Caddy를 이용한 reverse proxy 설정을 기록한다. 인증서는 따로 /etc/letsencrypt에 갱신하기 때문에 그 인증서를 그대로 사용하게 설정했다.
bitwarden
https://mydomain.net:1234 -> bitwarden
docker-compose.yml
version: "3"
services:
bitwarden:
container_name: bitwarden
image: bitwardenrs/server:raspberry
environment:
- WEBSOCKET_ENABLED=true
- ./bitwarden_data:/data
restart: unless-stopped
caddy-bitwarden:
container_name: caddy-bitwarden
image: caddy
ports:
- '1234:1234/tcp'
environment:
- ACME_AGREE=false
- DOMAIN=mydomain.net
- CADDY_PORT=1234
- REDIRECT_URL=bitwarden:80
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
Caddyfile
{$DOMAIN}:{$CADDY_PORT} {
tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem
header / {
Strict-Transport-Security "max-age=15768000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Robots-Tag "none"
}
# The negotiation endpoint is also proxied to Rocket
reverse_proxy /notifications/hub/negotiate bitwarden:80
# Notifications redirected to the websockets server
reverse_proxy /notifications/hub bitwarden:3012
# Proxy the Root directory to Rocket
reverse_proxy /* {$REDIRECT_URL}
}
nextcloud
https://mydomain.net:1234 -> php-fpm(nextcloud)
docker-compose.yml
version: '3.1'
services:
nextcloud:
image: nextcloud:fpm-alpine
container_name: nextcloud
environment:
- TZ=Asia/Seoul
- PUID=1001
- PGID=1001
- MYSQL_DATABASE=db이름
- MYSQL_USER=mysql사용자이름
- MYSQL_PASSWORD=mysql비밀번호
- MYSQL_HOST=mysql서버주소
- NEXTCLOUD_TRUSTED_DOMAINS=mydomain.net:1234
- NEXTCLOUD_ADMIN_USER=nextcloud관리자이름
- NEXTCLOUD_ADMIN_PASSWORD=nextcloud관리자비밀번호
volumes:
- ./nextcloud_html:/var/www/html
restart: unless-stopped
caddy-nextcloud:
container_name: caddy-nextcloud
image: caddy
ports:
- '1234:1234/tcp'
environment:
- ACME_AGREE=false
- DOMAIN=mydomain.net
- CADDY_PORT=1234
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./nextcloud_html:/var/www/html:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
Caddyfile
{$DOMAIN}:{$CADDY_PORT} {
tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem
header / {
Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
Referrer-Policy "no-referrer"
X-Content-Type-Options "nosniff"
X-Download-Options "noopen"
X-Frame-Options "SAMEORIGIN"
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "none"
X-XSS-Protection "1; mode=block"
}
root * /var/www/html
file_server
php_fastcgi nextcloud:9000
header /core/fonts {
Cache-Control "max-age=604800"
}
@phpFiles {
path_regexp phpfile ^/(remote|public|cron|core/ajax/update|status|ocs/v1|ocs/v2)\.php
}
rewrite @phpFiles {http.regexp.phpfile.0}
# Service discovery via well-known
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}
path 제거
{$DOMAIN}:{$CADDY_PORT}/foo/ -> 172.16.10.5:449/
Caddyfile
{$DOMAIN}:{$CADDY_PORT} {
tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem
header / {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=15768000;"
X-Frame-Options "DENY"
X-Robots-Tag "none"
}
route /foo/* {
uri strip_prefix /foo
reverse_proxy 172.16.10.5:449
}
}
path 변경
{$DOMAIN}:{$CADDY_PORT}/foo/ -> 172.16.10.5:449/bar/
Caddyfile
{$DOMAIN}:{$CADDY_PORT} {
tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem
header / {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=15768000;"
X-Frame-Options "DENY"
X-Robots-Tag "none"
}
route /foo/* {
uri replace /foo/ /bar/
reverse_proxy 172.16.10.5:449
}
}
