}
+ #- PAPERLESS_FILENAME_FORMAT={correspondent}/{created} {title}
+ - PAPERLESS_FILENAME_FORMAT={{ correspondent }}/{{ created }} {{ title }}
 - PAPERLESS_CONSUMER_POLLING=60
 - USERMAP_UID=1000
 - USERMAP_GID=1000
 - PAPERLESS_PRE_CONSUME_SCRIPT=/usr/src/paperless/scripts/removePdfPassword.py
+ - PAPERLESS_OCR_USER_ARGS=${USER_ARGS_JSON}
 labels:
 - "docker.group=paperless"
@@ -66,3 +68,4 @@ networks:
 paperless:
 web:
 external: true
+
diff --git a/torrent/docker-compose.yaml b/torrent/docker-compose.yaml
index 6331459..f5b6923 100644
--- a/torrent/docker-compose.yaml
+++ b/torrent/docker-compose.yaml
@@ -13,7 +13,7 @@ services:
 networks:
 - web
 ports:
-# - 9091:9091
+ - 9091:9091
 - 51413:51413
 - 51413:51413/udp
 restart: unless-stopped
From e2666bdfadc8a0eaa2365e6e8b24e05332db7928 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Fri, 14 Mar 2025 13:45:01 +0100
Subject: [PATCH 3/3] enable https with caddy root ca
---
 proxy/Caddyfile | 117 +++++++++++++++++++++++++-------------
 proxy/docker-compose.yaml | 6 ++
 proxy/web/default.css | 13 +++++
 proxy/web/index.html | 72 +++++++++++++++++++++++
 4 files changed, 167 insertions(+), 41 deletions(-)
 create mode 100644 proxy/web/default.css
 create mode 100644 proxy/web/index.html
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index 7352500..c155caf 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
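Review bot: `PAPERLESS_OCR_USER_ARGS=${USER_ARGS_JSON}` forwards an OCRmyPDF argument object straight from the environment, and compose substitutes an unset variable with an empty string, so a missing `USER_ARGS_JSON` leaves the container with an empty value that paperless will presumably reject when it parses it as JSON. Use `${USER_ARGS_JSON:?USER_ARGS_JSON must hold a JSON object of OCRmyPDF options}` so the mistake surfaces at `compose up`, or drop the line when no extra options are needed, and keep a comment listing which keys are expected since this knob passes options through to the OCR engine. The commented-out `#- PAPERLESS_FILENAME_FORMAT=` line above its replacement is dead config; a `# double braces: paperless-ngx moved to Jinja-style placeholders` comment explains the change without it. The `environment:` list these entries belong to starts above the hunk.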
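Review bot: Uncommenting `- 9091:9091` publishes Transmission's web UI and RPC port on every host interface, so it is reachable in plaintext by anyone on the LAN without passing through the Caddy proxy that `reverse_proxy transmission:9091` already provides, and the earlier commit had deliberately left it disabled. If direct access is only needed from the host, bind it to loopback with `- 127.0.0.1:9091:9091`; if it is not needed at all, remove the line and keep the proxy as the single entry point. Unlike 51413, which has to be published for peers, 9091 accepts control of the client, so it deserves the narrowest exposure you can give it. The service block that owns this `ports:` list starts above the hunk.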
@@ -1,51 +1,86 @@
 {
- auto_https off
+ auto_https disable_redirects
+ local_certs
+ pki {
+ ca local {
+ name "{$LOCAL_CA_NAME}"
+ }
+ }
 log default {
 output stdout
 format console
 }
 }
-http://whoami.{$DOMAIN} {
- reverse_proxy whoami:80
-}
-
-http://dashboard.{$DOMAIN} {
- reverse_proxy homer:8080
-}
-
-http://hassi.{$DOMAIN} {
- # reverse_proxy homeassistant:8123
- reverse_proxy {host}:8123
-}
-
-http://zigbee2mqtt.{$DOMAIN} {
- reverse_proxy zigbee2mqtt:8080
-}
-
-http://jellyfin.{$DOMAIN} {
- reverse_proxy jellyfin:8096
-}
-
-http://paperless.{$DOMAIN} {
- reverse_proxy paperless-ngx:8000
-}
-
-http://download.{$DOMAIN} {
- reverse_proxy pyload:8000
-}
-
-http://uptime.{$DOMAIN} {
- reverse_proxy uptime-kuma:3001
-}
-
-http://torrent.{$DOMAIN} {
- reverse_proxy transmission:9091
-}
-
-:80, :443 {
- respond "404 Not Found" 404
+(errorhandler) {
 handle_errors {
- respond "{err.status_code} {err.status_text}" {err.status_code}
+ root * /usr/share/caddy/web
+ rewrite * /error.html
+ templates
+ file_server {
+ status {err.status_code}
+ }
 }
 }
+
+(localtls) {
+ tls internal
+}
+
+whoami.{$DOMAIN} http://whoami.{$DOMAIN} {
+ reverse_proxy whoami:80
+ import errorhandler
+}
+
+dashboard.{$DOMAIN} http://dashboard.{$DOMAIN} {
+ reverse_proxy homer:8080
+ import errorhandler
+}
+
+hassi.{$DOMAIN} http://hassi.{$DOMAIN} {
+ # reverse_proxy homeassistant:8123
+ reverse_proxy {host}:8123
+ import errorhandler
+}
+
+zigbee2mqtt.{$DOMAIN} http://zigbee2mqtt.{$DOMAIN} {
+ reverse_proxy zigbee2mqtt:8080
+ import errorhandler
+}
+
+jellyfin.{$DOMAIN} http://jellyfin.{$DOMAIN} {
+ reverse_proxy jellyfin:8096
+ import errorhandler
+}
+
+paperless.{$DOMAIN} http://paperless.{$DOMAIN} {
+ reverse_proxy paperless-ngx:8000
+ import errorhandler
+}
+
+download.{$DOMAIN} http://download.{$DOMAIN} {
+ reverse_proxy pyload:8000
+ import errorhandler
+}
+
+uptime.{$DOMAIN} http://uptime.{$DOMAIN} {
+ reverse_proxy uptime-kuma:3001
+ import errorhandler
+}
+
+torrent.{$DOMAIN} http://torrent.{$DOMAIN} {
+ reverse_proxy transmission:9091
+ import errorhandler
+}
+
+root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} {
+ file_server * {
+ root /usr/share/caddy/web
+ hide .git Readme.md
+ }
+ file_server /root.crt {
+ root /data/caddy/pki/authorities/local/
+ hide *.key
+ }
+ import errorhandler
+}
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index 1a53113..2870b0b 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -5,14 +5,20 @@ services:
 restart: unless-stopped
 ports:
 - 80:80
+ - 443:443
+ - "443:443/udp"
 volumes:
 - ${VOLUMES_PATH}/proxy/caddy/data:/data
 - ${VOLUMES_PATH}/proxy/caddy/config:/config
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - ./web:/usr/share/caddy/web:ro
 networks:
 - web
 environment:
 - DOMAIN=${DOMAIN}
+ - LOCAL_CA_NAME=${LOCAL_CA_NAME}
+ cap_add:
+ - cap_net_bind_service
 whoami:
diff --git a/proxy/web/default.css b/proxy/web/default.css
new file mode 100644
index 0000000..a4c1d6d
--- /dev/null
+++ b/proxy/web/default.css
@@ -0,0 +1,13 @@
+:root {
+ max-width: 80ch;
+ padding: 3em 1em;
+ margin: auto;
+ font-size: 1.25em;
+ font-family: Arial, Helvetica, sans-serif;
+}
+
+footer {
+ position: absolute;
+ bottom: 0;
+ height: 50px;
+}
diff --git a/proxy/web/index.html b/proxy/web/index.html
new file mode 100644
index 0000000..76a3485
--- /dev/null
+++ b/proxy/web/index.html
@@ -0,0 +1,72 @@
+” + + + + + Containerize Root-CA + + + + + 
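Review bot: The `errorhandler` snippet rewrites every error to `/error.html` under `/usr/share/caddy/web`, but this patch adds only `index.html` and `default.css` there, so unless `error.html` already exists outside the series the error handler itself returns 404 and the `templates` step never renders anything; add the file or keep `respond "{err.status_code} {err.status_text}" {err.status_code}` as the fallback inside `handle_errors`. Every service keeps a second `http://name.{$DOMAIN}` address and `auto_https disable_redirects` switches the HTTP-to-HTTPS redirect off, so the paperless, transmission and Home Assistant logins remain reachable in plaintext after this change; once clients trust the CA, only `root-ca.{$DOMAIN}` needs the `http://` bootstrap address, and `PAPERLESS_URL=http://paperless.${DOMAIN}` from the previous commit should move to `https://` at the same time, otherwise Django's CSRF origin check will presumably reject form posts made over TLS. Serving the CA from `root-ca.{$DOMAIN}` over plaintext is unavoidable for bootstrap, so publish the certificate's SHA-256 fingerprint through a second channel (README, the Caddy log) for users to compare before they add it to a trust store. The `(localtls)` snippet is never imported and duplicates the global `local_certs`, and while `hide *.key` on the PKI directory is sensible belt-and-braces, I would still `curl` `/root.crt` once to confirm it is answered by the `/root.crt` `file_server` rather than the catch-all `*` one.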
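Review bot: `cap_add: cap_net_bind_service` only has an effect on a non-root process, and the official caddy image runs as root unless a `user:` is set, which nothing in this hunk does; as written the capability is either a no-op or half of a hardening step. If the goal is to drop root, pair it with `user: "1000:1000"` (matching the owner of the `/data` and `/config` host directories) and `cap_drop: [ALL]`; if not, remove it so the file does not advertise a privilege boundary that is not there. The `/data` volume now holds the local CA's private key under `pki/authorities/local/`, so `${VOLUMES_PATH}/proxy/caddy/data` should be owner-only on the host and kept out of any backup that leaves it; a `# holds the local CA key, keep permissions tight` comment on that mount is cheap. Quote `- 443:443` the same way as `- "443:443/udp"` for consistency. The service definition these keys belong to starts above the hunk.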

Containerize Root-CA

+ +

+ Caddy dient als lokale Zertifizierungsstelle (CA) um eigene lokale Zertifikate zu signieren. + Details siehe Caddy Doku. +

+ +

+ Führe folgendes aus: +

    +
  1. + Klicken sie hier um das CA-Zertifikat von Caddy herunter + zu laden.
    +
  2. + +
  3. + Installiere das caddy-root-ca.crt in den Windwos Truststore.
    + Öffne die Datei mit Doppelklick und drücke "Zertifikat installieren".
    + Wähle "Aktueller Benutzer" und den Zertifikatspeicher "Vertrauenswürdige Stammzertifizierungsstellen" +
  4. + +
  5. + Installiere das caddy-root-ca.crt manuell in deinen Browser. Chrome benutzt den Zertifikatsspeicher vom + Betriebsystem. +
  6. + +
  7. + Um das CA-Certifikat in den Linux-Truststore zu installieren führen Sie folgende Befehle aus: +
    curl -o caddy-root-ca.crt http://example.lan/root.crt
    +sudo mkdir -p /usr/local/share/ca-certificates/extra
    +sudo cp caddy-root-ca.crt /usr/local/share/ca-certificates/extra/
    +sudo update-ca-certificates
    +         
    +         
    + +
  8. +
  9. + Fertig. + Wechsle jetzt zu https + + . +
  10. + +
+

+ + + + + +
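Review bot: The Linux instructions tell the user to run `curl -o caddy-root-ca.crt http://example.lan/root.crt`, a placeholder host that this deployment never serves, while the download link and the `root-ca.{$DOMAIN}` site block use the real name; change the command to that host so the copy-paste works. The page then walks through installing a certificate fetched over plaintext HTTP into the Windows and Linux system trust stores with no verification step, and a root CA trusted that way can sign for any name the client later visits, not just local ones, so add `openssl x509 -in caddy-root-ca.crt -noout -fingerprint -sha256` and tell the reader to compare the output against a fingerprint published somewhere other than this page. The Linux section only covers the system store; Firefox and sandboxed browser packages keep their own stores and may ignore `update-ca-certificates`, so the note that Chrome uses the OS store should say it applies to Chrome only. `Windwos` is a typo, and because the markup is stripped here the actual `href` of the download link could not be checked.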