diff --git a/.env b/.env
index fb39cb9..a0cd82a 100644
--- a/.env
+++ b/.env
@@ -1,7 +1,6 @@ # Cloudflare (создайте Scoped API Token c правами Zone:Read + DNS:Edit # для зоны nothing.help — не используйте глобальный API‑ключ!) CF_API_TOKEN=jRq98TKXi2rYYtG42x9w1M8EOElt5V5BOkA4TBoY
+CADDY_INGRESS_NETWORKS=proxy
+JWT=pzq7ywjyp663i5444nugdi5hgpzjd5rr
-# Пользователи для авторизации описываются в файле users.json
-# рядом с docker-compose.yml. Хэши паролей можно получить
-# командой `caddy hash-password --plaintext "пароль"`.
diff --git a/Caddyfile b/Caddyfile
index ad8cc65..21c5565 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -3,7 +3,7 @@ acme_dns cloudflare {$CF_API_TOKEN} order authenticate before respond
- order authorize before reverse_proxy
+ order authorize before basicauth
servers { trusted_proxies static private_ranges
@@ -17,6 +17,7 @@ authentication portal authportal { crypto default token lifetime {$AUTH_TOKEN_LIFETIME:43200}
+ crypto key sign-verify {$JWT}
enable identity store localdb cookie domain realy.nothing.help
@@ -25,30 +26,34 @@ ui { links {
- "Portainer" "https://port.realy.nothing.help" icon "las la-tachometer-alt"
- "WhoAmI" "/whoami" icon "las la-user"
+ "Portainer" "https://port.realy.nothing.help" icon "las la-tachometer-alt"
+ "My Identity" "/auth/whoami" icon "las la-id-badge"
+ "My Profile" "/auth/profile/" icon "las la-user"
} } transform user { match origin local
- action add role admin
+ action add role authp/admin # require mfa
} } authorization policy apikey_or_admin { set auth url https://auth.realy.nothing.help
- allow roles admin
+ allow roles authp/admin authp/user
+ crypto key verify {$JWT}
+
+ with basic auth portal authportal realm local
with api key auth portal authportal realm local acl rule {
- comment "Accept"
- match role admin
- allow stop log info
+ comment allow users
+ match role authp/user
+ allow stop log info
} acl rule {
- comment "Deny"
+ comment default deny
match any deny log warn }
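Review bot: The hunk commits a second live secret in plaintext — `+JWT=pzq7ywjyp663i5444nugdi5hgpzjd5rr` joins the already-tracked `CF_API_TOKEN` value — and both now sit in git history, so they should be rotated and `.env` taken out of version control (add `.env` to `.gitignore` and commit a `.env.example` with empty values instead). The JWT value is the shared secret the Caddyfile passes to both `crypto key sign-verify` and `crypto key verify`, so anyone who can read this file or the repo history can mint a token for any role, including authp/admin. The three removed comment lines were the only documentation of where users are stored and how passwords are hashed; keep a replacement such as `# Users live in users.json next to docker-compose.yml; hash passwords with: caddy hash-password --plaintext "<password>"`. Document the new variable as well, e.g. `# JWT: shared secret for auth-portal token signing and policy verification (crypto key sign-verify / verify in the Caddyfile); generate randomly, never reuse across environments`.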
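Review bot: `crypto key sign-verify {$JWT}` makes token integrity depend entirely on the `JWT` environment variable, and a Caddy `{$VAR}` placeholder expands to an empty string when the variable is unset, so the failure mode of a missing or empty value matters — confirm that caddy-security refuses to load with an empty shared key, and if it does not, check the variable in the deploy step before starting Caddy. Because the same value is reused with `crypto key verify` in the authorization policy, this is a single symmetric secret; that is acceptable while portal and policy run in the same Caddy process, but if verification ever moves to another service an asymmetric key pair (verifiers holding only the public key) is the safer shape. The `authentication portal authportal { ... }` block begins outside the hunk, so I cannot see its cookie settings; a comment above the new line would help the next maintainer, e.g. `# shared secret; must match crypto key verify in policy apikey_or_admin — rotate both together`.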
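Review bot: The new ACL admits every `authp/user`, so the policy name `apikey_or_admin` no longer describes what it enforces, and the explicit `acl rule` only matches `authp/user` while admins are admitted by the shorthand `allow roles authp/admin authp/user` — if someone later drops the shorthand in favour of the rules, admins are silently denied by the default-deny rule. Make the rule self-contained and the intent explicit: `match roles authp/admin authp/user` in the allow rule (keeping `allow stop log info`), and either rename the policy or document the widened scope with `# any local user or admin, via cookie, basic auth or api key`. `action add role authp/admin # require mfa` reads like a TODO: the comment is inert and every locally-originating user still gets admin, so either add the MFA requirement the comment implies or remove the comment. `with basic auth portal authportal realm local` opens a new credential path against the local password store on every request; the hunk shows no lockout or rate limiting for it, so confirm the portal's protections apply to basic-auth attempts as well.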
diff --git a/docker-compose.yml b/docker-compose.yml
index b0a06fd..6d72261 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,9 +9,10 @@ services: - "80:80" - "443:443" - "443:443/udp"
- environment:
- - CADDY_INGRESS_NETWORKS=proxy
- - CF_API_TOKEN=${CF_API_TOKEN}
+ env_file:
+ - .env
+ #environment:
+ #- CF_API_TOKEN=${CF_API_TOKEN}
volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - caddy_data:/data
diff --git a/users.json b/users.json
index 800c99b..f856ae4 100644
--- a/users.json
+++ b/users.json
@@ -1,5 +1,5 @@ {
- "version": "1.1.2",
+ "version": "1.1.7",
"policy": { "password": { "keep_versions": 10,
@@ -19,8 +19,8 @@ "allow_uppercase": false } },
- "revision": 2,
- "last_modified": "2021-10-25T13:04:58.482997492-04:00",
+ "revision": 7,
+ "last_modified": "2025-08-28T19:12:55.534658844Z",
"users": [ { "id": "39555452-454e-4c85-829b-8195a8dd8c81",
@@ -46,12 +46,29 @@ "disabled_at": "0001-01-01T00:00:00Z" } ],
+ "api_keys": [
+ {
+ "id": "yvLkKTyFMu6n1q3YAG0np5W5hcCIFWoyfQPciHkh",
+ "prefix": "NuRZm4NXKfmDTyVo7XWbwZeM",
+ "usage": "api",
+ "comment": "test",
+ "payload": "$2a$10$DZVydqhmY8Df4HHYRUQpJOmT2hTd.A3nAGIcI/tp19RbnO6vyUf62",
+ "expired_at": "0001-01-01T00:00:00Z",
+ "created_at": "2025-08-28T19:12:55.534650459Z",
+ "disabled_at": "0001-01-01T00:00:00Z"
+ }
+ ],
"created": "2021-10-25T17:04:58.42512588Z",
- "last_modified": "2021-10-25T17:04:58.42512594Z",
+ "last_modified": "2025-08-28T19:12:55.534654817Z",
+ "revision": 5,
"roles": [ { "name": "admin", "organization": "authp"
+ },
+ {
+ "name": "user",
+ "organization": "authp"
} ] }
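Review bot: Switching to `env_file: - .env` injects every variable in `.env` into the container environment, where it is readable by any process in the container and by `docker inspect` on the host; the removed `environment:` list passed only the two variables Caddy needed. Keep `env_file` only if `.env` will never hold more than `CF_API_TOKEN`, `JWT` and `CADDY_INGRESS_NETWORKS`, or go back to an explicit list (`- CF_API_TOKEN=${CF_API_TOKEN}`, `- JWT=${JWT}`, `- CADDY_INGRESS_NETWORKS=proxy`) so later additions to `.env` do not silently widen what the container sees; Compose `secrets:` would be the better home for the Cloudflare token. Drop the two commented-out lines (`#environment:` / `#- CF_API_TOKEN=${CF_API_TOKEN}`) rather than leaving dead config. The same service still bind-mounts `/var/run/docker.sock`, and a `:ro` mount of a socket does not restrict Docker API calls through it, so a compromise of this container already yields host control — unchanged here, but worth revisiting together with how these secrets are delivered.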
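Review bot: The added `api_keys` entry has `"expired_at": "0001-01-01T00:00:00Z"` (never expires) and `"comment": "test"`, so a key created for testing becomes a permanent credential for this user, and committing the record also publishes its `id` and `prefix` (only the bcrypt `payload` stays secret). Give it an expiry or set `disabled_at` once testing is done, and replace the comment with the key's actual purpose, e.g. `"comment": "portainer-api-access"`. Both `revision` counters and every `last_modified` stamp were rewritten by the identity store itself, which suggests `users.json` is live state mutated at runtime; tracking it in git means the repo and the running store will diverge and every future password or key change lands in history, so consider keeping the live file out of version control and committing a template. The roles block now grants this user both `authp/admin` and `authp/user`, matching what the new Caddyfile ACL expects, but the enclosing user object starts outside the hunk so I cannot confirm which account this is.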