# ---Apps Caddyfile---
# Akkoma
# Main instance origin. Requests for /media/* and /proxy/* are not answered
# here; they are redirected to media.social.projectsegfau.lt, so uploaded and
# proxied media load from a different origin than the web UI.
social.projectsegfau.lt {
	# Shared `def` snippet; its definition is outside this listing.
	import def
	encode gzip

	# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
	# and `localhost.` resolves to [::0] on some systems: see issue #930
	reverse_proxy 192.168.1.64:4011

	# `permanent` sends a 301; {uri} carries the original path and query over.
	handle /media/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
	handle /proxy/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
}
# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
#
# Dedicated origin for /media and /proxy: anything a browser renders from
# here runs under media.social.projectsegfau.lt, not under the instance
# origin. Only these two path prefixes have a handler in this block.
# NOTE(review): this block neither imports `def` nor sets response headers of
# its own. Confirm the backend sends X-Content-Type-Options and a restrictive
# Content-Security-Policy (for example `sandbox`) on media responses.
media.social.projectsegfau.lt {
	handle /media/* {
		reverse_proxy 192.168.1.64:4011 {
			# Bound how long a slow upstream can hold the connection:
			# 10s to begin sending response headers, 15s per read.
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}

	# Same upstream and the same timeouts for the media proxy path.
	handle /proxy/* {
		reverse_proxy 192.168.1.64:4011 {
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}
}
# Cinny
# Both hostnames are served by the same upstream on port 3069 of this host.
cinny.projectsegfau.lt cy.psf.lt {
	reverse_proxy :3069
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# Website
# Apex domain: the website itself plus Matrix, XMPP web client and
# .well-known delegation paths that have to live on the apex.
projectsegfau.lt {
	# Default upstream for everything no other directive matches.
	reverse_proxy :1337
	import def

	# Matrix paths. The Host header is rewritten so the upstream sees the
	# name it is configured for.
	reverse_proxy /_matrix/* 192.168.1.64:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	# NOTE(review): /_synapse/* also covers /_synapse/admin. The admin API
	# requires an admin token, but it is commonly kept off public listeners
	# or limited by source address; /_synapse/client/* is the narrower
	# match if only the client pages are needed.
	reverse_proxy /_synapse/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}

	# NOTE(review): `handle_path /.well-known/*` below is evaluated before
	# reverse_proxy in Caddy's default directive order, so this route may
	# never be reached; verify that challenges arrive on :5380.
	reverse_proxy /.well-known/acme-challenge/* 192.168.1.64:5380

	# Web client, BOSH and WebSocket endpoints on 192.168.1.64:5280, the
	# same upstream the XMPP site block uses.
	reverse_proxy /converse 192.168.1.64:5280
	reverse_proxy /converseemojis.js 192.168.1.64:5280
	reverse_proxy /converse/* 192.168.1.64:5280
	reverse_proxy /bosh 192.168.1.64:5280
	reverse_proxy /ws 192.168.1.64:5280

	# Delegation documents are public and fetched cross-origin by clients,
	# hence the wildcard CORS header on these paths only.
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	# handle_path strips the /.well-known prefix before the file lookup, so
	# files are read directly from /var/www/well-known.
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *

	# `torloc` snippet with argument `www`; defined outside this listing.
	import torloc www
}
# Short domain for the website; same upstream as projectsegfau.lt.
psf.lt {
	reverse_proxy :1337
	# `def`, `torloc` and `acmedns` are snippets defined outside this listing.
	import def
	import torloc www
	import acmedns

	# Matrix delegation documents are public and fetched cross-origin,
	# hence the wildcard CORS header on this path only.
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	# handle_path strips the /.well-known prefix before the file lookup.
	# This domain has its own directory, separate from /var/www/well-known.
	handle_path /.well-known/* {
		root * /var/www/psf-well-known
		file_server
	}
}
# Plain reverse proxy to 192.168.1.64:3333 with the shared `def` snippet
# (defined outside this listing).
ssync.projectsegfau.lt {
	reverse_proxy 192.168.1.64:3333
	import def
}
# www hostnames redirect to the apex domain, keeping path and query.
# No status is given, so Caddy's default temporary redirect is used.
www.projectsegfau.lt www.psf.lt {
	redir https://projectsegfau.lt{uri}
	# `torloc` snippet with argument `www`; defined outside this listing.
	import torloc www
}
# Matrix homeserver hostname. Only the path prefixes below are proxied; a
# request for exactly "/" is redirected to the wiki page.
matrix.projectsegfau.lt {
	reverse_proxy /_matrix/* 192.168.1.64:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	# NOTE(review): /_synapse/* also covers /_synapse/admin. The admin API
	# requires an admin token, but it is commonly kept off public listeners
	# or limited by source address. The commented-out /_synapse/client/*
	# route below is the narrower match if only the client pages are needed.
	reverse_proxy /_synapse/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	# Shared `def` snippet; its definition is outside this listing.
	import def
	#reverse_proxy /_synapse/client/* 192.168.1.64:81 {
	#	header_up Host "matrix.projectsegfau.lt"
	#}
	# Matches the bare root path only.
	handle_path / {
		redir https://wiki.projectsegfau.lt/Matrix
	}
}
# Element
# Both hostnames are served by the same upstream on port 3070 of this host.
chat.projectsegfau.lt el.psf.lt {
	reverse_proxy :3070
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# Gitea
git.projectsegfau.lt {
	reverse_proxy :3444
	# Keep the metrics endpoint off the public site. `respond` is ordered
	# before reverse_proxy, so the request never reaches the upstream.
	respond /metrics 403
	# Shared `def` snippet; its definition is outside this listing.
	import def
	# Cap on request bodies accepted by the proxy.
	request_body {
		max_size 500MB
	}
	header {
		# NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval',
		# so this policy does not stop injected inline script; its effect
		# is mainly restricting where resources load from and who may
		# frame the site. object-src 'self' could likely be 'none'.
		# Tighten if the Gitea UI works with nonces or hashes.
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	# `torloc` snippet with argument `git`; defined outside this listing.
	import torloc git
}
# Short hostname for Gitea. Same upstream as git.projectsegfau.lt, with the
# Host header rewritten to the canonical name before proxying.
git.psf.lt {
	reverse_proxy :3444 {
		header_up Host "git.projectsegfau.lt"
	}
	# Keep the metrics endpoint off the public site. `respond` is ordered
	# before reverse_proxy, so the request never reaches the upstream.
	respond /metrics 403
	# Shared `def` snippet; its definition is outside this listing.
	import def
	# Cap on request bodies accepted by the proxy.
	request_body {
		max_size 500MB
	}
	header {
		# NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval',
		# so this policy does not stop injected inline script; its effect
		# is mainly restricting where resources load from and who may
		# frame the site. object-src 'self' could likely be 'none'.
		# Tighten if the Gitea UI works with nonces or hashes.
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	# `torloc` snippet with argument `git`; defined outside this listing.
	import torloc git
}
# HedgeDoc
doc.projectsegfau.lt {
	reverse_proxy :2069 {
		# Pass the address of the connecting peer to the upstream.
		# {remote_host} is filled in by Caddy, so a client-sent X-Real-IP
		# value is overwritten.
		header_up X-Real-IP {remote_host}
	}
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# Hydrogen
# All three hostnames are served by the upstream on port 3071 of this host.
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
	reverse_proxy :3071
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# Jitsi
# NOTE(review): unlike most site blocks in this file, this one does not
# `import def`; confirm the omission is deliberate.
jitsi.projectsegfau.lt {
	reverse_proxy 192.168.1.64:8000 {
		# Pass the address of the connecting peer to the upstream.
		header_up X-Real-IP {remote_host}
	}
}
# Excalidraw backend for jitsi
# NOTE(review): unlike most site blocks in this file, this one does not
# `import def`; confirm the omission is deliberate.
excalidraw.projectsegfau.lt {
	# Upstream listens on port 8694 of this host.
	reverse_proxy :8694
}
# Maubot
mau.projectsegfau.lt {
	# Upstream listens on port 29316 of this host.
	reverse_proxy :29316
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
	reverse_proxy 10.0.3.39:80 {
		# Pass the address of the connecting peer to the upstream.
		# {remote_host} is filled in by Caddy, so a client-sent X-Real-IP
		# value is overwritten.
		header_up X-Real-IP {remote_host}
	}
	# `def` and `torloc` are snippets defined outside this listing.
	import def
	encode gzip
	import torloc wiki
}
# Vikunja
todo.projectsegfau.lt vi.psf.lt {
	# Upstream listens on port 3456 of this host.
	reverse_proxy :3456
	# `def` and `torloc` are snippets defined outside this listing.
	import def
	import torloc todo
}
# Vaultwarden
# NOTE(review): every path is forwarded to the upstream. If the Vaultwarden
# admin panel is enabled, it is reachable through this site as well; consider
# limiting it by source address at the proxy.
pass.projectsegfau.lt vw.psf.lt {
	reverse_proxy :6980 {
		# Pass the address of the connecting peer to the upstream, which
		# needs it for per-client logging and throttling.
		header_up X-Real-IP {remote_host}
	}
	# `def` and `torloc` are snippets defined outside this listing.
	import def
	# The notifications hub is served by a separate upstream port.
	reverse_proxy /notifications/hub :3012 {
		header_up X-Real-IP {remote_host}
	}
	import torloc pass
}
# XMPP
# HTTP side of the XMPP service and its component hostnames.
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
	reverse_proxy 192.168.1.64:5280 {
		# Pass the address of the connecting peer to the upstream.
		header_up X-Real-IP {remote_host}
	}
	# NOTE(review): `handle_path /.well-known/*` below is evaluated before
	# reverse_proxy in Caddy's default directive order, so this route may
	# never be reached; verify that challenges arrive on :5380.
	reverse_proxy /.well-known/acme-challenge/* 192.168.1.64:5380

	# Account-management paths, with and without a trailing slash (several
	# `path` lines in one matcher are OR'ed). They are redirected under
	# /register, e.g. /new -> /register/new.
	@register {
		path /new/
		path /change_password/
		path /delete/
		path /new
		path /change_password
		path /delete
	}
	redir @register /register{uri}

	# Shared `def` snippet; its definition is outside this listing.
	import def

	# host-meta documents are public and fetched cross-origin by clients,
	# hence the wildcard CORS header on these two paths only.
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *
	# handle_path strips the /.well-known prefix before the file lookup.
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	# Matches the bare root path only.
	handle_path / {
		redir https://wiki.projectsegfau.lt/XMPP
	}
}
# Plain reverse proxy to port 3072 of this host, with the shared `def`
# snippet (defined outside this listing).
xmpp-web.projectsegfau.lt, x.psf.lt {
	import def
	reverse_proxy :3072
}
# Plain reverse proxy to port 8450 of this host. `def` and `torloc` are
# snippets defined outside this listing.
healthchecks.projectsegfau.lt, hc.psf.lt {
	import def
	reverse_proxy :8450
	import torloc healthchecks
}
# Pubthentik
auth.p.projectsegfau.lt {
	reverse_proxy :7444 {
		transport http {
			# NOTE(review): this turns off verification of the upstream's
			# TLS certificate, so Caddy accepts whatever certificate is
			# presented on :7444. The upstream is on this host, which
			# limits the exposure, but for what appears to be the
			# authentication service it is worth trusting the backend's
			# CA instead (`tls_trusted_ca_certs`) or using the backend's
			# plain-HTTP listener on loopback.
			tls_insecure_skip_verify
		}
		# Pass the address of the connecting peer to the upstream.
		header_up X-Real-IP {remote_host}
	}
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
	reverse_proxy 192.168.1.64:8014 {
		# Pass the address of the connecting peer to the upstream.
		header_up X-Real-IP {remote_host}
	}
	# Shared `def` snippet; its definition is outside this listing.
	import def
}
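# Piped: the frontend, proxy and API hostnames all go to one upstream.
piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
	reverse_proxy 192.168.1.64:6970
	header {
		# Deny the listed browser features to these pages
		# (interest-cohort=() is the FLoC opt-out).
		# There must be no `;` after the closing quote: Caddy reads it as a
		# third argument, which turns the line into a search/replace on an
		# existing header instead of setting the header.
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"

		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade

		# Legacy header: current browsers no longer ship the XSS filter it
		# controls, so it adds no protection there. A Content-Security-Policy
		# is the effective control against script injection.
		X-XSS-Protection "1; mode=block"
		# Apply the operations above when the response is written, after the
		# upstream has set its own headers.
		defer
	}
	# Refuse the default User-Agent of Go's HTTP/2 client. The header is
	# chosen by the client, so this filters unconfigured scrapers only and
	# is not an access control.
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
	# `acmedns` snippet; defined outside this listing.
	import acmedns
}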
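# Short hostname for Piped. The Host header is rewritten to the canonical
# name before proxying.
pi.psf.lt {
	reverse_proxy 192.168.1.64:6970 {
		header_up Host "piped.projectsegfau.lt"
	}
	header {
		# Deny the listed browser features to these pages
		# (interest-cohort=() is the FLoC opt-out).
		# There must be no `;` after the closing quote: Caddy reads it as a
		# third argument, which turns the line into a search/replace on an
		# existing header instead of setting the header.
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"

		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade

		# Legacy header: current browsers no longer ship the XSS filter it
		# controls, so it adds no protection there. A Content-Security-Policy
		# is the effective control against script injection.
		X-XSS-Protection "1; mode=block"
		# Apply the operations above when the response is written, after the
		# upstream has set its own headers.
		defer
	}
	# Refuse the default User-Agent of Go's HTTP/2 client. The header is
	# chosen by the client, so this filters unconfigured scrapers only and
	# is not an access control.
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
}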
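# Invidious: all three hostnames go to one upstream.
inv.projectsegfau.lt invidious.projectsegfau.lt i.psf.lt {
	reverse_proxy 192.168.1.64:7573
	header {
		# Deny the listed browser features to these pages
		# (interest-cohort=() is the FLoC opt-out).
		# There must be no `;` after the closing quote: Caddy reads it as a
		# third argument, which turns the line into a search/replace on an
		# existing header instead of setting the header.
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"

		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# NOTE(review): removes the Content-Security-Policy header from
		# responses. Because of `defer`, a policy sent by the upstream is
		# stripped as well, leaving these pages without a CSP. Confirm this
		# is intended; overriding only the directive that causes trouble
		# would keep the rest of the policy.
		-Content-Security-Policy

		# Legacy header: current browsers no longer ship the XSS filter it
		# controls, so it adds no protection there. A Content-Security-Policy
		# is the effective control against script injection.
		X-XSS-Protection "1; mode=block"
		# Apply the operations above when the response is written, after the
		# upstream has set its own headers.
		defer
	}
	# Refuse the default User-Agent of Go's HTTP/2 client. The header is
	# chosen by the client, so this filters unconfigured scrapers only and
	# is not an access control.
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
	# `torloc` and `acmedns` are snippets defined outside this listing.
	import torloc inv
	import acmedns
}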
# Plain reverse proxy to port 1025 of this host. `def` and `torloc` are
# snippets defined outside this listing.
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
	reverse_proxy :1025
	import def
	import torloc gothub.dev
}
# Short-domain aliases. Each one redirects to the full hostname and keeps
# the path and query; the target host is fixed, so the redirect cannot be
# steered to another site by the request.
ak.psf.lt {
	redir https://social.projectsegfau.lt{uri}
}
j.psf.lt {
	redir https://jitsi.projectsegfau.lt{uri}
}
d.psf.lt {
	redir https://doc.projectsegfau.lt{uri}
}