Only allow global access to production in Caddy

2023-12-31 18:34:36 +01:00 · 2023-12-31 18:34:36 +01:00 · c8a15443c3
parent f190d0bc61
commit c8a15443c3
1 changed files with 24 additions and 4 deletions
--- a/roles/proxy/templates/caddy/Caddyfile.j2
+++ b/roles/proxy/templates/caddy/Caddyfile.j2
@ -37,7 +37,19 @@ ipfs-gateway.{{ proxy_vars[env].app01.apps_base_domain }},
        -Server
    }

+{% if env == 'production' %}
    reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+{% else %}
+    @local {
+        remote_ip {{ proxy_trusted_subnets | join(' ') }}
+    }
+
+    handle @local {
+        reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+    }
+
+    respond 403
+{% endif %}
 }

 xmr.local.{{ proxy_vars[env].app01.apps_base_domain }} {
@ -62,20 +74,28 @@ xmr.local.{{ proxy_vars[env].app01.apps_base_domain }} {
 }

 cloud.{{ proxy_vars[env].app01.apps_base_domain }} {
-{% if env == 'production' %}
-    tls {{ tls_email }}
-{% else %}
    tls {{ tls_email }} {
        dns njalla {{ njalla_api_token }}
    }
-{% endif %}

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }

+{% if env == 'production' %}
    reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+{% else %}
+    @local {
+        remote_ip {{ proxy_trusted_subnets | join(' ') }}
+    }
+
+    handle @local {
+        reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+    }
+
+    respond 403
+{% endif %}
 }

 # END Environment: {{ env }}