{
	# Global options block (optional; HTTPS is on by default).
	# Disable the local admin API endpoint.
	admin off
	# Contact address used when registering the ACME account
	# (the address shown here is a placeholder).
	email [email protected]
	# Production Let's Encrypt endpoint. Swap in the staging line below while
	# testing so rate limits are not consumed; return to production afterwards.
	acme_ca https://acme-v02.api.letsencrypt.org/directory
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	# test_dir https://acme-staging-v02.api.letsencrypt.org/directory
	# ECDSA P-384 certificate keys.
	key_type p384
	# DNS-01 challenge through Cloudflare; the API token comes from the
	# environment so it is never written into this file.
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
(trusted_proxies) {
	## Address ranges whose forwarded-client headers Caddy will honour.
	## Anything listed here can decide which client IP downstream handlers
	## (matchers, Authelia, logs) see, so narrow this to the proxies that are
	## actually in front of this instance rather than keeping whole private ranges.
	trusted_proxies 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
}
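(forward_auth) {
	## Sends each request to Authelia first; the upstream is only reached when
	## Authelia answers with a success status.
	forward_auth authelia:9091 {
		## Required when the client IP is derived through a trusted-proxies configuration.
		import trusted_proxies
		uri /api/authz/forward-auth
		## Variant that passes the Authelia URL in the query string. The note that
		## accompanied it said it was meant to stay commented out, yet it was active,
		## leaving two competing `uri` lines. Prefer setting the URL in the Session
		## Cookies section of the Authelia configuration.
		# uri /api/authz/forward-auth?authelia_url=https://auth.domain.net/
		## Identity headers returned by Authelia that are copied onto the upstream request.
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}
}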
(tls) {
	## Reusable TLS policy: refuse anything older than TLS 1.2.
	tls {
		protocols tls1.2 tls1.3
	}
}
(encoding) {
	## Response compression, zstd preferred over gzip when the client accepts both.
	encode zstd gzip
}
(websockets) {
	## NOTE(review): this looks carried over from an older Caddy configuration.
	## In Caddy 2 the `header` directive sets *response* headers and `/` matches
	## only the exact root path, while reverse_proxy already passes WebSocket
	## upgrades through without extra configuration. It is not imported anywhere
	## in this file; confirm it is still needed before using it.
	header / {
		Connection *Upgrade*
		Upgrade websocket
	}
}
# encode zstd gzip
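(docker) {
	tls {
		protocols tls1.2 tls1.3
	}
	# No path matcher here on purpose: in Caddy 2 `header / { ... }` applies only to
	# requests for the exact path "/", so the security headers below would have been
	# missing from every other response.
	header {
		# Enable HTTP Strict Transport Security (HSTS).
		# Values use straight double quotes: the curly quotes previously used are not
		# recognised by the Caddyfile tokenizer, so a value containing spaces was
		# split into several arguments.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Legacy header. Current guidance (e.g. OWASP Secure Headers) is to set it to
		# 0 or omit it because the browser filter itself has caused problems; kept as
		# the original author chose it.
		X-XSS-Protection "1; mode=block"
		# Disallow MIME sniffing
		X-Content-Type-Options "nosniff"
		# Disallow the site to be rendered within a frame (clickjacking protection)
		X-Frame-Options "DENY"
		# Prevent search engines from indexing (optional)
		X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
		Referrer-Policy "strict-origin-when-cross-origin"
		# Headers for the upstream request do not belong here: `header` only edits
		# response headers, and the former `header_upstream` lines were not a Caddy 2
		# header operation. Set them with `header_up` inside `reverse_proxy` instead;
		# reverse_proxy already adds X-Forwarded-For and X-Forwarded-Proto itself.
		# If you use Cloudflare proxying, use {http.request.header.Cf-Connecting-Ip} as
		# the client address, and only for requests that really came from Cloudflare;
		# for any other client that header is whatever the client chose to send.
		# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
		# and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4
		# Server name removing
		-Server
		# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
		-X-Powered-By
		# Remove Last-Modified because etag is the same and is as effective
		-Last-Modified
	}
}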
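plex.domain.net {
	# Clients on RFC 1918 / ULA addresses (LAN).
	@internal {
		remote_ip private_ranges
	}
	import docker
	# Plex serves its web UI under /web.
	rewrite / /web
	# LAN clients go straight to Plex.
	handle @internal {
		reverse_proxy https://{env.PLEX_CONTAINER_IP}.{env.PLEXTOKEN}.plex.direct:32400 {
			import trusted_proxies
			# `header_up` takes a field name and a value; the bare `{remote_host}`
			# previously here had no field name and is not a valid header_up form.
			header_up X-Real-IP {remote_host}
		}
	}
	# Everyone else. Forward auth is left disabled on this path (presumably
	# because Plex performs its own authentication); enable the import below
	# if Authelia should gate it instead.
	handle {
		# import forward_auth
		reverse_proxy https://{env.PLEX_CONTAINER_IP}.{env.PLEXTOKEN}.plex.direct:32400 {
			import trusted_proxies
			# Cf-Connecting-Ip is only trustworthy when the request arrived via
			# Cloudflare (e.g. the origin is reachable only from Cloudflare's ranges);
			# any other client can put an arbitrary value in this header.
			header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
		}
	}
}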