Caddyfile
# Global options: ACME/TLS settings, directive ordering, proxy trust and the
# caddy-security app (local user store, login portal, authorization policy).
{
	# ACME account contact address.
	email dead@cxap.space
	# Certificates are issued via the DNS challenge through Cloudflare; the API
	# token is read from the environment. NOTE(review): scope that token to DNS
	# edits on this one zone only, since it can rewrite records for every zone
	# it covers.
	acme_dns cloudflare {$CF_API_TOKEN}

	# Slot the security plugin's handlers into Caddy's directive order.
	order authenticate before respond
	order authorize before basicauth

	servers {
		# Requests arriving from private-range addresses are treated as coming
		# from a trusted proxy, so their forwarded client-IP headers are believed.
		# NOTE(review): any host on those ranges that can reach Caddy directly can
		# therefore choose its own client IP in logs and IP-based rules; list the
		# real proxy addresses instead if they are known.
		trusted_proxies static private_ranges
	}

	security {
		# File-backed user database for the "local" realm.
		# NOTE(review): this is the credential store; keep /data/users.json
		# readable by the Caddy user only and out of images and backups that are
		# shared.
		local identity store localdb {
			realm local
			path /data/users.json
		}

		authentication portal authportal {
			# Token lifetime in seconds; the default 43200 is 12 hours.
			crypto default token lifetime {$AUTH_TOKEN_LIFETIME:43200}
			# Shared secret used both to sign and to verify tokens. There is no
			# default, so the deployment must provide JWT. Whoever holds this value
			# can mint a token carrying any role, so it should be long, random and
			# never committed.
			crypto key sign-verify {$JWT}
			enable identity store localdb

			# The session cookie is scoped to the parent domain, so browsers send
			# it to every host under realy.nothing.help, not only to the portal.
			# Each application on a subdomain thus sees the bearer token.
			cookie domain realy.nothing.help
			cookie lifetime {$AUTH_COOKIE_LIFETIME:43200}
			cookie samesite lax

			ui {
				links {
					"Portainer" "https://port.realy.nothing.help" icon "las la-tachometer-alt"
					"My Identity" "/auth/whoami" icon "las la-id-badge"
					"My Profile" "/auth/profile/" icon "las la-user"
				}
			}

			# Every account that originates from the local store is given
			# authp/admin. NOTE(review): with "require mfa" commented out, each of
			# those admin accounts is protected by a password alone; confirm that
			# both choices are intended.
			transform user {
				match origin local
				action add role authp/admin
				# require mfa
			}
		}

		authorization policy apikey_or_admin {
			# Unauthenticated browsers are sent to the portal at this URL.
			set auth url https://auth.realy.nothing.help
			allow roles authp/admin authp/user
			# Must be the same secret the portal signs with.
			crypto key verify {$JWT}

			# Non-interactive clients may present HTTP basic credentials or an API
			# key; both are checked against the portal's local realm.
			with basic auth portal authportal realm local
			with api key auth portal authportal realm local

			# Explicit ACL: allow authp/user and stop, then deny everything else.
			# NOTE(review): only authp/user is matched here while "allow roles"
			# above also names authp/admin; verify how the plugin combines the two
			# for an account that holds authp/admin only.
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}
# Reusable snippet: a site opts in to the apikey_or_admin policy with
# "import auth_forward". No site block in this listing imports it.
(auth_forward) {
	authorize with apikey_or_admin {
		set auth url https://auth.realy.nothing.help
		# Token claims are passed to the upstream as request headers.
		# NOTE(review): an upstream that trusts these headers must be reachable
		# only through Caddy, otherwise a client that connects to it directly can
		# supply its own identity headers.
		inject headers with claims
	}
}
# Login portal host: every request is handled by the authportal portal.
auth.realy.nothing.help {
	route {
		authenticate with authportal
	}

	# Response hardening for the portal pages. These headers are set on this
	# host only; the wildcard site does not repeat them.
	header {
		# One year of HSTS. includeSubDomains and preload commit every host
		# under this domain to HTTPS, which is slow to undo once preloaded.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		# The login form may not be framed by any page.
		X-Frame-Options "DENY"
		Referrer-Policy "no-referrer"
	}
}
# Catch-all for every other subdomain. It answers "ok" on the exact path "/"
# and applies no authorization: the auth_forward snippet is not imported here.
# NOTE(review): a backend added under this wildcard is public until it gets its
# own authorize step.
*.realy.nothing.help {
	respond / "ok"
}