

Merge pull request #12 from internetarchive/restrictions
new env var options to restrict a cluster; cleaner/simpler `if` vs. `range` usage
traceypooh authored Nov 5, 2024
2 parents 1e89321 + 5941484 commit 80a3f77
Showing 2 changed files with 59 additions and 19 deletions.
3 changes: 3 additions & 0 deletions Dockerfile
Expand Up @@ -10,6 +10,9 @@ ENV TRUSTED_PROXIES "private_ranges"
ENV FIRST ""
ENV REVERSE_PROXY ""
ENV ON_DEMAND_TLS_ASK ""
ENV HTTP_DISABLED ""
ENV ALLOWED_REMOTE_IPS ""
ENV SELF_MANAGED_CERTS ""
ENV HOST_UNAME Linux

# replaced at runtime:
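Review bot: The three new switches (`HTTP_DISABLED`, `ALLOWED_REMOTE_IPS`, `SELF_MANAGED_CERTS`, which appear to be the added lines of this hunk) carry no comment saying what value the Caddyfile template expects, and the empty default means the cluster stays unrestricted until an operator sets them. From the template in the second file: `HTTP_DISABLED` is only honoured when it is exactly the string `true`, `ALLOWED_REMOTE_IPS` is spliced verbatim into a `remote_ip` matcher so it must be a space-separated list of IPs/CIDRs in Caddy matcher syntax, and `SELF_MANAGED_CERTS` is only tested for non-emptiness. A short comment above the group, e.g. `# optional restrictions (empty = off): HTTP_DISABLED="true"; ALLOWED_REMOTE_IPS="<ip-or-cidr> ..."; SELF_MANAGED_CERTS non-empty => serve /pv/CERTS/<domain>.crt/.key`, would make that contract visible where the variables are declared.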
75 changes: 56 additions & 19 deletions etc/Caddyfile.ctmpl
@@ -1,5 +1,5 @@
{
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
on_demand_tls {
ask {{ env "ON_DEMAND_TLS_ASK" }}
interval 1m
Expand All @@ -19,41 +19,50 @@ http:// {


# start off with nice, easy way(s) to get to nomad

{{ range env "NOMAD_ADDR_EXTRA" | split "," }}
{{- $NAMES_INTO_NOMAD := env "FQDN" }}
{{- $extra := env "NOMAD_ADDR_EXTRA" }}
{{- if ne $extra "" }}
{{ $NAMES_INTO_NOMAD = (print $NAMES_INTO_NOMAD "," $extra) }}
{{- end }}
{{- range $NAMES_INTO_NOMAD | split "," }}
https://{{- . }} {
reverse_proxy localhost:4646
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
tls {
on_demand
}
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}
log
}
{{ end }}


{{ env "FQDN" }} {
reverse_proxy localhost:4646
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
reverse_proxy localhost:4646
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := . }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
{{ end }}


# REVERSE_PROXY section start
{{ range env "REVERSE_PROXY" | split "," -}}
{{- $hosty := . | regexReplaceAll ":[0-9][0-9]+.*$" "" -}}
{{- $port := . | regexReplaceAll "^.*:([0-9][0-9]+).*$" "$1" -}}
{{- if . | regexMatch "^https://" -}}
{{ $hosty }} {
reverse_proxy localhost:{{ $port }}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $hosty }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
Expand All @@ -64,19 +73,28 @@ https://{{- . }} {
{{ else }}
https://{{ $hosty }} {
reverse_proxy localhost:{{ $port }}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $hosty }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}
http://{{ $hosty }} {
{{ if eq (env "HTTP_DISABLED") "true" }}
respond Forbidden 403
{{ else }}
redir https://{host}{uri} permanent
{{ end }}
}
{{ end }}
{{ end }}

# REVERSE_PROXY section end


# NOTE: two styles of possible origins:
Expand Down Expand Up @@ -110,20 +128,38 @@ http://{{ $hosty }} {


{{ $origin }} {
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}

reverse_proxy {{ range $services }} {{ .Address }}:{{ .Port }} {{ end }} {
lb_policy least_conn
trusted_proxies {{ env "TRUSTED_PROXIES" }}
}
{{ range env "ON_DEMAND_TLS_ASK" | split "!" }}
{{ if ne (env "ON_DEMAND_TLS_ASK") "" }}
tls {
on_demand
}
{{ end }}
{{ if ne (env "SELF_MANAGED_CERTS") "" }}
{{ $dom := $origin }}
{{ $dom := $dom | regexReplaceAll "^https*://" "" | regexReplaceAll ":[0-9][0-9]+.*$" "" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*)$" "$1" | regexReplaceAll "^[^.]*[.]([^.]*[.][^.]*[.][^.]*)$" "$1" }}
tls /pv/CERTS/{{ $dom }}.crt /pv/CERTS/{{ $dom }}.key
{{ end }}
log
}

{{- if $origin | regexReplaceAll "^https://" "" | regexMatch ":" }}{{- else }}
http://{{ $origin | regexReplaceAll "^https://" "" }} {
{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}
@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}
respond @blocked Forbidden 403
{{ end }}

{{ if eq (env "HTTP_DISABLED") "true" }}
respond Forbidden 403
{{ else }}
@hsts-on {
not {
header_regexp X-HSTS "off"
Expand All @@ -135,6 +171,7 @@ http://{{ $origin | regexReplaceAll "^https://" "" }} {
lb_policy least_conn
}
log
{{ end }}
}
{{- end -}}
{{- end -}}
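Review bot: The `ALLOWED_REMOTE_IPS` gate (the `@blocked not remote_ip …` / `respond @blocked Forbidden 403` pair) is applied to the nomad site blocks in the second hunk and to both `$origin` blocks in the fourth, but not to the `{{ $hosty }}` and `https://{{ $hosty }}` site blocks of the REVERSE_PROXY section in the third hunk, which only gain the `ON_DEMAND_TLS_ASK` and `SELF_MANAGED_CERTS` branches. If that omission is not deliberate, the same three template lines `{{ if ne (env "ALLOWED_REMOTE_IPS") "" }}` / `@blocked not remote_ip {{ env "ALLOWED_REMOTE_IPS" }}` / `respond @blocked Forbidden 403` (plus the closing `{{ end }}`) belong in those two blocks and, for consistency with the `$origin` http block, in the `http://{{ $hosty }}` block. Independently, `remote_ip` matches the immediate TCP peer, so when this container sits behind a load balancer the allowlist gates the balancer's address rather than the end client; a comment at the first use such as `# remote_ip is the direct peer; behind a proxy use the client_ip matcher (Caddy 2.7+) so trusted_proxies is honoured` would save the next operator that surprise. Also, `eq (env "HTTP_DISABLED") "true"` only honours the exact string `true`, so `1` or `yes` silently leaves plain HTTP enabled — either document the accepted value or test `ne (env "HTTP_DISABLED") ""` like the other switches. Whether the standalone `{{ env "FQDN" }}` block in the second hunk is removed or kept alongside the new `$NAMES_INTO_NOMAD` range cannot be told from the rendered view; if kept, FQDN would be declared as a site twice.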
