# Production Caddyfile - uses Let's Encrypt for automatic HTTPS.
# NOTE: the ${VAR} references below are not Caddy's native env-var syntax ({$VAR});
# this file presumably goes through envsubst / compose templating before Caddy
# reads it. Confirm that, because an unexpanded site address would be used literally.
# Reusable forward-auth snippet: `import auth` inside a site block to gate it
# behind Authelia. Each request is first sent to Authelia's forward-auth
# endpoint; per Caddy's forward_auth semantics only a 2xx answer lets the
# request continue to the site's reverse_proxy.
(auth) {
	forward_auth authelia:9091 {
		# Authz endpoint of Authelia's ForwardAuth implementation (the
		# /api/authz/... path is the 4.38+ style; older deployments used
		# /api/verify — confirm against the running Authelia version).
		uri /api/authz/forward-auth

		# Identity headers taken from Authelia's 2xx response and placed on the
		# request that reaches the backend, overwriting any client-supplied
		# header of the same name (Caddy copy_headers semantics). They are only
		# set on routes that import this snippet; other routes to the same
		# backend pass client headers through untouched.
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name

		# Describe the original request to Authelia. Caddy's forward_auth is
		# documented to set the X-Forwarded-* family itself; pinning them here
		# makes the values independent of Caddy version and trusted_proxies.
		# NOTE(review): {remote_host} is the TCP peer address. If a CDN, tunnel
		# or another proxy sits in front of Caddy this is that hop's IP, not the
		# user's — configure trusted_proxies and use {client_ip} in that case,
		# otherwise Authelia's per-IP regulation and logs see the wrong address.
		header_up X-Forwarded-For {remote_host}
		header_up X-Forwarded-Host {host}
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Uri {uri}
	}
}
# Authelia portal - deliberately NOT behind the (auth) snippet: the login page
# itself must be reachable unauthenticated, and Authelia applies its own
# access rules for this host.
${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN} {
	reverse_proxy authelia:9091 {
		# Client-address headers, both derived from the TCP peer address so a
		# client cannot inject its own X-Forwarded-For chain.
		# NOTE(review): if another proxy sits in front of Caddy, {remote_host}
		# is that proxy's IP — switch to trusted_proxies + {client_ip}.
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-For {remote_host}

		# Original scheme and public hostname, so Authelia can build correct
		# absolute URLs for redirects.
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Host {host}

		# The Host header is rewritten to the upstream address (authelia:9091)
		# rather than Caddy's default of passing the public Host through.
		# NOTE(review): Authelia therefore sees the public hostname only via
		# X-Forwarded-Host; confirm that matches what the Authelia config
		# expects, since the official Caddy example leaves Host untouched.
		header_up Host {upstream_hostport}

		# Longer read/write timeouts for slow clients.
		transport http {
			read_timeout 60s
			write_timeout 60s
		}
	}
}
# Gitea - authenticates users itself via OIDC, so no forward_auth here.
# Plain proxy: no header_up overrides, so Caddy's defaults apply (Host passed
# through, X-Forwarded-For/Proto added by the proxy).
# NOTE(review): nothing here strips client-supplied Remote-* headers; that is
# harmless only if Gitea does not trust reverse-proxy auth headers — confirm
# ENABLE_REVERSE_PROXY_AUTHENTICATION is off in Gitea's config.
${GITEA_SUBDOMAIN}.${BASE_DOMAIN} {
	reverse_proxy {
		to gitea:3000
	}
}
# JSPWiki - every request must be approved by Authelia before it is proxied.
# The (auth) snippet also places the Remote-* identity headers on the request;
# whether JSPWiki consumes them is not configured here.
${WIKI_SUBDOMAIN}.${BASE_DOMAIN} {
	import auth
	reverse_proxy {
		to jspwiki:8080
	}
}
# lldap web UI - two gates: Authelia must approve the request (via the (auth)
# snippet) and lldap then still asks for its own admin password.
# NOTE(review): this file does not restrict the host to an admin group; if
# only admins should reach the lldap UI at all, that rule belongs in
# Authelia's access_control for this host — confirm it exists.
${LLDAP_SUBDOMAIN}.${BASE_DOMAIN} {
	import auth
	reverse_proxy {
		to lldap:17170
	}
}
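# Registration service - public sign-up form, plus an admin dashboard under
# /admin that is gated by Authelia. Both routes proxy to the same backend.
${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN} {
	# /admin and everything below it. Caddy's path matcher is documented to
	# compare case-insensitively against the cleaned path, so variants such as
	# /Admin or /admin/../admin should still land here rather than on the public
	# route (confirm for the Caddy version in use); do not rely on the matcher
	# alone for authorization — see the public handle below.
	@admin path /admin /admin/*

	# Authenticated route: Authelia must approve the request before it is
	# proxied, and the Remote-* identity headers from its response replace any
	# the client sent. Admin-group enforcement is NOT expressed in this file —
	# it has to live in Authelia's access_control rules for this host/path
	# (not visible here), and the backend should still check Remote-Groups.
	handle @admin {
		import auth
		reverse_proxy registration:5000
	}

	# Public route: no Authelia round-trip, so nothing upstream sets the
	# Remote-* headers here. Strip any client-supplied copies before proxying
	# so the backend can never be handed a forged identity on the open path
	# (defense in depth; request_header runs before reverse_proxy in Caddy's
	# directive order, so the deletions apply to the proxied request).
	handle {
		request_header -Remote-User
		request_header -Remote-Groups
		request_header -Remote-Email
		request_header -Remote-Name
		reverse_proxy registration:5000
	}
}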