Enforce strict sni on caddy

2023-07-15 01:57:49 +02:00 · 2023-07-15 01:57:49 +02:00 · 7125294de7
parent 3b9ed6a4f4
commit 7125294de7
3 changed files with 9 additions and 8 deletions
--- a/authentik/docker-compose.yml
+++ b/authentik/docker-compose.yml
@ -1,13 +1,10 @@
 version: '3.2'

 services:
-  server:
+  app:
    image: ghcr.io/goauthentik/server:2023.3
    restart: unless-stopped
    command: server
-    volumes:
-      - ./media:/media
-      - ./custom-templates:/templates
    env_file:
      - .env
      - .secret.env
@ -25,11 +22,7 @@ services:
    command: worker
    user: root
    volumes:
-      - ./backups:/backups
-      - ./media:/media
-      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
-      - ./custom-templates:/templates
    env_file:
      - .env
      - .secret.env
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@ -1,5 +1,10 @@
 {
+	debug
 	email tobias@msrg.cc
+
+	servers {
+		strict_sni_host on
+	}
 }

 import /etc/caddy/snippets
--- a/caddy/config/conf.002.d/node002.pirate-jazz.ts.net.conf
+++ b/caddy/config/conf.002.d/node002.pirate-jazz.ts.net.conf
@ -1,6 +1,9 @@
 node002.pirate-jazz.ts.net {
 	import default

+	@denied not remote_ip private_ranges
+	abort @denied
+
 	@prometheus {
 		header X-App-Target prometheus
 	}