caddy: HTTP 9000 HTTPS 9001; ACME webroot; firewalld open 9000/9001/80
This commit is contained in:
parent
b587bb0eeb
commit
5c0101f24b
7 changed files with 249 additions and 17 deletions
|
|
@ -1,13 +1,140 @@
|
||||||
|
# Internal only (not in the browser URL):
|
||||||
|
# 9010 merchant API | 9011 exchange API | 9012 bank API
|
||||||
|
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
|
||||||
|
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt
|
||||||
|
|
||||||
{
|
{
|
||||||
email info+koopa@hacktivism.ch
|
email info+koopa@hacktivism.ch
|
||||||
http_port 8085
|
http_port 9000
|
||||||
https_port 8443
|
https_port 9001
|
||||||
auto_https disable_redirects
|
auto_https disable_redirects
|
||||||
|
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
||||||
|
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
|
||||||
|
servers {
|
||||||
|
protocols h1 h2
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
(proxy_public) {
|
||||||
|
header_up Host {host}
|
||||||
|
header_up X-Forwarded-Host {host}
|
||||||
|
header_up X-Forwarded-Proto {scheme}
|
||||||
|
header_up X-Forwarded-Port 443
|
||||||
|
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
|
||||||
|
}
|
||||||
|
|
||||||
taler.hacktivism.ch {
|
taler.hacktivism.ch {
|
||||||
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
||||||
reverse_proxy https://127.0.0.1:8081 {
|
header Alt-Svc "clear"
|
||||||
transport http { tls_insecure_skip_verify }
|
|
||||||
|
# Public landing first
|
||||||
|
redir / /intro/ 302
|
||||||
|
|
||||||
|
handle /intro* {
|
||||||
|
reverse_proxy 127.0.0.1:9015 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# SPA: /webui → /webui/
|
||||||
|
redir /webui /webui/ 302
|
||||||
|
|
||||||
|
# Merchant API + WebUI (nginx :9010 → unix socket)
|
||||||
|
reverse_proxy https://127.0.0.1:9010 {
|
||||||
|
transport http {
|
||||||
|
tls_insecure_skip_verify
|
||||||
|
}
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
exchange.hacktivism.ch {
|
||||||
|
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
|
||||||
|
# Public landing first
|
||||||
|
redir / /intro/ 302
|
||||||
|
|
||||||
|
handle /intro* {
|
||||||
|
reverse_proxy 127.0.0.1:9014 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
reverse_proxy 127.0.0.1:9011 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bank.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
|
||||||
|
# Public landing first
|
||||||
|
redir / /intro/ 302
|
||||||
|
|
||||||
|
handle /intro* {
|
||||||
|
reverse_proxy 127.0.0.1:9013 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Static terms/privacy on landing nginx :9013 (optional; needs locations there)
|
||||||
|
handle /terms* {
|
||||||
|
reverse_proxy 127.0.0.1:9013 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
handle /privacy* {
|
||||||
|
reverse_proxy 127.0.0.1:9013 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
reverse_proxy 127.0.0.1:9012 {
|
||||||
|
import proxy_public
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
castopod.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
reverse_proxy 127.0.0.1:9020 {
|
||||||
header_up Host {host}
|
header_up Host {host}
|
||||||
|
header_up X-Forwarded-For {remote_host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bonfire.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
reverse_proxy 127.0.0.1:9021 {
|
||||||
|
header_up Host {host}
|
||||||
|
header_up X-Forwarded-For {remote_host}
|
||||||
|
flush_interval -1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
prime.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
reverse_proxy 127.0.0.1:9022 {
|
||||||
|
header_up Host {host}
|
||||||
|
header_up X-Forwarded-For {remote_host}
|
||||||
|
flush_interval -1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bt.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
reverse_proxy 127.0.0.1:9023 {
|
||||||
|
header_up Host {host}
|
||||||
|
header_up X-Forwarded-For {remote_host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
|
||||||
|
handle /.well-known/acme-challenge/* {
|
||||||
|
root * /var/www/acme
|
||||||
|
file_server
|
||||||
|
}
|
||||||
|
handle {
|
||||||
|
redir https://{host}{uri} permanent
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
3
configs/firewalld/public-ports.md
Normal file
3
configs/firewalld/public-ports.md
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
# firewalld
|
||||||
|
|
||||||
|
Open 9000/9001/80. Drop 443/8082 next.
|
||||||
|
|
@ -1,3 +1,19 @@
|
||||||
# Ports
|
# Port map (see also host/overview/services.md)
|
||||||
|
|
||||||
80→8085, 443→8443; Caddy 8085/8443; merchant 8081
|
| Port | Role |
|
||||||
|
|------|------|
|
||||||
|
| 22 | sshd (WAN often via VeciGate 23235) |
|
||||||
|
| 80 | systemd `http-proxy.socket` → Caddy **9000** |
|
||||||
|
| 443 | systemd `https-proxy.socket` → Caddy **9001** |
|
||||||
|
| 9000 | Caddy HTTP + ACME webroot |
|
||||||
|
| 9001 | Caddy HTTPS (vhosts) |
|
||||||
|
| 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld |
|
||||||
|
| 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld |
|
||||||
|
| 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld |
|
||||||
|
| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` |
|
||||||
|
| 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` |
|
||||||
|
| 8080 | Tor ORPort |
|
||||||
|
|
||||||
|
VeciGate: WAN **80→9000**, WAN **443→9001**.
|
||||||
|
Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}.
|
||||||
|
Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet).
