From 0b181c5cf5ac034d86410e8e6ba4e2f33e0de6cc Mon Sep 17 00:00:00 2001
From: Tracey Jaquith
Date: Thu, 9 Jan 2025 01:05:42 -0800
Subject: [PATCH] allow access restrictions 3 different ways. we can now block/limit everything, but still get automatic https certs
---
 Dockerfile | 6 ++---
 etc/Caddyfile.ctmpl | 55 +++++++--------------------------------------
 2 files changed, 11 insertions(+), 50 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 79e896f..a9161cf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,9 +10,9 @@ ENV TRUSTED_PROXIES "private_ranges"
 ENV FIRST ""
 ENV REVERSE_PROXY ""
 ENV ON_DEMAND_TLS_ASK ""
-ENV HTTP_DISABLED ""
-ENV ALLOWED_REMOTE_IPS ""
-ENV SELF_MANAGED_CERTS ""
+ENV ALLOWED_REMOTE_IPS_CONTROL_PLANE ""
+ENV ALLOWED_REMOTE_IPS_SERVICES ""
+ENV ALLOWED_REMOTE_IPS_HTTP "333.333.333.333"
 ENV HOST_UNAME Linux
 
 # replaced at runtime:
diff --git a/etc/Caddyfile.ctmpl b/etc/Caddyfile.ctmpl
index 36c2fdf..c8c9531 100644
--- a/etc/Caddyfile.ctmpl
+++ b/etc/Caddyfile.ctmpl
@@ -26,8 +26,8 @@ http:// {
 {{- end }}
 {{- range $NAMES_INTO_NOMAD | split "," }}
 https://{{- . }} {
-  {{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
-  @blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
+  {{ if ne (env "ALLOWED_REMOTE_IPS_CONTROL_PLANE") "" }}
+  @blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS_CONTROL_PLANE" }}
   respond @blocked Forbidden 403
   {{ end }}
 
@@ -36,11 +36,6 @@ https://{{- . }} {
     tls {
       on_demand
     }
-  {{ end }}
-  {{ if ne (env "SELF_MANAGED_CERTS") "" }}
-    {{ $dom := . }}
-    {{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
-    tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
   {{ end }}
   log
 }
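Review bot: The new default `ENV ALLOWED_REMOTE_IPS_HTTP "333.333.333.333"` is not a valid IPv4 address, yet the template hands it unchanged to `remote_ip`. Caddy's `remote_ip` matcher parses each argument as an IP address or CIDR prefix when the configuration loads, so an unparseable literal is more likely to be rejected with a load error than to act as a "matches nobody" sentinel; an image started with the defaults would then fail to serve until the variable is overridden. If the intent is that every plain-http client is redirected unless an allowlist is supplied, say so in a comment, `# default: redirect all plain-http clients to https; set to an IP/CIDR list to let those peers through over http`, and use a value the matcher accepts (or an empty default with the redirect made unconditional in the template). The other two variables default to empty, which the template treats as "no restriction", so the asymmetry itself deserves a note.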
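Review bot: `@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS_CONTROL_PLANE" }}` matches on the address of the immediate TCP peer, so if requests reach Caddy through a front proxy such as the nginx `proxy_pass` named in the file's `trusted_proxies` NOTE, the allowlist is compared against the proxy's address rather than the client's and either admits or blocks everyone behind it. The same applies to the `ALLOWED_REMOTE_IPS_SERVICES` matcher in the -128 hunk and the `ALLOWED_REMOTE_IPS_HTTP` matcher in the -141 hunk. Where such a proxy is in the path, Caddy's `client_ip` matcher, which resolves the client address through the server-level `trusted_proxies` option, expresses the intended check; if clients always connect directly, a one-line comment above the matcher, `# remote_ip is the direct peer; not valid behind a forwarding proxy`, would record that assumption. The enclosing `https://{{- . }}` site block continues past the hunk.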
@@ -58,11 +53,6 @@ https://{{- . }} {
     tls {
       on_demand
     }
-  {{ end }}
-  {{ if ne (env "SELF_MANAGED_CERTS") "" }}
-    {{ $dom := $hosty }}
-    {{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
-    tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
   {{ end }}
   log
 }
@@ -77,20 +67,8 @@ https://{{ $hosty }} {
     tls {
       on_demand
     }
-  {{ end }}
-  {{ if ne (env "SELF_MANAGED_CERTS") "" }}
-    {{ $dom := $hosty }}
-    {{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
-    tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
   {{ end }}
   log
-}
-http://{{ $hosty }} {
-  {{ if eq (env "HTTP_DISABLED") "true" }}
-    respond Forbidden 403
-  {{ else }}
-    redir https://{host}{uri} permanent
-  {{ end }}
 }
 {{ end }}
 {{ end }}
@@ -102,10 +80,6 @@ http://{{ $hosty }} {
 # https://av.dev.archive.org:5432
 
 # NOTE: `trusted_proxies` is for `X-Forwarded-Host` header from something like nginx `proxy_pass`.
-# NOTE: `@hsts-on` allows for requests coming in over http:// from something like nginx `proxy_pass`
-# to tell us *not* to add HSTS header to tell browser to only use https not http.
-# NOTE: only apply HSTS to http:// variants of hostnames of origins passed in starting with 'https://'
-
 {{ range services -}}
 {{ range $tag, $services := service .Name|byTag -}}
 {{- $service_name := (index $services 0).Name}}
@@ -128,8 +102,8 @@ http://{{ $hosty }} {
 
 
 {{- $origin }} {
-  {{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
-  @blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
+  {{ if ne (env "ALLOWED_REMOTE_IPS_SERVICES") "" }}
+  @blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS_SERVICES" }}
   respond @blocked Forbidden 403
   {{ end }}
 
@@ -141,34 +115,21 @@ http://{{ $hosty }} {
     tls {
       on_demand
     }
-  {{ end }}
-  {{ if ne (env "SELF_MANAGED_CERTS") "" }}
-    {{ $dom := $origin }}
-    {{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
-    tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
   {{ end }}
   log
 }
 
 
 {{- if $origin | regexReplaceAll "^https://" "" | regexMatch ":" }}{{- else }}
 http://{{ $origin | regexReplaceAll "^https://" "" }} {
-  {{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
-  @blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
-  respond @blocked Forbidden 403
+  {{ if ne (env "ALLOWED_REMOTE_IPS_HTTP") "" }}
+  @redir not remote_ip {{ env "ALLOWED_REMOTE_IPS_HTTP" }}
+  redir @redir https://{host}{uri} permanent
   {{ end }}
 
-  {{ if eq (env "HTTP_DISABLED") "true" }}
-    respond Forbidden 403
-  {{ else }}
-    @hsts-on {
-      not {
-        header_regexp X-HSTS "off"
-      }
-    }
-    header @hsts-on Strict-Transport-Security max-age=15724800
   reverse_proxy {{ range $services }} {{ .Address }}:{{ .Port }} {{ end }} {
     lb_policy least_conn
+    trusted_proxies {{ env "TRUSTED_PROXIES" }}
   }
   log
   {{ end }}
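Review bot: With `{{ if eq (env "HTTP_DISABLED") "true" }}` and `{{ else }}` removed, the trailing `{{ end }}` after `log` appears to have lost its opener: in the old text it closed that if/else, and the openers that remain in this hunk, `{{ if ne (env "ALLOWED_REMOTE_IPS_HTTP") "" }}` and the inline `{{ range $services }}`, already carry their own ends. If the outer `{{- if $origin ... }}{{- else }}` is still closed by an `{{ end }}` after the site's closing brace, which lies past the end of the hunk, the template now has one `{{ end }}` too many and consul-template will reject it at parse time, so render the template once before this is deployed. The removed `header @hsts-on Strict-Transport-Security ...` was the only HSTS header visible here; browsers only honour HSTS received over https, so nothing is lost on this plain-http site, but if the https:// site outside the hunk does not set it either, HSTS is now gone entirely and a comment recording that decision would help the next reader.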