roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0c48fc25e7f1e7d6c34bb878070972d705ead918
pic/config/caddy/Caddyfile
T
roof 53c7661812 feat: per-peer access enforcement, live peer status, auto IP assignment 
Server-side access control:
- firewall_manager.py: per-peer iptables FORWARD rules in WireGuard container;
  virtual IPs on Caddy (172.20.0.21-24) for per-service DROP/ACCEPT targeting
- CoreDNS Corefile regenerated with ACL blocks for blocked services per peer
- POST /api/wireguard/apply-enforcement re-applies rules after WireGuard restart;
  wg0.conf PostUp calls it via curl so rules restore automatically on container start

WireGuard fixes:
- _syncconf uses `wg set peer` instead of `wg syncconf` to avoid resetting ListenPort
- add_peer validates AllowedIPs must be /32 — rejects full/split tunnel CIDRs that
  would route internet or LAN traffic to that peer
- _config_file() checks for linuxserver wg_confs/ subdirectory first

UI:
- Peers page fetches /api/wireguard/peers/statuses for live handshake data;
  status badge now shows real Online/Offline + seconds since last handshake
- IP field removed from Add Peer form (auto-assigned from 10.0.0.0/24)

Tests (246 pass):
- test_firewall_manager.py: 22 tests for ACL generation, iptables rule correctness,
  comment tagging, clear_peer_rules filter logic
- test_peer_wg_integration.py: 10 tests for /32 enforcement, IP auto-assignment,
  syncconf called on add/remove
- test_wireguard_manager.py: updated to reflect correct IPs and /32 requirement

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 01:01:07 -04:00

54 lines
1.1 KiB
Caddyfile
Raw Blame History

{
auto_https off
}
# Main cell domain — no service-IP restriction needed
http://mycell.cell, http://172.20.0.2:80 {
handle /api/* {
reverse_proxy cell-api:3000
}
handle /calendar* {
reverse_proxy cell-radicale:5232
}
handle /files* {
reverse_proxy cell-filegator:8080
}
handle /webmail* {
reverse_proxy cell-rainloop:8888
}
handle {
reverse_proxy cell-webui:80
}
}
# Per-service virtual IPs — each gets its own IP so iptables can target them
http://calendar.cell, http://172.20.0.21:80 {
reverse_proxy cell-radicale:5232
}
http://files.cell, http://172.20.0.22:80 {
reverse_proxy cell-filegator:8080
}
http://mail.cell, http://webmail.cell, http://172.20.0.23:80 {
reverse_proxy cell-rainloop:8888
}
http://webdav.cell, http://172.20.0.24:80 {
reverse_proxy cell-webdav:80
}
http://api.cell {
reverse_proxy cell-api:3000
}
# Catch-all for direct IP / localhost
:80 {
handle /api/* {
reverse_proxy cell-api:3000
}
handle {
reverse_proxy cell-webui:80
}
}
Reference in New Issue View Git Blame Copy Permalink