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,63 @@
|
||||||
|
# Port map (final):
|
||||||
|
# 9000 Caddy HTTP (redirect + ACME webroot)
|
||||||
|
# 9001 Caddy HTTPS
|
||||||
|
# 9010 taler-hacktivism (merchant nginx TLS)
|
||||||
|
# 9011 taler-exchange-hacktivism (exchange httpd)
|
||||||
|
# 9012 taler-bank-hacktivism (libeufin-bank)
|
||||||
|
|
||||||
{
|
{
|
||||||
email info+koopa@hacktivism.ch
|
email info+koopa@hacktivism.ch
|
||||||
http_port 8085
|
http_port 9000
|
||||||
https_port 8443
|
https_port 9001
|
||||||
auto_https disable_redirects
|
auto_https disable_redirects
|
||||||
|
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
||||||
|
# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
|
||||||
|
# on the public host — port 9001 is not the public HTTPS entry (443 is).
|
||||||
|
# That breaks sites after first visit (especially dual-stack clients).
|
||||||
|
servers {
|
||||||
|
protocols h1 h2
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
taler.hacktivism.ch {
|
taler.hacktivism.ch {
|
||||||
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
||||||
reverse_proxy https://127.0.0.1:8081 {
|
header Alt-Svc "clear"
|
||||||
transport http { tls_insecure_skip_verify }
|
reverse_proxy https://127.0.0.1:9010 {
|
||||||
|
transport http {
|
||||||
|
tls_insecure_skip_verify
|
||||||
|
}
|
||||||
header_up Host {host}
|
header_up Host {host}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
exchange.hacktivism.ch {
|
||||||
|
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
reverse_proxy 127.0.0.1:9011 {
|
||||||
|
header_up Host {host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bank.hacktivism.ch {
|
||||||
|
header Alt-Svc "clear"
|
||||||
|
handle_path /intro/* {
|
||||||
|
root * /var/www/bank-landing
|
||||||
|
file_server
|
||||||
|
}
|
||||||
|
redir /intro /intro/ 302
|
||||||
|
redir / /intro/ 302
|
||||||
|
|
||||||
|
reverse_proxy 127.0.0.1:9012 {
|
||||||
|
header_up Host {host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
|
||||||
|
handle /.well-known/acme-challenge/* {
|
||||||
|
root * /var/www/acme
|
||||||
|
file_server
|
||||||
|
}
|
||||||
|
handle {
|
||||||
|
redir https://{host}{uri} permanent
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,6 @@
|
||||||
# Caddy
|
# Caddy (host reverse proxy)
|
||||||
|
|
||||||
- 2026-07-07 taler LE (certbot)
|
- Config: `Caddyfile` (also mirrored under `configs/caddy/`)
|
||||||
- 2026-07-08 Caddy :443 with copied certs
|
- TLS certs on disk: `/etc/caddy/certs/{taler,exchange}.hacktivism.ch/`
|
||||||
|
- HTTP 9000: ACME webroot `/var/www/acme` + redirect to HTTPS
|
||||||
|
- HTTPS 9001: vhosts → backends 9010 / 9011
|
||||||
|
|
|
||||||
18
host/firewalld/README.md
Normal file
18
host/firewalld/README.md
Normal file
|
|
@ -0,0 +1,18 @@
|
||||||
|
# firewalld (zone `public`, interface `eno1`)
|
||||||
|
|
||||||
|
## Open ports (current)
|
||||||
|
|
||||||
|
| Port | Purpose |
|
||||||
|
|------|---------|
|
||||||
|
| 80/tcp | systemd → Caddy HTTP 9000 |
|
||||||
|
| 9000/tcp | Caddy HTTP (VeciGate WAN:80) |
|
||||||
|
| 9001/tcp | Caddy HTTPS (VeciGate WAN:443) |
|
||||||
|
| 8080/tcp | Tor OR |
|
||||||
|
| 23235/tcp | (legacy list; SSH is service `ssh` on 22) |
|
||||||
|
| services | `ssh`, `dhcpv6-client` |
|
||||||
|
|
||||||
|
## Removed
|
||||||
|
|
||||||
|
- 443/tcp, 8082/tcp — obsolete after 9000-series DNAT
|
||||||
|
|
||||||
|
Live dump: `list-all.txt`.
|
||||||
16
host/firewalld/list-all.txt
Normal file
16
host/firewalld/list-all.txt
Normal file
|
|
@ -0,0 +1,16 @@
|
||||||
|
public (default, active)
|
||||||
|
target: default
|
||||||
|
ingress-priority: 0
|
||||||
|
egress-priority: 0
|
||||||
|
icmp-block-inversion: no
|
||||||
|
interfaces: eno1
|
||||||
|
sources:
|
||||||
|
services: dhcpv6-client ssh
|
||||||
|
ports: 23235/tcp 8080/tcp 9000/tcp 9001/tcp 80/tcp 443/tcp
|
||||||
|
protocols:
|
||||||
|
forward: yes
|
||||||
|
masquerade: no
|
||||||
|
forward-ports:
|
||||||
|
source-ports:
|
||||||
|
icmp-blocks:
|
||||||
|
rich rules:
|
||||||
Loading…
Add table
Add a link
Reference in a new issue