How to configure DoH with CoreDNS? - dns

https://coredns.io/community/
I can see the following configuration on the official website, but this does not provide an HTTPS service; it is forwarding.
I can't find how to configure DoH.
And for DNS over HTTP/2 (DoH) use:
https://example.org {
    whoami
}

https://.:443 tls://.:853 {
    tls plugin/tls/test_cert.pem plugin/tls/test_key.pem plugin/tls/test_ca.pem
    cache
    forward . 8.8.8.8:53 {
        prefer_udp
    }
}

Related

caddy: one server, 2 secure reverse proxies

I'd like to set up two secure reverse proxies on the same server with a single Caddyfile. The web server listens on port 8081, and the following successfully accepts outside connections on normal port 443 and directs them internally to 8081.
# this works, accepting requests at https://api.mysite.com
api.mysite.com {
    tls webmaster@mysite.com # lets encrypt
    reverse_proxy localhost:8081
    log
}
Now I want to also be able to connect to a database server that listens on port 7777, but I'd like to keep that port shut to the outside and accept incoming connections at port 9999 (over SSL/TLS). So far my attempts at building a Caddyfile have not just been unsuccessful, they also prevent the initial secure web connection from working.
(Caddy 2.4.3)
api.mysite.com {
    tls webmaster@mysite.com # lets encrypt
    reverse_proxy localhost:8081
    log
}
api.mysite.com:9999 {
    reverse_proxy localhost:7777
    log
}
Nope
api.mysite.com {
    tls webmaster@mysite.com # lets encrypt
    reverse_proxy localhost:8081
    log
}
localhost:9999 {
    reverse_proxy localhost:7777
    log
}
Nope
api.mysite.com {
    tls webmaster@mysite.com # lets encrypt
    reverse_proxy localhost:8081
    localhost:9999 {
        reverse_proxy localhost:7777
    }
    log
}
Still nope
I'm having a very difficult time getting much useful information from the Caddyfile docs. Any ideas? Thanks in advance.

Caddy V2 IP whitelist

I am trying to implement an IP whitelist in my Caddy v2 configuration, something equivalent to this NGINX configuration:
allow 1.1.1.1;
allow 8.8.8.8;
deny all;
My current Caddy configuration is pretty straightforward:
my.website.com {
    reverse_proxy http://127.0.0.1:3000 {
    }
}
Thanks
You can try something like this in Caddy v2:
my.domain.com {
    @teammember {
        remote_ip forwarded 183.77.5.126 113.73.5.126
    }
    handle @teammember {
        reverse_proxy /* localhost:8081
    }
    respond "<h1>You are attempting to access protected resources!</h1>" 403
}
I'm not saying qed's answer is wrong, however I couldn't get it to work in my case (possibly due to using import templates inside a handle?)...
My solution was... Old config:
private.example.com {
    import my_template argument_1 /path/to/example/argument2
}
This changed to:
private.example.com {
    @blocked not remote_ip 1.2.3.4
    respond @blocked "<h1>Access Denied</h1>" 403
    import my_template argument_1 /path/to/example/argument2
}
Simply adding those two lines allows my site to be accessed on that IP. A test curl from a different IP returned the 403 error.
This is done on Caddy 2.4.6
I am not sure it is possible directly in Caddy, but you can add a middleware/plugin to do this.
Here is the link where you can get it: https://github.com/pyed/ipfilter
According to the docs of this middleware, if you want to allow only the 2 IPs you wrote, you should probably do something like this:
my.website.com {
    reverse_proxy http://127.0.0.1:3000
    ipfilter / {
        rule allow
        ip 1.1.1.1 8.8.8.8
        blockpage notauthorized.html
    }
}
I also think that if you want to block every request, not just /, you have to write ipfilter /* instead of ipfilter /.

How can I use Caddy to proxy for another site?

I have a service on foo.bar.com and I need to move it to foo.example.com. To give stragglers a chance to catch up I was hoping to put Caddy on the server dealing with foo.bar.com and have it proxy for foo.example.com. I can't get even a basic example working, like:
Caddyfile
:2015
reverse_proxy https://example.com
This is a correct example. You did not provide any debugging or any information about the error you are getting.
Caddy by default expects https if the web configuration is either not an IP or you explicitly tell it this is an http endpoint.
So it should work for you with curl https://localhost:2016/
Enable debugging and show us any error.
To increase verbosity put this in your Caddyfile:
:2015 {
    log {
        level DEBUG
        output stdout
    }
    reverse_proxy https://example.com
}

Access Control for the Prometheus Pushgateway

We have a Prometheus Pushgateway running and listening for metrics pushed from our AWS Lambda function. However, the URL of the Pushgateway is accessible to the public, which might pose some security issues. We were wondering if there is any way we could add a layer of protection to the Pushgateway so that it is not publicly accessible?
I found this GitHub thread that may answer this question:
https://github.com/prometheus/pushgateway/issues/281
It proposed setting up a reverse proxy in front of the pushgateway. However, I am still confused about how that would actually work. We are currently using Kubernetes to deploy Prometheus.
You can include authentication in your ingress controller by using a TLS secret as an ingress rule.
Here's an example that shows how to generate basic auth for your ingress:
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
Also, don't forget to include the Python handler function in your client to set the auth header as pointed out here:
https://github.com/prometheus/client_python#handlers-for-authentication
A suggestion here would be to make the URL of the Pushgateway internal by using an AWS Internal Load Balancer, create an AWS Private Hosted Zone, attach your VPC to this zone, and after this the next step will be to deploy the Lambda in the same VPC.
This should solve the security issue.
You are right, you need a reverse proxy here. I also faced the same issue, so you need nginx in front of your prometheus/pushgateway.
First, install nginx using this article (you can start from Step 8 — Securing Prometheus if you already configured prometheus):
My nginx config:
events { }
http {
    upstream prometheus {
        server 127.0.0.1:9090;
        keepalive 64;
    }
    upstream pushgateway {
        server 127.0.0.1:9091;
        keepalive 64;
    }
    server {
        root /var/www/example;
        listen 0.0.0.0:80;
        server_name __;
        location / {
            auth_basic "Prometheus server authentication2";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://prometheus;
        }
    }
    server {
        root /var/www/example;
        listen 0.0.0.0:3001;
        server_name __;
        location / {
            auth_basic "Pushgateway server authentication";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://pushgateway;
        }
    }
}
My pushgateway.service file:
[Unit]
Description=Pushgateway
Wants=network-online.target
After=network-online.target
[Service]
User=pushgateway
Group=pushgateway
Type=simple
ExecStart=/usr/local/bin/pushgateway --web.listen-address="127.0.0.1:9091" --web.telemetry-path="/metrics" --persistence.file="/tmp/metric.store" --persistence.interval=5m --log.level="info" --log.format="logger:stdout?json=true"
[Install]
WantedBy=multi-user.target
It is important to set --web.listen-address="127.0.0.1:9091", not ":9091", so it will be exposed only to localhost.
Through nginx the pushgateway will be accessible on port 3001; port 9091 will not be public. Basic authentication will be required to access it or push metrics.
You can find how to test it using Postman here
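Client side of the setup described above: pushing a metric group through the nginx Basic-auth listener on port 3001, using only the standard library. This is an added example, not code from the answers or from prometheus_client; the gateway host, job name and credentials are placeholders.

```python
# Added example, not from the answers above or the prometheus_client library.
# GATEWAY points at the nginx listener from the answer (port 3001), not at the
# pushgateway itself (127.0.0.1:9091), which is bound to localhost only.
import base64
import urllib.request

GATEWAY = "http://pushgateway.example.internal:3001"  # placeholder host

def build_push_request(gateway, job, metrics, username, password, instance=None):
    """Return (url, headers, body) for a Pushgateway push with HTTP Basic auth.

    metrics maps metric name -> (type, value) and is rendered in the
    text exposition format the Pushgateway accepts.
    """
    url = f"{gateway.rstrip('/')}/metrics/job/{job}"
    if instance:
        url += f"/instance/{instance}"
    body = "".join(f"# TYPE {n} {t}\n{n} {v}\n" for n, (t, v) in metrics.items())
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-Type": "text/plain; version=0.0.4",
               "Authorization": f"Basic {token}"}
    return url, headers, body.encode()

def push(gateway, job, metrics, username, password, instance=None):
    """PUT the metric group; nginx answers 401 (HTTPError) if the htpasswd check fails."""
    url, headers, body = build_push_request(gateway, job, metrics,
                                            username, password, instance)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status  # Pushgateway replies 200 on success

if __name__ == "__main__":
    print(push(GATEWAY, "lambda_job", {"job_duration_seconds": ("gauge", 1.5)},
               "lambda", "PLACEHOLDER_PASSWORD"))
```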

Change both http and https port on caddy

I'm having trouble setting a custom http and https port on Caddy in my Caddyfile and could not find an answer using Google and Stack Overflow.
I can set a custom http port like this:
http://example.com:2015
but I can't set a custom https port
http://example.com:2015
https://example.com:2016
as Caddy only reads the first line as valid.
Starting the file with https://example.com:2016 will try to bind http to port 80, which is already taken.
I simply want to bind http to port 2015 and https to port 2016.
Here is my current Caddyfile:
http://example.com:2015
https://example.com:2016
gzip
log access.log
basicauth / username password
filemanager / /path {
    database dbname.db
    no_auth
}
thank you for your time :)
If you are using multiple hosts:
http://example.com:2015 {
    tls off
    gzip
    log access.log
    basicauth / username password
    filemanager / /path {
        database dbname.db
        no_auth
    }
}
https://example.com:2016 {
    tls self_signed
    gzip
    log access.log
    basicauth / username password
    filemanager / /path {
        database dbname.db
        no_auth
    }
}
If you wish for Caddy's automagic HTTPS you will need to use 443, but if you want to supply your own cert or self_signed (or use the DNS challenge) then you should be ok.
Also well worth checking out https://caddy.community/