Open pomology opened 2 months ago
There isn't. However, you can look in infrastructure_files/getting-started-with-zitadel.sh for an example.
I've modified it for my own usage:
netbird.example.net {
    reverse_proxy /* netbird-dash:80
    reverse_proxy /signalexchange.SignalExchange/* h2c://netbird-signal
    reverse_proxy /api/* netbird-mgmt
    reverse_proxy /management.ManagementService/* h2c://netbird-mgmt
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}
Thank you so much for pointing out that helpful source!
So then, the docker-compose.yml file would need this section added under "services":
  caddy:
    image: caddy
    restart: unless-stopped
    networks: [ netbird ]
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile
And under "volumes" add:
  netbird_caddy_data:
Besides that, are there any other config changes you made for Caddy to work?
Thank you so much for your help! I really appreciate your input.
Is this config working with Caddy?
@sfnemis As far as the Compose file, yes, that works with Caddy. I've pasted my sanitized Compose file below. I also pasted the Caddyfile config I'm using. Everything is working with this setup, except that all my peers are getting an identical private IP set as their "Public IP" (like 10.89.1.53). I'm not sure why, and I have an open bug submission here on it. Anyway, here's what I've got so far! I'll post again when we get the IP issue figured out.
Here is my Caddyfile, from NetBird's default configs:
{
    debug
    servers :80,:443 {
        protocols h1 h2c
    }
}
(security_headers) {
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}
:80, REDACTED.REDACTED.com:443 {
    import security_headers
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
    reverse_proxy /api/* management:80
    reverse_proxy /management.ManagementService/* h2c://management:80
    reverse_proxy /* dashboard:80
}
And here's my compose.yml, again just built on NetBird's default:
version: "3"
services:
  # Caddy reverse proxy
  caddy:
    image: caddy:latest
    restart: unless-stopped
    networks:
      - netbird
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    networks:
      - netbird
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://REDACTED.REDACTED.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://REDACTED.REDACTED.com:443
      # OIDC
      - AUTH_AUDIENCE=REDACTED
      - AUTH_CLIENT_ID=REDACTED
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://REDACTED.okta.com
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    networks:
      - netbird
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    networks:
      - netbird
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    command: [
      "--port", "80",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=REDACTED.REDACTED.com",
      "--dns-domain=netbird.selfhosted",
      "--idp-sign-key-refresh-enabled"
    ]
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: REDACTED.REDACTED.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
volumes:
  netbird-mgmt:
  netbird_caddy_data:
networks:
  netbird:
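The Caddyfile above carries a `header` block and four `reverse_proxy` routes, and there are a few things a reviewer would check before exposing it: `preload` in Strict-Transport-Security is only honoured when max-age is at least a year (31536000 s) and includeSubDomains is set, so the 3600 s value makes the preload token ineffective; the two gRPC routes must use an h2c:// (or https://) upstream; the dashboard needs a catch-all route; and the global `debug` option should be off in production. The following script is an added example that is not code from the NetBird project or from anyone in this thread. It audits a constructed copy of the posted Caddyfile (the hostname is replaced by the assumed netbird.example.net) using simple regex matching on the text rather than Caddy's own parser, which is enough for the flat layout used here.

```python
"""Audit the security-relevant parts of a NetBird Caddyfile (added example)."""
import re

ONE_YEAR = 31536000  # minimum HSTS max-age accepted for preload submissions

# Constructed sample: the Caddyfile posted in this thread, hostname replaced.
SAMPLE_CADDYFILE = """\
{
    debug
    servers :80,:443 {
        protocols h1 h2c
    }
}

(security_headers) {
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}

:80, netbird.example.net:443 {
    import security_headers
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
    reverse_proxy /api/* management:80
    reverse_proxy /management.ManagementService/* h2c://management:80
    reverse_proxy /* dashboard:80
}
"""


def parse_headers(text):
    """Return {name: value} for the lines inside `header * { ... }`."""
    block = re.search(r"header\s+\*\s*\{(.*?)\n\s*\}", text, re.S)
    headers = {}
    if block:
        for line in block.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("-"):
                continue  # '-Server' deletes a header; nothing to audit
            name, _, value = line.partition(" ")
            headers[name] = value.strip().strip('"')
    return headers


def parse_routes(text):
    """Return [(matcher, upstream)] for every reverse_proxy line."""
    routes = []
    pattern = r"^[ \t]*reverse_proxy[ \t]+(\S+)(?:[ \t]+(\S+))?"
    for m in re.finditer(pattern, text, re.M):
        matcher, upstream = m.group(1), m.group(2)
        if upstream is None:  # no matcher given: Caddy treats it as catch-all
            matcher, upstream = "*", matcher
        routes.append((matcher, upstream))
    return routes


def audit_hsts(value):
    """Findings for one Strict-Transport-Security value."""
    findings = []
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((int(d[8:]) for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        findings.append("HSTS: max-age missing")
    elif "preload" in directives and max_age < ONE_YEAR:
        findings.append(f"HSTS: preload needs max-age >= {ONE_YEAR}, got {max_age}")
    if "preload" in directives and "includesubdomains" not in directives:
        findings.append("HSTS: preload needs includeSubDomains")
    return findings


def audit(text):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    headers = parse_headers(text)
    if "Strict-Transport-Security" not in headers:
        findings.append("HSTS: header missing")
    else:
        findings += audit_hsts(headers["Strict-Transport-Security"])
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if not headers.keys() & {"X-Frame-Options", "Content-Security-Policy"}:
        findings.append("clickjacking: no X-Frame-Options or CSP set")
    routes = parse_routes(text)
    for matcher, upstream in routes:
        # gRPC services appear as /package.Service/* and need HTTP/2 upstream
        if re.fullmatch(r"/\w+\.\w+/\*", matcher) and not upstream.startswith(("h2c://", "https://")):
            findings.append(f"gRPC route {matcher}: needs h2c:// or https:// upstream, got {upstream}")
    if not any(m in ("*", "/*") for m, _ in routes):
        findings.append("routes: no catch-all route for the dashboard")
    if re.search(r"^\s*debug\s*$", text, re.M):
        findings.append("global: debug logging enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CADDYFILE) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports the short HSTS max-age and the global `debug` option and nothing else; raising max-age to 31536000 and dropping `debug` clears both. Adding a `Content-Security-Policy` with `frame-ancestors` would also satisfy the clickjacking check in place of X-Frame-Options.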
Maybe it helps somebody: using Azure AD as IdP and the Safari browser, I got the error AADSTS50011: The reply url specified in the request does not match the reply because Safari calls /auth using http. I added a rule catching all http requests and redirecting /auth to https manually, and also needed to do the same for the dashboard, otherwise the screen would just be blank.
http://<YOUR_DOMAIN> {
    @http protocol http
    handle_path /auth {
        redir @http https://{host}{uri} html
    }
    handle_path / {
        redir @http https://{host}{uri}
    }
}
:80, :443 {
    import security_headers
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
    reverse_proxy /api/* management:80
    reverse_proxy /management.ManagementService/* h2c://management:80
    reverse_proxy /* dashboard:80
}
Is there a Caddy reverse-proxy template available? It would be extremely helpful to have one. Thank you!