root/duke-gateway
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

2

Browse source
This commit is contained in:
Zeev Diukman 2025-11-28 23:08:22 +02:00
parent 273f46d0fb
commit e23602920f
7 changed files with 136 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
caddy/config/gateway.code-workspace

27
caddy/config/Caddyfile
View file

@ -1,5 +1,5 @@
import snippets.caddy
diukman.com {
* {
respond "Error" 500
}
https://photos.diukman.com {
@ -10,7 +10,6 @@ https://auth.diukman.com {
}
https://adguard.diukman.com {
import protect rp http://192.168.2.8
# respond "aaaaa"
}
https://opnsense.diukman.com {
import protect rp http://192.168.2.1
@ -27,3 +26,27 @@ https://wireguard.diukman.com {
https://modem.diukman.com {
import protect rp http://192.168.1.1
}
https://diukman.com {
# import protected https://192.168.2.10:8006 "skip_verify"
# import protected http://192.168.2.8 "skip_verify"
# import protected "skip_tls" https://192.168.2.10:8006
# handle /oauth2/* {
# reverse_proxy oauth2proxy:4180 {
# header_up X-Real-IP {remote_host}
# header_up X-Forwarded-Uri {uri}
# }
# }
# handle {
# forward_auth oauth2proxy:4180 {
# uri /oauth2/auth
# copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
# header_up X-Real-IP {remote_host}
# @error status 401 403
# handle_response @error {
# redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
# }
# }
# reverse_proxy http://192.168.2.8
# }
}

53
caddy/config/snippets.caddy
View file

@ -8,7 +8,7 @@
(rp) {
reverse_proxy {args[0]}
}
(auth_path) {
(auth_path_handler) {
handle /oauth2/* {
reverse_proxy oauth2proxy:4180 {
header_up X-Real-IP {remote_host}
@ -16,21 +16,58 @@
}
}
}
(auth_redirect) {
import auth_path
forward_auth oauth2proxy:4180 {
uri /oauth2/auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
header_up X-Real-IP {remote_host}
@error status 401 403
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
}
}
}
(protect) {
import auth_path_handler
handle {
import auth_redirect
import {args[0]} {args[1]}
}
}
(protected) {
@skip_tls {
expression `"{args[1]}" == "skip_verify"`
}
@no_skip_tls {
expression `"{args[1]}" != "skip_verify"`
}
handle /oauth2/* {
reverse_proxy oauth2proxy:4180 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Uri {uri}
}
}
handle {
forward_auth oauth2proxy:4180 {
uri /oauth2/auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
header_up X-Real-IP {remote_host}
@error status 401
@error status 401 403
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
}
}
reverse_proxy @skip_tls {args[0]} {
transport http {
tls_insecure_skip_verify
}
}
reverse_proxy @no_skip_tls {args[0]}
}
import {args[0]} {args[1]}
}
(protect) {
import auth_path
import auth_redirect {args[0]} {args[1]}
}

1
oauth2-proxy/allowed_emails.txt
View file

@ -1,2 +1 @@
zeevdukeman@gmail.com
zeevdukemandev@gmail.com

29
oauth2-proxy/oauth2-proxy.cfg
View file

@ -1,17 +1,38 @@
# --- 1. Provider Configuration ---
## GitHub OAuth2 Configuration
# provider = "github"
# client_id = "Ov23liA8Pj1NqKm5HgqR"
# client_secret = "3b5015ef53b81d94ff9414a55be1252508d70795"
# scope = "user:email"
# email_domains = ["*"] # Allow any email domain (since restriction is handled by github_org)
# github_org = "diukman" # Restrict access to members of this GitHub Organization
## Google OAuth2 Configuration
provider = "google"
client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
client_secret = "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"
cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
scope = "openid profile email"
# --- 2. OAuth2 Proxy Configuration ---
upstreams = "static://200"
http_address = "0.0.0.0:4180"
redirect_url = "https://auth.diukman.com/oauth2/callback"
scope = "openid profile email"
set_xauthrequest = true
# whitelist_domains = [ ".diukman.com", "diukman.com" ]
# --- 3. Cookie Configuration ---
cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
cookie_domains = [ ".diukman.com", "diukman.com" ]
cookie_httponly = true
cookie_secure = true
cookie_samesite = "none"
cookie_expire = "168h" # Cookie expiry time (7 days)
# --- 5. Email Whitelisting ---
authenticated_emails_file = "/etc/allowed_emails.txt"
# email_domains = [ "*" ]
# --- 6. Domain redirection Whitelisting ---
whitelist_domains = ["*.diukman.com", "diukman.com"]
pass_host_header = true # Pass the Host header from the client to the upstream server

27
oauth2-proxy/oauth2-proxy.cfg-google Normal file
View file

@ -0,0 +1,27 @@
# --- 1. Provider Configuration ---
provider = "google"
client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
client_secret = "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"
scope = "openid profile email"
# provider = "github"
# client_id = "Ov23liA8Pj1NqKm5HgqR"
# client_secret = "3b5015ef53b81d94ff9414a55be1252508d70795"
# scope = "user:email"
# --- 2. OAuth2 Proxy Configuration ---
upstreams = "static://200"
http_address = "0.0.0.0:4180"
redirect_url = "https://auth.diukman.com/oauth2/callback"
set_xauthrequest = true
# --- 3. Cookie Configuration ---
cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
cookie_domains = [ ".diukman.com", "diukman.com" ]
cookie_httponly = true
cookie_secure = true
cookie_samesite = "none"
# --- 5. Email Whitelisting ---
authenticated_emails_file = "/etc/allowed_emails.txt"
# --- 6. Domain redirection Whitelisting ---
whitelist_domains = [ "*.diukman.com", "diukman.com" ]

13
z.sh
View file

@ -38,6 +38,17 @@ case "${Z_CMD[0]}" in
;;
esac
;;
oauth2-proxy | p)
case "${Z_CMD[1]}" in
restart | r)
echo "Restarting oauth2-proxy container..."
docker compose restart oauth2proxy
;;
*)
Z_FLAG=true
;;
esac
;;
*)
Z_FLAG=true
;;
@ -45,7 +56,7 @@ esac
case $Z_FLAG in
true)
echo "Usage: $0 caddy [reload|restart|watch]"
echo "Usage: $0 caddy|c <reload|r|restart> | docker|d <up|u|down|d|restart|r> | oauth2-proxy|p <restart|r>"
exit 1
;;
esac