opnxng-deploy-playbook/templates/conf/Caddyfile.j2
# {{ ansible_managed }}
{
# Certificates are issued through the Cloudflare DNS challenge (needed for the
# wildcard hosts below). The API token comes from the environment at adapt
# time and is never written into this file; scope it to DNS edits for the zone.
acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
# No admin API at all: nothing to bind, expose or authenticate.
admin off
# rate_limit is only referenced inside commented-out blocks further down, so
# its ordering hint stays commented as well.
# order rate_limit before basicauth
}
# ----------------------------------------------------------------------------------------------------
# SearXNG
# Primary host: SearXNG, proxied to oracle4:8080.
{$HOSTNAME} {
# Access logs are discarded (privacy). Operators should be aware that this also
# leaves no request-level evidence on this box for incident response.
log {
output discard
}
# Paths that get permissive, GET-only CORS below.
@api {
path /config
path /healthz
path /stats/errors
path /stats/checker
}
@static {
path /static/*
}
@notstatic {
not path /static/*
}
# /image_proxy gets its own, images-only CSP; everything else gets the full one.
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
# Baseline hardening headers on every response from this host.
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# NOTE(review): X-XSS-Protection is deprecated and ignored by current browsers;
# OWASP's guidance is to send "0" (or omit it) because the legacy filter in
# old browsers could itself be abused. Left as-is, but worth reconsidering.
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
# Permissions-Policy and its legacy spelling Feature-Policy disable every
# browser feature they list.
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
Referrer-Policy "no-referrer"
X-Robots-Tag "noindex, noarchive, nofollow"
# Do not advertise the server software.
-Server
}
# Cross-origin reads are allowed only for the @api paths, and only via GET.
header @api {
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
}
# Cache
header @static {
# Cache
# `defer` applies this when the response is written, i.e. after the proxied
# response headers have been received, so it overrides any Cache-Control the
# upstream sets on static assets.
Cache-Control "public, max-age=31536000"
defer
}
header @notstatic {
# No Cache
Cache-Control "no-cache, no-store"
Pragma "no-cache"
}
# CSP (see http://content-security-policy.com/ )
# Image proxy responses: no scripts, styles or frames, images only.
header @imageproxy {
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}
# Everything else: same-origin scripts, same-origin styles (inline allowed),
# form posts also permitted to the SearXNG issue tracker, map tiles and
# Overpass as the only third-party fetch origins, and the listed media sites
# as the only framable origins.
header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
handle {
encode zstd gzip
reverse_proxy {{ oracle4_private_ip }}:8080 {
# {remote_host} is the peer address Caddy sees. If a CDN or another proxy
# sits in front of Caddy this carries the intermediary's address unless
# trusted_proxies is configured -- not determinable from this file.
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {http.request.port}
# Caddy already sets X-Forwarded-Proto (and -For/-Host) by default; this
# line is explicit rather than additional.
header_up X-Forwarded-Proto {http.request.scheme}
}
}
}
# ----------------------------------------------------------------------------------------------------
# Other subdomains
# Every other subdomain. A wildcard host needs the DNS challenge configured in
# the global block (acme_dns) to obtain its certificate.
*.{$HOSTNAME} {
# Access logs discarded (privacy); no request-level evidence kept for IR.
log {
output discard
}
# Fallback: a subdomain that no handle below matches has its connection
# aborted rather than answered, so unknown names reveal nothing.
# NOTE(review): this presumably relies on the Caddyfile adapter ordering a
# matcherless handle after the matcher'd ones below (catch-all last); if this
# block is ever reordered, confirm with `caddy adapt` that the host handles
# are not shadowed.
handle {
abort
}
# Baseline hardening for every subdomain. sync-xhr is left out of both
# policies here (see the commented entries), unlike the primary host.
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# NOTE(review): deprecated header; OWASP now recommends "0" or omission.
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),usb=(),vr=()"
#sync-xhr=(),
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';usb 'none';vr 'none'"
#sync-xhr 'none';
Referrer-Policy "no-referrer"
# Same-origin framing only; the per-host CSPs below also set frame-ancestors.
X-Frame-Options SAMEORIGIN
-Server
}
# about.$HOSTNAME: static files served straight from /www, no upstream. The CSP
# allows same-origin scripts only (no inline script, no script attributes) and
# same-origin or https: styles/fonts.
@about {
host about.{$HOSTNAME}
}
handle @about {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
root * /www
file_server
encode gzip
}
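# www. and x. are aliases for the apex: redirect, keeping the request URI.
# The target is derived from $HOSTNAME like every host matcher in this file
# instead of hard-coding the production domain, so a render with a different
# HOSTNAME (staging, a rename) does not send users to another site.
@www host www.{$HOSTNAME}
handle @www {
redir https://{$HOSTNAME}{uri}
}
@x host x.{$HOSTNAME}
handle @x {
redir https://{$HOSTNAME}{uri}
}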
# i.$HOSTNAME -> single upstream on vultr:8881, zstd/gzip encoding. Same-origin
# CSP plus a noindex robots tag on every response.
@i {
host i.{$HOSTNAME}
}
handle @i {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ vultr_private_ip }}:8881
}
}
# l.$HOSTNAME -> port 8882 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@l {
host l.{$HOSTNAME}
}
handle @l {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8882
to {{ oracle2_private_ip }}:8882
to {{ oracle3_private_ip }}:8882
to {{ oracle4_private_ip }}:8882
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# @n {
# host n.{$HOSTNAME}
# maxmind_geolocation {
# db_path "/etc/caddy/GeoLite2-City.mmdb"
# deny_countries CN
# }
# }
# handle @n {
# @notstatic {
# not path /css/* /js/* /fonts/* /browserconfig.xml /android-chrome* /favicon* /logo* /lp.svg /robots.txt /safari* /site.webmanifest /pic/*
# }
# rate_limit @notstatic {remote.ip} 2r/s 60000 429
# rate_limit @notstatic {remote.ip} 45r/m 300000 429
# reverse_proxy {{ oracle4_private_ip }}:8883 {
# header_up X-Real-IP {remote_host}
# transport http {compression off}
# }
# header {
# header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"
# X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
# }
# }
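# n.$HOSTNAME: the former proxy setup for this host is commented out above;
# requests now redirect to the blog post on the about. host. The target is
# derived from $HOSTNAME like every other host in this file rather than
# hard-coding the production domain.
@n host n.{$HOSTNAME}
handle @n {
redir https://about.{$HOSTNAME}/blog/#nitter
}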
# b.$HOSTNAME -> single upstream on oracle1:8884. No encode on this host;
# responses carry a noindex robots tag.
@b {
host b.{$HOSTNAME}
}
handle @b {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
reverse_proxy {
to {{ oracle1_private_ip }}:8884
}
}
# git.$HOSTNAME -> single upstream on oracle3:8885, zstd/gzip encoding,
# noindex robots tag on every response.
@git {
host git.{$HOSTNAME}
}
handle @git {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle3_private_ip }}:8885
}
}
# s.$HOSTNAME -> single upstream on oracle1:8886, zstd/gzip encoding,
# noindex robots tag on every response.
@s {
host s.{$HOSTNAME}
}
handle @s {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8886
}
}
# p.$HOSTNAME -> port 8887 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@p {
host p.{$HOSTNAME}
}
handle @p {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8887
to {{ oracle2_private_ip }}:8887
to {{ oracle3_private_ip }}:8887
to {{ oracle4_private_ip }}:8887
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# auth.$HOSTNAME: the authentication portal on oracle4:8888 -- the same
# endpoint the f. host's forward_auth verifies against. No encode and no
# extra headers on this path beyond the site-wide ones.
@auth {
host auth.{$HOSTNAME}
}
handle @auth {
reverse_proxy {
to {{ oracle4_private_ip }}:8888
}
}
# t.$HOSTNAME -> port 8889 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@t {
host t.{$HOSTNAME}
}
handle @t {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8889
to {{ oracle2_private_ip }}:8889
to {{ oracle3_private_ip }}:8889
to {{ oracle4_private_ip }}:8889
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# m.$HOSTNAME -> port 8890 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@m {
host m.{$HOSTNAME}
}
handle @m {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8890
to {{ oracle2_private_ip }}:8890
to {{ oracle3_private_ip }}:8890
to {{ oracle4_private_ip }}:8890
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# e.$HOSTNAME -> single upstream on oracle3:8891, zstd/gzip encoding,
# noindex robots tag on every response.
@e {
host e.{$HOSTNAME}
}
handle @e {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle3_private_ip }}:8891
}
}
# it.$HOSTNAME -> port 8892 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@it {
host it.{$HOSTNAME}
}
handle @it {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8892
to {{ oracle2_private_ip }}:8892
to {{ oracle3_private_ip }}:8892
to {{ oracle4_private_ip }}:8892
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
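# f.$HOSTNAME: geo-restricted and authenticated. Both conditions of the
# matcher must hold, so a request from a country outside {{ allow_countries }}
# does not match here at all and falls through to the site-wide abort. A
# matching request must then get a 2xx from forward_auth before it reaches
# the upstream on oracle2:8893.
@f {
host f.{$HOSTNAME}
maxmind_geolocation {
db_path "/etc/caddy/GeoLite2-City.mmdb"
allow_countries {{ allow_countries }}
}
}
handle @f {
# Verifies against the auth portal served on the auth. host (same oracle4:8888
# upstream). The return URL is derived from $HOSTNAME like every other host in
# this file instead of hard-coding the production domain, so other renders of
# the template do not bounce users to a foreign site.
forward_auth {{ oracle4_private_ip }}:8888 {
uri /api/verify?rd=https://auth.{$HOSTNAME}/
# On a 2xx verdict these identity headers are copied from the auth response
# onto the upstream request. The upstream should be reachable only through
# this proxy; if a client could reach 8893 directly it could supply them
# itself -- not determinable from this file.
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
#import trusted_proxy_list
}
encode zstd gzip
reverse_proxy {{ oracle2_private_ip }}:8893
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}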
# nt.$HOSTNAME -> single upstream on oracle3:8894, zstd/gzip encoding,
# noindex robots tag on every response.
@nt {
host nt.{$HOSTNAME}
}
handle @nt {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle3_private_ip }}:8894
}
}
# v.$HOSTNAME -> port 8895 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@v {
host v.{$HOSTNAME}
}
handle @v {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8895
to {{ oracle2_private_ip }}:8895
to {{ oracle3_private_ip }}:8895
to {{ oracle4_private_ip }}:8895
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# bn.$HOSTNAME -> port 8896 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@bn {
host bn.{$HOSTNAME}
}
handle @bn {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8896
to {{ oracle2_private_ip }}:8896
to {{ oracle3_private_ip }}:8896
to {{ oracle4_private_ip }}:8896
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# z.$HOSTNAME -> single upstream on oracle3:8897 (the host the *.z redirect
# site further down points at), zstd/gzip encoding. Flash/PDF cross-domain
# policy files are refused and responses carry a noindex robots tag.
@z {
host z.{$HOSTNAME}
}
handle @z {
header X-Permitted-Cross-Domain-Policies "none"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle3_private_ip }}:8897
}
}
# a.$HOSTNAME -> port 8898 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing. The
# upstream also receives the peer address in X-Real-IP ({remote_host} is the
# intermediary's address if anything fronts Caddy).
@a {
host a.{$HOSTNAME}
}
handle @a {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
header_up X-Real-IP {remote_host}
to {{ oracle1_private_ip }}:8898
to {{ oracle2_private_ip }}:8898
to {{ oracle3_private_ip }}:8898
to {{ oracle4_private_ip }}:8898
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# r.$HOSTNAME -> single upstream on vultr:8899 (the i.r redirect site at the
# end of the file points here), zstd/gzip encoding, noindex robots tag.
@r {
host r.{$HOSTNAME}
}
handle @r {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ vultr_private_ip }}:8899
}
}
# g.$HOSTNAME -> port 8900 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@g {
host g.{$HOSTNAME}
}
handle @g {
header Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8900
to {{ oracle2_private_ip }}:8900
to {{ oracle3_private_ip }}:8900
to {{ oracle4_private_ip }}:8900
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# c.$HOSTNAME -> port 8901 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@c {
host c.{$HOSTNAME}
}
handle @c {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8901
to {{ oracle2_private_ip }}:8901
to {{ oracle3_private_ip }}:8901
to {{ oracle4_private_ip }}:8901
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# o.$HOSTNAME -> port 8902 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@o {
host o.{$HOSTNAME}
}
handle @o {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8902
to {{ oracle2_private_ip }}:8902
to {{ oracle3_private_ip }}:8902
to {{ oracle4_private_ip }}:8902
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# ph.$HOSTNAME -> port 8903 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@ph {
host ph.{$HOSTNAME}
}
handle @ph {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8903
to {{ oracle2_private_ip }}:8903
to {{ oracle3_private_ip }}:8903
to {{ oracle4_private_ip }}:8903
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# q.$HOSTNAME -> port 8904 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@q {
host q.{$HOSTNAME}
}
handle @q {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8904
to {{ oracle2_private_ip }}:8904
to {{ oracle3_private_ip }}:8904
to {{ oracle4_private_ip }}:8904
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# d.$HOSTNAME -> port 8905 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@d {
host d.{$HOSTNAME}
}
handle @d {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8905
to {{ oracle2_private_ip }}:8905
to {{ oracle3_private_ip }}:8905
to {{ oracle4_private_ip }}:8905
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# wf.$HOSTNAME -> single upstream on oracle2:8906, zstd/gzip encoding,
# noindex robots tag on every response.
@wf {
host wf.{$HOSTNAME}
}
handle @wf {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle2_private_ip }}:8906
}
}
# @4g host 4g.{$HOSTNAME}
# handle @4g {
# encode zstd gzip
# @notstatic {
# not path /static/* /android-chrome* /favicon* /robots.txt /banner/* /site.webmanifest
# }
# rate_limit @notstatic {remote.ip} 2r/s 60000 429
# rate_limit @notstatic {remote.ip} 45r/m 300000 429
# reverse_proxy {
# to {{ oracle1_private_ip }}:8907
# to {{ oracle2_private_ip }}:8907
# to {{ oracle3_private_ip }}:8907
# to {{ oracle4_private_ip }}:8907
# lb_policy ip_hash
# lb_try_duration 5s
# lb_try_interval 1s
# fail_duration 30s
# max_fails 3
# }
# header {
# X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
# }
# }
# tb.$HOSTNAME -> port 8907 on all four oracle nodes (the same port the
# commented @4g block above used). ip_hash pins a client address to one
# upstream; 3 failures within 30s sideline an upstream, and a request keeps
# trying upstreams every 1s for up to 5s before failing. The upstream also
# receives the peer address in X-Real-IP ({remote_host} is the intermediary's
# address if anything fronts Caddy).
@tb {
host tb.{$HOSTNAME}
}
handle @tb {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
header_up X-Real-IP {remote_host}
to {{ oracle1_private_ip }}:8907
to {{ oracle2_private_ip }}:8907
to {{ oracle3_private_ip }}:8907
to {{ oracle4_private_ip }}:8907
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# ig.$HOSTNAME -> port 8908 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@ig {
host ig.{$HOSTNAME}
}
handle @ig {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8908
to {{ oracle2_private_ip }}:8908
to {{ oracle3_private_ip }}:8908
to {{ oracle4_private_ip }}:8908
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# tt.$HOSTNAME -> port 8909 on all four oracle nodes. ip_hash pins a client
# address to one upstream; 3 failures within 30s sideline an upstream, and a
# request keeps trying upstreams every 1s for up to 5s before failing.
@tt {
host tt.{$HOSTNAME}
}
handle @tt {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ oracle1_private_ip }}:8909
to {{ oracle2_private_ip }}:8909
to {{ oracle3_private_ip }}:8909
to {{ oracle4_private_ip }}:8909
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
}
# ti.$HOSTNAME -> single upstream on vultr:8910, zstd/gzip encoding,
# noindex robots tag on every response.
@ti {
host ti.{$HOSTNAME}
}
handle @ti {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ vultr_private_ip }}:8910
}
}
# yt.$HOSTNAME -> single upstream on vultr:8911, zstd/gzip encoding,
# noindex robots tag on every response.
@yt {
host yt.{$HOSTNAME}
}
handle @yt {
header X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
encode zstd gzip
reverse_proxy {
to {{ vultr_private_ip }}:8911
}
}
}
# ----------------------------------------------------------------------------------------------------
# Breezewiki redirect to handle subdomain.fandom.com
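# Any host under z.: redirect to z.<HOSTNAME>/<leftmost label><original URI>,
# e.g. foo.z.example.com/bar -> https://z.example.com/foo/bar (constructed
# example). {labels.3} is the leftmost label only while HOSTNAME has exactly
# two labels; revisit if HOSTNAME changes. The target is derived from
# $HOSTNAME like the z. host matcher above rather than hard-coded. The
# previously declared @fandom matcher was unused (the site address already
# restricts this block to *.z hosts) and has been dropped.
*.z.{$HOSTNAME} {
redir https://z.{$HOSTNAME}/{labels.3}{uri}
# Same hardening set as the wildcard site, applied to the redirect response.
header {
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
Referrer-Policy "no-referrer"
X-Frame-Options SAMEORIGIN
-Server
}
log {
output discard
}
# redir runs before handle and answers every request, so this fallback is
# never reached; kept as a harmless safety net.
handle {
abort
}
}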
# ----------------------------------------------------------------------------------------------------
# Imgin redirect to handle i.imgur.com
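# Any request to i.r.<HOSTNAME> is redirected to r.<HOSTNAME> with the same
# URI. The target is derived from $HOSTNAME like the r. host matcher above
# rather than hard-coded, so other renders of this template stay on their own
# domain. This redirect-only site previously sent no hardening headers, unlike
# the *.z redirect site; it now sends the same set.
i.r.{$HOSTNAME} {
handle {
redir https://r.{$HOSTNAME}{uri}
}
header {
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
Referrer-Policy "no-referrer"
X-Frame-Options SAMEORIGIN
-Server
}
log {
output discard
}
# Never reached: handle blocks are mutually exclusive and the matcherless
# redirect handle above always responds first. Kept as a harmless fallback.
handle {
abort
}
}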