1.1.0 Release caddy-app

ansible/playbooks/app/site.yaml

@@ -153,6 +153,14 @@
           tags: ["site", "kopia"]
       tags: ["site", "kopia"]
 
+    - name: Set caddy
+      ansible.builtin.include_role:
+        name: "common"
+        tasks_from: "services/set_caddy"
+        apply:
+          tags: ["site", "caddy"]
+      tags: ["site", "caddy"]
+
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

config/node/app/nftables.conf.j2

@@ -5,17 +5,27 @@ define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
 define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
 define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
 define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define HOSTS4_AUTH = {{ hostvars['fw']['network4']['auth']['server'] }}
+define HOSTS6_AUTH = {{ hostvars['fw']['network6']['auth']['server'] }}
 define PORTS_SSH = 22
+define PORTS_HTTP = 80
+define PORTS_HTTP_FORWARD = 2080
+define PORTS_HTTPS = 443
+define PORTS_HTTPS_FORWARD = 2443
 
 table inet nat {
     chain prerouting {
         type nat hook prerouting priority dstnat; policy accept;
+        tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD"
+        tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD"
     }
     chain postrouting {
 
     }
     chain output {
         type nat hook output priority dstnat; policy accept;
+        oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
+        oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
     }
 }
 
@@ -28,6 +38,10 @@ table inet filter {
         meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection"
         ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > APP"
         ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH  accept comment "allow ipv6 ssh connection: CONSOLE > APP"
+        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4 http connection: CONSOLE, AUTH > APP"
+        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv6 http connection: CONSOLE, AUTH > APP"
+        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4 https connection: CONSOLE, AUTH > APP"
+        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv6 https connection: CONSOLE, AUTH > APP"
     }
     chain forward {
         type filter hook forward priority 0; policy drop;

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -0,0 +1,30 @@
+{
+        servers {
+                # Only accept packets from auth main caddy
+                trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+        }
+}
+# Private TLS ACME with DNS-01-challenge
+(private_tls) {
+        tls {
+                issuer acme {
+                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dns rfc2136 {
+                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                key_name acme-key
+                                key_alg hmac-sha256
+                                key "{file./run/secrets/CADDY_ACME_KEY}"
+                        }
+                }
+        }
+}
+
+app.ilnmors.internal {
+        import private_tls
+        metrics
+}
+test.app.ilnmors.internal {
+         import private_tls
+         root * /usr/share/caddy
+         file_server
+}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -54,6 +54,15 @@ test.ilnmors.com {
                 file_server
         }
 }
+test.app.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://test.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
 
 # Internal domain
 auth.ilnmors.internal {

config/services/containers/infra/ca/config/ca.json.j2

@@ -22,7 +22,8 @@
 				"allow": {
 					"dns": [
 						"ilnmors.internal",
-						"*.ilnmors.internal"
+						"*.ilnmors.internal",
+						"*.app.ilnmors.internal"
 					]
 				},
 				"allowWildcardNames": true

docs/services/common/caddy.md

@@ -28,17 +28,23 @@ test.ilnmors.com
     import crowdsec_log
     route {
         crowdsec
-        reverse_proxy https://test.app.ilnmors.internal
+        reverse_proxy https://test.app.ilnmors.internal {
+            header_up Host {http.reverse_proxy.upstream.host}
+        }
     }
 }
 # App server
+{
+    servers {
+        trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+    }
+}
 test.app.ilnmors.internal
 {
      import internal_tls
-     trusted_proxies {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
      route {
         reverse_proxy host.containers.internal:3000 {
-            header_up Host {header.X-Forwarded-Host} {Host}
+            header_up Host {http.request.header.X-Forwarded-Host}
         }
      }
 }