diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4c49bd7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.env diff --git a/Dockerfile b/Dockerfile index c462547..3d69579 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,18 +1,23 @@ -FROM caddy/caddy:2.9.1-builder-alpine AS builder +# Adapted from: https://github.com/crowdsecurity/example-docker-compose/blob/main/caddy/Caddyfile +# +# the different stages of this Dockerfile are meant to be built into separate images +# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage +# https://docs.docker.com/compose/compose-file/#target + +# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact +ARG CADDY_VERSION=2 + +FROM caddy:${CADDY_VERSION}-builder-alpine AS builder RUN xcaddy build \ - --with github.com/caddy-dns/cloudflare + --with github.com/caddy-dns/cloudflare \ + --with github.com/mholt/caddy-l4 \ + --with github.com/caddyserver/transform-encoder \ + --with github.com/hslatman/caddy-crowdsec-bouncer/http@main \ + --with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main -# ================================================== -# Run image -# ================================================== +FROM caddy:${CADDY_VERSION} AS caddy -#FROM ghcr.io/authcrunch/authcrunch:latest -FROM caddy/caddy:2.9.1-alpine +WORKDIR / COPY --from=builder /usr/bin/caddy /usr/bin/caddy -COPY ./config /etc/caddy - -RUN /usr/bin/caddy fmt --overwrite /etc/caddy/Caddyfile - -CMD ["/usr/bin/caddy", "run", "--config", "/etc/caddy/Caddyfile"] diff --git a/compose.yaml b/compose.yaml index 3b8ed65..825d870 100644 --- a/compose.yaml +++ b/compose.yaml @@ -2,6 +2,7 @@ services: caddy: build: context: . + target: caddy container_name: caddy restart: unless-stopped env_file: @@ -10,6 +11,7 @@ services: - CLOUDFLARE_EMAIL=${CF_EMAIL} - CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN} - ACME_AGREE=true + - CROWDSEC_API_KEY=${CROWDSEC_API_KEY} ports: - 80:80 - 443:443 @@ -20,6 +22,24 @@ services: - ./config:/etc/caddy - caddy_data:/data - caddy_config:/config + - caddy_logs:/var/log/caddy + networks: + - proxy + security_opt: + - no-new-privileges:true + + crowdsec: + image: docker.io/crowdsecurity/crowdsec:latest + container_name: crowdsec + restart: unless-stopped + environment: + - GID=1000 + - COLLECTIONS="crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelisth-good-actors" + - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY} + volumes: + - crowdsec_db:/var/lib/crowdsec/data/ + - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml + - caddy_logs:/var/log/caddy:ro networks: - proxy security_opt: @@ -28,6 +48,8 @@ services: volumes: caddy_data: {} caddy_config: {} + caddy_logs: {} + crowdsec_db: {} networks: proxy: diff --git a/config/Caddyfile b/config/Caddyfile index 5a7c77e..2e81c4d 100644 --- a/config/Caddyfile +++ b/config/Caddyfile @@ -1,5 +1,15 @@ { email {env.ACME_EMAIL} + servers { + client_ip_headers X-Forwarded-For + trusted_proxies static private_ranges + trusted_proxies_strict + } + order crowdsec before respond + crowdsec { + api_url http://crowdsec:8080 + api_key {$CROWDSEC_API_KEY} + } } # Subdomains @@ -9,39 +19,51 @@ resolvers 1.1.1.1 } + log { + level INFO + output file /var/log/caddy/access.log + } + @pos host po.housh.dev handle @pos { reverse_proxy http://roguemini.housh.dev:8082 + crowdsec } @legacypos host legacy-po.housh.dev handle @legacypos { reverse_proxy http://roguemini.housh.dev:5000 + crowdsec } @gitea host git.housh.dev handle @gitea { reverse_proxy gitea:3000 + crowdsec } @dash host dash.housh.dev handle @dash { reverse_proxy http://roguemini.housh.dev:7575 + crowdsec } @komodo host komo.housh.dev handle @komodo { reverse_proxy komodo:9120 + crowdsec } @excalidraw host draw.housh.dev handle @excalidraw { reverse_proxy excalidraw:80 + crowdsec } @uptimekuma host uptime.housh.dev handle @uptimekuma { reverse_proxy uptime_kuma:3001 + crowdsec } @immich host photos.housh.dev @@ -51,41 +73,49 @@ @public path /share /share/* handle @public { reverse_proxy http://frankenmini.housh.dev:3000 + crowdsec } handle { reverse_proxy http://frankenmini.housh.dev:2283 + crowdsec } } @snapp host s.housh.dev handle @snapp { reverse_proxy http://roguemini.housh.dev:3000 + crowdsec } @docs host docs.housh.dev handle @docs { reverse_proxy docs:80 + crowdsec } @pocket_id host id.housh.dev handle @pocket_id { reverse_proxy pocket-id:1411 + crowdsec } @plausible host plausible.housh.dev handle @plausible { reverse_proxy http://roguemini.housh.dev:8004 + crowdsec } @vaultwarden host vaultwarden.housh.dev handle @vaultwarden { reverse_proxy http://roguemini.housh.dev:8888 + crowdsec } @calendar host calendar.housh.dev handle @calendar { - reverse_proxy http://frankenmini.housh.dev:5232 + reverse_proxy http://frankenmini.housh.dev:5232 + crowdsec } @@ -98,19 +128,16 @@ console.mightymini.housh.dev { resolvers 1.1.1.1 } + log { + level INFO + output file /var/log/caddy/access.log + } + reverse_proxy https://192.168.50.6:9090 { transport http { tls_insecure_skip_verify } + crowdsec } } -# Duplicati (backup service). -duplicati.mightymini.housh.dev { - tls { - dns cloudflare {env.CF_AUTH_TOKEN} - resolvers 1.1.1.1 - } - - reverse_proxy http://duplicati:8200 -} diff --git a/crowdsec/acquis.yaml b/crowdsec/acquis.yaml new file mode 100644 index 0000000..91c9d1d --- /dev/null +++ b/crowdsec/acquis.yaml @@ -0,0 +1,4 @@ +filenames: + - /var/log/caddy/*.log +labels: + type: caddy diff --git a/example.env b/example.env index a34b75b..7adbd9d 100644 --- a/example.env +++ b/example.env @@ -1,3 +1,4 @@ ACME_EMAIL="acme@example.com" CF_AUTH_TOKEN="secret-token" CF_EMAIL="cloudflare@example.com" +CROWDSEC_API_KEY="CHANGEME"