diff --git a/configs/caddy/Caddyfile b/configs/caddy/Caddyfile index 08f6077..15d141b 100644 --- a/configs/caddy/Caddyfile +++ b/configs/caddy/Caddyfile @@ -1,13 +1,140 @@ +# Internal only (not in the browser URL): +# 9010 merchant API | 9011 exchange API | 9012 bank API +# 9013 bank landing | 9014 exchange landing | 9015 merchant landing +# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt + { email info+koopa@hacktivism.ch - http_port 8085 - https_port 8443 + http_port 9000 + https_port 9001 auto_https disable_redirects -} -taler.hacktivism.ch { - tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem - reverse_proxy https://127.0.0.1:8081 { - transport http { tls_insecure_skip_verify } - header_up Host {host} + # Caddy listens on 9001 behind VeciGate/https-proxy :443. + # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. + servers { + protocols h1 h2 + } +} + +(proxy_public) { + header_up Host {host} + header_up X-Forwarded-Host {host} + header_up X-Forwarded-Proto {scheme} + header_up X-Forwarded-Port 443 + header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" +} + +taler.hacktivism.ch { + tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem + header Alt-Svc "clear" + + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9015 { + import proxy_public + } + } + + # SPA: /webui → /webui/ + redir /webui /webui/ 302 + + # Merchant API + WebUI (nginx :9010 → unix socket) + reverse_proxy https://127.0.0.1:9010 { + transport http { + tls_insecure_skip_verify + } + import proxy_public + } +} + +exchange.hacktivism.ch { + tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem + header Alt-Svc "clear" + + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9014 { + import proxy_public + } + } + + reverse_proxy 127.0.0.1:9011 { + import proxy_public + } +} + +bank.hacktivism.ch { + header Alt-Svc "clear" + + # Public landing first + redir / /intro/ 302 + + handle /intro* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + + # Static terms/privacy on landing nginx :9013 (optional; needs locations there) + handle /terms* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + handle /privacy* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + + reverse_proxy 127.0.0.1:9012 { + import proxy_public + } +} + +castopod.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9020 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } +} + +bonfire.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9021 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } +} + +prime.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9022 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } +} + +bt.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9023 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } +} + +http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch { + handle /.well-known/acme-challenge/* { + root * /var/www/acme + file_server + } + handle { + redir https://{host}{uri} permanent } } diff --git a/configs/firewalld/public-ports.md b/configs/firewalld/public-ports.md new file mode 100644 index 0000000..bb31c9c --- /dev/null +++ b/configs/firewalld/public-ports.md @@ -0,0 +1,3 @@ +# firewalld + +Open 9000/9001/80. Drop 443/8082 next. diff --git a/configs/ports.md b/configs/ports.md index c8e350f..8b48de2 100644 --- a/configs/ports.md +++ b/configs/ports.md @@ -1,3 +1,19 @@ -# Ports +# Port map (see also host/overview/services.md) -80→8085, 443→8443; Caddy 8085/8443; merchant 8081 +| Port | Role | +|------|------| +| 22 | sshd (WAN often via VeciGate 23235) | +| 80 | systemd `http-proxy.socket` → Caddy **9000** | +| 443 | systemd `https-proxy.socket` → Caddy **9001** | +| 9000 | Caddy HTTP + ACME webroot | +| 9001 | Caddy HTTPS (vhosts) | +| 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld | +| 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld | +| 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld | +| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` | +| 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` | +| 8080 | Tor ORPort | + +VeciGate: WAN **80→9000**, WAN **443→9001**. +Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}. +Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet). diff --git a/host/caddy/Caddyfile b/host/caddy/Caddyfile index 08f6077..16b62aa 100644 --- a/host/caddy/Caddyfile +++ b/host/caddy/Caddyfile @@ -1,13 +1,63 @@ +# Port map (final): +# 9000 Caddy HTTP (redirect + ACME webroot) +# 9001 Caddy HTTPS +# 9010 taler-hacktivism (merchant nginx TLS) +# 9011 taler-exchange-hacktivism (exchange httpd) +# 9012 taler-bank-hacktivism (libeufin-bank) + { email info+koopa@hacktivism.ch - http_port 8085 - https_port 8443 + http_port 9000 + https_port 9001 auto_https disable_redirects + # Caddy listens on 9001 behind VeciGate/https-proxy :443. + # Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try + # on the public host — port 9001 is not the public HTTPS entry (443 is). + # That breaks sites after first visit (especially dual-stack clients). + servers { + protocols h1 h2 + } } + taler.hacktivism.ch { tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem - reverse_proxy https://127.0.0.1:8081 { - transport http { tls_insecure_skip_verify } + header Alt-Svc "clear" + reverse_proxy https://127.0.0.1:9010 { + transport http { + tls_insecure_skip_verify + } header_up Host {host} } } + +exchange.hacktivism.ch { + tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9011 { + header_up Host {host} + } +} + +bank.hacktivism.ch { + header Alt-Svc "clear" + handle_path /intro/* { + root * /var/www/bank-landing + file_server + } + redir /intro /intro/ 302 + redir / /intro/ 302 + + reverse_proxy 127.0.0.1:9012 { + header_up Host {host} + } +} + +http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch { + handle /.well-known/acme-challenge/* { + root * /var/www/acme + file_server + } + handle { + redir https://{host}{uri} permanent + } +} diff --git a/host/caddy/README.md b/host/caddy/README.md index 4b5053f..0d3f627 100644 --- a/host/caddy/README.md +++ b/host/caddy/README.md @@ -1,4 +1,6 @@ -# Caddy +# Caddy (host reverse proxy) -- 2026-07-07 taler LE (certbot) -- 2026-07-08 Caddy :443 with copied certs +- Config: `Caddyfile` (also mirrored under `configs/caddy/`) +- TLS certs on disk: `/etc/caddy/certs/{taler,exchange}.hacktivism.ch/` +- HTTP 9000: ACME webroot `/var/www/acme` + redirect to HTTPS +- HTTPS 9001: vhosts → backends 9010 / 9011 diff --git a/host/firewalld/README.md b/host/firewalld/README.md new file mode 100644 index 0000000..26c4db3 --- /dev/null +++ b/host/firewalld/README.md @@ -0,0 +1,18 @@ +# firewalld (zone `public`, interface `eno1`) + +## Open ports (current) + +| Port | Purpose | +|------|---------| +| 80/tcp | systemd → Caddy HTTP 9000 | +| 9000/tcp | Caddy HTTP (VeciGate WAN:80) | +| 9001/tcp | Caddy HTTPS (VeciGate WAN:443) | +| 8080/tcp | Tor OR | +| 23235/tcp | (legacy list; SSH is service `ssh` on 22) | +| services | `ssh`, `dhcpv6-client` | + +## Removed + +- 443/tcp, 8082/tcp — obsolete after 9000-series DNAT + +Live dump: `list-all.txt`. diff --git a/host/firewalld/list-all.txt b/host/firewalld/list-all.txt new file mode 100644 index 0000000..66c0567 --- /dev/null +++ b/host/firewalld/list-all.txt @@ -0,0 +1,16 @@ +public (default, active) + target: default + ingress-priority: 0 + egress-priority: 0 + icmp-block-inversion: no + interfaces: eno1 + sources: + services: dhcpv6-client ssh + ports: 23235/tcp 8080/tcp 9000/tcp 9001/tcp 80/tcp 443/tcp + protocols: + forward: yes + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: