xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

block non-cloudflare on base site too

Browse source
This commit is contained in:
xunuwu 2025-05-20 19:45:23 +02:00
parent 05a8ed91cb
commit 74d85dac8e
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
sys/machines/hopper/lab/caddy.nix
View file

@ -23,12 +23,15 @@ in {
enable = true;
globalConfig = "metrics";
virtualHosts = let
blockNonCloudflare = ''
@blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
respond @blocked "Access only allowed through cloudflare" 403
'';
mkPublicEntry = name: destination: {
useACMEHost = domain;
hostName = "${name}.${domain}:${toString caddyPort}";
extraConfig = ''
@blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
respond @blocked "Access only allowed through cloudflare" 403
${blockNonCloudflare}
reverse_proxy {
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
to ${destination}
@ -56,6 +59,7 @@ in {
useACMEHost = domain;
hostName = "${domain}:${toString caddyPort}";
extraConfig = ''
${blockNonCloudflare}
root * ${inputs.own-website.packages.${pkgs.system}.default}
file_server
'';