Help me rewrite a snippet within the relevant site block

1. The problem I’m having:

I’m using Caddy to reverse proxy Vaultwarden and I’d like to make the /admin/ panel accessible only from local IPs. The Vaultwarden Wiki says to use this snippet and then import it. I’ve done so and it works as expected, but I was wondering if someone could help me rewrite the vaultwarden_admin_redir in an OCD-satisfying way, so that the snippet, which pertains to Vaultwarden only, sits within its own block, instead of with the global directives.

Thank you!

(vaultwarden_admin_redir) {
	@admin {
		path /admin*
		not remote_ip private_ranges
	}
	redir @admin /
}

*.mydomain.com {
	## Vaultwarden
	@vaultwarden host vault.mydomain.com
	handle @vaultwarden {
		import vaultwarden_admin_redir
		header {
			# Enable HTTP Strict Transport Security (HSTS)
			Strict-Transport-Security "max-age=31536000;"
			# Disable the legacy cross-site scripting filter
			X-XSS-Protection "0"
			# Disallow the site to be rendered within a frame (clickjacking protection)
			X-Frame-Options "SAMEORIGIN"
			# Prevent search engines from indexing (optional)
			X-Robots-Tag "noindex, nofollow"
			# Prevent MIME type sniffing
			X-Content-Type-Options "nosniff"
			# Remove the Server header
			-Server
			# Remove X-Powered-By; it shouldn't be an issue, but removing it is better opsec
			-X-Powered-By
			# Remove Last-Modified because ETag is the same and is as effective
			-Last-Modified
		}
		route {
			crowdsec
			reverse_proxy http://vaultwarden {
				header_up X-Real-IP {remote_host}
			}
		}
	}
}

2. Error messages and/or full log output:

No error messages.

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

a. System environment:

Docker-compose, built from sources with Porkbun DNS

b. Command:

FROM caddy:builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/porkbun \
    --with github.com/hslatman/caddy-crowdsec-bouncer/http \
    --with github.com/hslatman/caddy-crowdsec-bouncer/crowdsec \
    --with github.com/hslatman/caddy-crowdsec-bouncer/layer4

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

c. Service/unit/compose file:

services:
  caddy:
    image: caddy-porkbun:latest
    build: .
    container_name: caddy
    restart: unless-stopped
    security_opt:
      - label:disable
    ports:
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./config:/etc/caddy
      - ./logs:/logs
      - /etc/localtime:/etc/localtime:ro
    cap_add:
      - NET_ADMIN
    networks:
      - valinor

networks:
  valinor:
    external: true
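As an added example (not from the Vaultwarden wiki, Caddy, or the poster): a small Python audit that mirrors the `@admin` matcher and scans Caddy JSON access log lines for `/admin` requests from public addresses that were not redirected, which is the check worth running after importing or inlining the snippet. It assumes Caddy's default JSON access log fields (`request.remote_ip`, `request.uri`, `status`), the `redir` default status 302, and the documented `private_ranges` list; the log lines are constructed.

```python
import ipaddress
import json

# Caddy's built-in `private_ranges` for the remote_ip matcher (assumption: the documented list).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8", "fd00::/8", "::1/128",
)]

# Constructed sample lines in the shape of Caddy's JSON access log (not real traffic).
SAMPLE_LOG = [
    '{"logger":"http.log.access","request":{"remote_ip":"192.168.1.20","uri":"/admin/","host":"vault.mydomain.com"},"status":200}',
    '{"logger":"http.log.access","request":{"remote_ip":"203.0.113.9","uri":"/admin/","host":"vault.mydomain.com"},"status":302}',
    '{"logger":"http.log.access","request":{"remote_ip":"203.0.113.9","uri":"/admin/users/overview","host":"vault.mydomain.com"},"status":200}',
    '{"logger":"http.log.access","request":{"remote_ip":"203.0.113.9","uri":"/api/sync","host":"vault.mydomain.com"},"status":200}',
    'not a json line',
]


def is_private(ip: str) -> bool:
    """True if `ip` falls inside one of Caddy's private_ranges (v4/v6 mismatches are simply False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def admin_should_redirect(path: str, remote_ip: str) -> bool:
    """Mirror of the @admin matcher: `path /admin*` AND `not remote_ip private_ranges`."""
    return path.startswith("/admin") and not is_private(remote_ip)


def find_exposed_admin_hits(log_lines):
    """Return (remote_ip, uri, status) for /admin requests from public IPs that were NOT redirected.

    Any hit here means the snippet is not in effect for that request, or Caddy is seeing a
    proxy's address instead of the client's (e.g. another proxy in front of it)."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-access-log noise
        req = entry.get("request", {})
        uri, ip, status = req.get("uri", ""), req.get("remote_ip", ""), entry.get("status")
        if not uri or not ip:
            continue
        path = uri.split("?", 1)[0]  # the path matcher ignores the query string
        if admin_should_redirect(path, ip) and status != 302:
            hits.append((ip, uri, status))
    return hits
```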

I don’t understand the question. There’s no such thing as “global directives” so I’m not sure what you’re referring to. What do you mean by “sits within its own block”? Technically a snippet is a block.

Can’t you just copy the snippet contents to inside the handle? What’s the problem with that?


I didn’t want to guess, that’s the problem, and I wasn’t sure where to put it. But I’ll try. Thanks.

EDIT: In case someone else is in my shoes, here’s what I ended up with:

*.mydomain.com {
	## Vaultwarden
	@vaultwarden host vault.mydomain.com
	handle @vaultwarden {
		@admin {
			path /admin*
			not remote_ip private_ranges
		}
		redir @admin /

		header {
			# Enable HTTP Strict Transport Security (HSTS)
			Strict-Transport-Security "max-age=31536000;"
			# Disable the legacy cross-site scripting filter
			X-XSS-Protection "0"
			# Disallow the site to be rendered within a frame (clickjacking protection)
			X-Frame-Options "SAMEORIGIN"
			# Prevent search engines from indexing (optional)
			X-Robots-Tag "noindex, nofollow"
			# Prevent MIME type sniffing
			X-Content-Type-Options "nosniff"
			# Remove the Server header
			-Server
			# Remove X-Powered-By; it shouldn't be an issue, but removing it is better opsec
			-X-Powered-By
			# Remove Last-Modified because ETag is the same and is as effective
			-Last-Modified
		}
		route {
			crowdsec
			reverse_proxy http://vaultwarden {
				header_up X-Real-IP {remote_host}
			}
		}
	}
}
