opnxng-deploy-playbook/Caddyfile


# Ansible managed
# Global options: these apply to every site block in this file.
{
# Turn off Caddy's admin API so the running configuration cannot be read or changed over HTTP.
admin off
# Obtain certificates with the ACME DNS challenge through the Cloudflare DNS module.
# The token is substituted from the environment when the file is parsed, so it is not stored here.
# NOTE(review): presumably required for the wildcard site names below; a token restricted to
# DNS edits on this single zone limits the damage if the environment is ever exposed.
acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
# order rate_limit before basicauth
}
# ----------------------------------------------------------------------------------------------------
# SearXNG
{$HOSTNAME} {
# Access logging is enabled only to send every entry to the discard writer, so no request
# (client address, query string) is kept for this site.
# NOTE(review): this also means there is no request trail to consult when investigating
# abuse or tuning the IP block lists further down.
log {
output discard
}
# Named matchers used by the header directives below.
# @api: the read-only status/configuration endpoints; several `path` lines inside one matcher
# are alternatives, so any of the four paths matches.
@api {
path /config
path /healthz
path /stats/errors
path /stats/checker
}
# @static / @notstatic: split requests into static assets and everything else (cache policy).
@static {
path /static/*
}
@notstatic {
not path /static/*
}
# @imageproxy / @notimageproxy: split requests so the image proxy gets its own, tighter CSP.
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
# Response headers sent on every request to this site (no matcher).
header {
# HSTS for one year, covering subdomains and opted in to browser preload lists.
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# NOTE(review): legacy header. Current browsers no longer implement the XSS auditor and
# OWASP guidance is to send "0" or omit it; the Content-Security-Policy set further down
# in this site is the control that actually applies.
X-XSS-Protection "1; mode=block"
# Stop browsers from MIME-sniffing a response into a different content type.
X-Content-Type-Options "nosniff"
# Deny the listed browser features to this origin and to anything it embeds.
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
# Feature-Policy is the older name of Permissions-Policy; it repeats the same denials.
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
# Never send a Referer header when a user follows a result link.
Referrer-Policy "no-referrer"
# Ask crawlers not to index, archive or follow links on this site.
X-Robots-Tag "noindex, noarchive, nofollow"
# The leading "-" deletes the Server response header.
-Server
}
# CORS for the @api endpoints only: any origin may read them, limited to GET and OPTIONS.
# NOTE(review): a wildcard origin is acceptable only while these endpoints stay
# unauthenticated and expose nothing per-user; confirm that holds for this deployment.
header @api {
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
}
# Cache
# Static assets may be cached by anyone for a year.
header @static {
# Cache
Cache-Control "public, max-age=31536000"
# `defer` applies this header when the response is written out rather than up front.
defer
}
# Everything else (search pages, preferences) must not be stored by browsers or shared caches,
# which keeps queries out of on-disk caches.
header @notstatic {
# No Cache
Cache-Control "no-cache, no-store"
Pragma "no-cache"
}
# CSP (see http://content-security-policy.com/ )
# Image proxy responses: nothing may load except images from this origin or data: URIs.
header @imageproxy {
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}
# All other responses: deny by default, then allow same-origin scripts, styles and fonts plus
# the specific third parties listed (map tiles, Overpass API, media embed frames).
# NOTE(review): style-src keeps 'unsafe-inline', so injected inline styles are not blocked;
# script-src has no such exception.
header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
# Catch-all route for this site: compress and proxy to the SearXNG backends.
# NOTE(review): with Caddy's default directive order `handle` is evaluated before `respond`,
# and reverse_proxy ends the request, so bare `respond` lines later in this site are not reached.
handle {
encode zstd gzip
reverse_proxy {
# Four upstreams with no scheme given, i.e. plain HTTP to port 8080.
# NOTE(review): presumably a private network; traffic on this hop is not encrypted.
to 10.0.0.167:8080
to 10.0.0.214:8080
to 10.0.0.58:8080
to localhost:8080
# Pick the upstream by hashing the client address, so one client keeps hitting one backend.
lb_policy ip_hash
# Retry another upstream for up to 5s, waiting 1s between attempts.
lb_try_duration 5s
lb_try_interval 1s
# Passive health checking: 3 failures within 30s mark an upstream as down.
fail_duration 30s
max_fails 3
# X-Real-IP is set from the connection's peer address, replacing any value the client sent.
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
}
}
# IP block range by ProjectSegfault
@spam client_ip 2400:b200:4100::/48 2400:b200:4101::/48 2400:b200:4102::/48 2400:b200:4103::/48 2401:b180:4100::/48 2404:2280:1000::/36 2404:2280:1000::/37 2404:2280:1800::/37 2404:2280:2000::/36 2404:2280:2000::/37 2404:2280:2800::/37 2404:2280:4ffe::/48 2404:2280:4fff::/48 2408:4000:1000::/48 2408:4000:1001::/48 2408:4009:500::/48 240b:4000::/32 240b:4000::/33 240b:4000:8000::/33 240b:4001::/32 240b:4001::/33 240b:4001:8000::/33 240b:4002::/32 240b:4002::/33 240b:4002:8000::/33 240b:4003:e::/48 240b:4004::/32 240b:4004::/33 240b:4004:8000::/33 240b:4005::/32 240b:4005::/33 240b:4005:8000::/33 240b:4007::/32 240b:4007::/33 240b:4007:8000::/33 240b:4007:fffd::/48 240b:4009::/32 240b:4009::/33 240b:4009:8000::/33 240b:400b::/32 240b:400b::/33 240b:400b:8000::/33 240b:400c::/32 240b:400c::/33 240b:400c::/40 240b:400c::/41 240b:400c:80::/41 240b:400c:100::/40 240b:400c:100::/41 240b:400c:180::/41 240b:400c:f00::/48 240b:400c:f01::/48 240b:400c:8000::/33 240b:400d::/32 240b:400d::/33 240b:400d:8000::/33 240b:400e::/32 240b:400e::/33 240b:400e:8000::/33 240b:400f::/32 240b:400f::/33 240b:400f:8000::/33 240b:4011::/32 240b:4011::/33 240b:4011:8000::/33 240b:4011:fffc::/48 240b:4012::/48 5.181.224.0/23 8.208.0.0/16 8.208.0.0/17 8.208.0.0/18 8.208.0.0/19 8.208.32.0/19 8.208.128.0/17 8.209.0.0/19 8.209.0.0/20 8.209.16.0/20 8.209.36.0/23 8.209.36.0/24 8.209.37.0/24 8.209.38.0/23 8.209.38.0/24 8.209.39.0/24 8.209.40.0/22 8.209.40.0/23 8.209.42.0/23 8.209.44.0/22 8.209.44.0/23 8.209.46.0/23 8.209.48.0/20 8.209.48.0/21 8.209.56.0/21 8.209.64.0/18 8.209.64.0/19 8.209.96.0/19 8.209.128.0/18 8.209.128.0/19 8.209.160.0/19 8.209.192.0/18 8.209.192.0/19 8.209.224.0/19 8.210.0.0/16 8.210.0.0/17 8.210.128.0/17 8.210.240.0/24 8.211.0.0/17 8.211.0.0/18 8.211.64.0/18 8.211.128.0/18 8.211.128.0/19 8.211.160.0/19 8.211.192.0/18 8.211.192.0/19 8.211.224.0/19 8.211.226.0/24 8.212.0.0/17 8.212.0.0/18 8.212.64.0/18 8.212.128.0/18 8.212.128.0/19 8.212.160.0/19 8.212.192.0/18 8.212.192.0/19 
8.212.224.0/19 8.213.0.0/17 8.213.0.0/18 8.213.64.0/18 8.213.128.0/19 8.213.128.0/20 8.213.144.0/20 8.213.160.0/21 8.213.160.0/22 8.213.164.0/22 8.213.176.0/20 8.213.176.0/21 8.213.184.0/21 8.213.192.0/18 8.213.192.0/19 8.213.224.0/19 8.213.251.0/24 8.213.252.0/24 8.214.0.0/16 8.214.0.0/17 8.214.128.0/17 8.215.0.0/16 8.215.0.0/17 8.215.128.0/17 8.215.160.0/24 8.216.0.0/17 8.216.0.0/18 8.216.64.0/18 8.216.69.0/24 8.216.128.0/17 8.216.128.0/18 8.216.148.0/24 8.216.192.0/18 8.217.0.0/16 8.217.0.0/17 8.217.128.0/17 8.218.0.0/16 8.218.0.0/17 8.218.128.0/17 8.219.0.0/16 8.219.0.0/17 8.219.128.0/17 8.220.0.0/18 8.220.0.0/19 8.220.32.0/19 8.220.64.0/18 8.220.64.0/19 8.220.96.0/19 8.220.116.0/23 8.220.116.0/24 8.220.128.0/18 8.220.128.0/19 8.220.147.0/24 8.220.160.0/19 8.220.192.0/18 8.220.192.0/19 8.220.224.0/19 8.220.229.0/24 8.221.0.0/17 8.221.0.0/18 8.221.64.0/18 8.221.128.0/17 8.221.128.0/18 8.221.192.0/18 8.222.0.0/20 8.222.0.0/21 8.222.8.0/21 8.222.16.0/20 8.222.16.0/21 8.222.24.0/21 8.222.32.0/20 8.222.32.0/21 8.222.40.0/21 8.222.48.0/20 8.222.48.0/21 8.222.56.0/21 8.222.64.0/20 8.222.64.0/21 8.222.72.0/21 8.222.80.0/20 8.222.80.0/21 8.222.88.0/21 8.222.128.0/17 8.222.128.0/18 8.222.192.0/18 8.223.0.0/17 8.223.0.0/18 8.223.64.0/18 43.91.0.0/16 43.91.0.0/17 43.91.128.0/17 43.96.0.0/24 43.96.1.0/24 43.96.2.0/24 43.96.3.0/24 43.96.4.0/24 43.96.5.0/24 43.96.7.0/24 43.96.8.0/24 43.96.9.0/24 43.96.10.0/24 43.96.11.0/24 43.96.12.0/24 43.96.13.0/24 43.96.16.0/24 43.96.17.0/24 43.96.18.0/24 43.96.19.0/24 43.96.20.0/24 43.96.21.0/24 43.96.23.0/24 43.96.24.0/24 43.96.25.0/24 43.96.26.0/24 43.96.27.0/24 43.96.28.0/24 43.96.29.0/24 43.96.32.0/24 43.96.33.0/24 43.96.34.0/24 43.96.35.0/24 43.96.36.0/24 43.96.66.0/24 43.96.67.0/24 43.96.68.0/24 43.96.69.0/24 43.96.70.0/24 43.96.71.0/24 43.96.72.0/24 43.96.73.0/24 43.96.74.0/24 43.96.75.0/24 43.96.77.0/24 43.96.80.0/24 45.196.28.0/24 45.199.179.0/24 47.52.0.0/16 47.52.0.0/17 47.52.128.0/17 47.56.0.0/15 47.56.0.0/16 47.57.0.0/16 
47.74.0.0/18 47.74.0.0/19 47.74.0.0/21 47.74.32.0/19 47.74.64.0/18 47.74.64.0/19 47.74.96.0/19 47.74.128.
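# Reject clients matched by @spam with a 403.
# In Caddy's default directive order `handle` runs before `respond`, and the catch-all
# `handle` of this site ends in reverse_proxy, so a bare `respond @spam` is never evaluated
# and the block list has no effect. Wrapping it in `handle @spam` makes it one of the mutually
# exclusive handle blocks, where a block with a matcher is tried before the matcher-less one.
handle @spam {
	respond "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
}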
# IP block range by return42
@botnet client_ip 1.1.189.58/32,1.2.199.154/32,1.4.159.152/32,1.4.195.114/32,1.9.27.218/32,1.9.167.35/32,1.9.213.114/32,1.10.233.136/32,1.12.43.111/32,1.12.251.57/32,1.13.180.56/32,1.15.47.213/32,1.15.62.12/32,1.20.91.246/32,1.20.93.219/32,1.20.169.84/32,1.20.169.193/32,1.20.227.66/32,1.23.121.124/32,1.23.121.183/32,1.23.122.247/32,1.23.136.18/32,1.23.136.126/32,1.23.192.47/32,1.23.246.68/32,1.32.59.217/32,1.34.17.51/32,1.34.42.150/32,1.34.66.135/32,1.34.92.85/32,1.34.253.81/32,1.36.190.13/32,1.36.210.127/32,1.38.167.117/32,1.40.59.151/32,1.40.118.96/32,1.41.180.181/32,1.46.144.191/32,1.46.159.90/32,1.47.147.31/32,1.52.41.224/32,1.52.61.208/32,1.52.61.241/32,1.52.65.159/32,1.52.96.131/32,1.52.114.220/32,1.52.122.26/32,1.52.124.67/32,1.52.125.31/32,1.52.193.254/32,1.52.194.33/32,1.52.194.60/32,1.52.195.70/32,1.52.196.88/32,1.52.197.137/32,1.52.197.209/32,1.52.199.43/32,1.52.206.253/32,1.52.248.134/32,1.53.4.48/32,1.53.4.202/32,1.53.6.154/32,1.53.7.33/32,1.53.15.3/32,1.53.80.108/32,1.53.81.166/32,1.53.205.18/32,1.53.205.70/32,1.53.207.100/32,1.53.211.117/32,1.53.216.75/32,1.53.217.4/32,1.53.217.42/32,1.53.217.96/32,1.53.217.164/32,1.53.217.224/32,1.53.235.165/32,1.54.196.45/32,1.54.197.50/32,1.54.208.98/32,1.54.209.8/32,1.54.250.26/32,1.55.6.18/32,1.55.100.82/32,1.55.176.200/32,1.55.178.12/32,1.55.179.40/32,1.55.180.226/32,1.55.181.144/32,1.55.191.16/32,1.55.192.188/32,1.55.193.57/32,1.55.196.147/32,1.55.196.254/32,1.55.197.106/32,1.55.198.4/32,1.55.206.68/32,1.55.206.220/32,1.55.206.233/32,1.55.207.90/32,1.64.66.62/32,1.64.70.210/32,1.64.151.16/32,1.80.138.12/32,1.80.246.171/32,1.85.33.94/32,1.94.13.82/32,1.117.80.180/32,1.120.176.171/32,1.126.107.111/32,1.127.105.134/32,1.129.106.175/32,1.145.69.248/32,1.145.108.150/32,1.159.201.19/32,1.160.1.178/32,1.160.6.135/32,1.160.7.157/32,1.160.8.83/32,1.160.9.138/32,1.160.11.106/32,1.160.12.240/32,1.160.20.150/32,1.160.25.141/32,1.160.26.187/32,1.160.28.91/32,1.160.29.136/32,1.160.34.134/32,1.160.34.193/32,1.160.35.58/32,1.1
60.39.89/32,1.160.42.94/32,1.160.48.109/32,1.160.90.137/32,1.160.227.74/32,1.161.4.57/32,1.161.90.96/32,1.161.130.41/32,1.161.166.34/32,1.161.215.13/32,1.162.12.220/32,1.162.89.233/32,1.162.159.157/32,1.162.162.18/32,1.163.35.92/32,1.163.149.105/32,1.163.228.12/32,1.164.20.243/32,1.164.55.117/32,1.165.76.168/32,1.165.79.21/32,1.165.147.196/32,1.165.181.22/32,1.165.223.196/32,1.165.249.155/32,1.168.69.61/32,1.168.96.102/32,1.168.116.16/32,1.168.130.238/32,1.168.132.20/32,1.168.221.5/32,1.169.85.114/32,1.169.97.136/32,1.169.115.208/32,1.169.121.206/32,1.169.186.124/32,1.170.23.62/32,1.170.34.223/32,1.170.38.229/32,1.170.73.39/32,1.170.78.67/32,1.170.96.234/32,1.170.126.206/32,1.170.181.51/32,1.171.37.96/32,1.171.133.136/32,1.171.185.107/32,1.171.228.227/32,1.172.74.79/32,1.172.131.168/32,1.172.179.179/32,1.172.225.204/32,1.172.235.46/32,1.173.27.88/32,1.173.57.169/32,1.173.158.186/32,1.173.185.207/32,1.173.187.244/32,1.173.211.61/32,1.174.0.20/32,1.174.100.23/32,1.174.119.141/32,1.174.129.216/32,1.174.166.5/32,1.174.167.125/32,1.174.195.209/32,1.174.199.46/32,1.174.199.162/32,1.174.223.114/32,1.174.228.4/32,1.175.96.251/32,1.175.105.94/32,1.175.115.19/32,1.175.183.252/32,1.175.236.224/32,1.175.241.178/32,1.179.147.5/32,1.179.148.9/32,1.179.172.45/32,1.180.49.222/32,1.187.213.80/32,1.187.214.78/32,1.194.20.104/32,1.194.21.15/32,1.194.22.6/32,1.194.23.73/32,1.194.225.18/32,1.200.25.65/32,1.200.75.24/32,1.200.114.132/32,1.202.21.228/32,1.202.197.58/32,1.224.3.122/32,1.232.179.209/32,1.234.23.159/32,1.234.63.161/32,1.254.205.56/32,2.12.248.161/32,2.30.101.121/32,2.39.54.50/32,2.45.11.71/32,2.48.201.66/32,2.49.14.168/32,2.49.74.198/32,2.49.106.199/32,2.56.24.152/32,2.56.45.37/32,2.56.45.41/32,2.56.45.52/32,2.56.45.72/32,2.56.45.88/32,2.56.45.113/32,2.56.45.146/32,2.56.45.165/32,2.56.45.166/32,2.56.45.206/31,2.56.45.217/32,2.56.91.135/32,2.56.152.15/32,2.56.164.52/32,2.56.189.73/32,2.56.189.83/32,2.56.189.91/32,2.56.189.99/32,2.56.189.105/32,2.56.189.115/32,2.56.189.121/32,
2.56.189.177/32,2.56.189.185/32,2.56.190.58/32,2.56.248.1/32,2.56.248.103/32,2.57.70.134/32,2.
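# Reject clients matched by @botnet with a 403.
# A bare `respond @botnet` is ordered after the catch-all `handle` of this site (default
# directive order), whose reverse_proxy ends the request first, so it never runs. As a
# `handle @botnet` block it is tried before the matcher-less handle.
# NOTE(review): the @botnet ranges are written as one comma-separated token, unlike the
# space-separated @spam list; confirm with `caddy validate` that they load as separate ranges.
handle @botnet {
	respond "Unfortunately, your IP is part of a range that has been involved in a botnet to our servers. If you think our action was a mistake, please email us." 403
}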
}
# ----------------------------------------------------------------------------------------------------
# Other subdomains
*.{$HOSTNAME} {
log {
output discard
}
# Fallback for any subdomain that no `handle @host` block in this site claims: drop the
# connection without sending a response. Handle blocks are mutually exclusive and the one
# without a matcher is tried last, so this fails closed for unknown hostnames.
handle {
abort
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),usb=(),vr=()"
#sync-xhr=(),
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';usb 'none';vr 'none'"
#sync-xhr 'none';
Referrer-Policy "no-referrer"
X-Frame-Options SAMEORIGIN
-Server
}
# IP block range by ProjectSegfault
@denied client_ip 2400:b200:4100::/48 2400:b200:4101::/48 2400:b200:4102::/48 2400:b200:4103::/48 2401:b180:4100::/48 2404:2280:1000::/36 2404:2280:1000::/37 2404:2280:1800::/37 2404:2280:2000::/36 2404:2280:2000::/37 2404:2280:2800::/37 2404:2280:4ffe::/48 2404:2280:4fff::/48 2408:4000:1000::/48 2408:4000:1001::/48 2408:4009:500::/48 240b:4000::/32 240b:4000::/33 240b:4000:8000::/33 240b:4001::/32 240b:4001::/33 240b:4001:8000::/33 240b:4002::/32 240b:4002::/33 240b:4002:8000::/33 240b:4003:e::/48 240b:4004::/32 240b:4004::/33 240b:4004:8000::/33 240b:4005::/32 240b:4005::/33 240b:4005:8000::/33 240b:4007::/32 240b:4007::/33 240b:4007:8000::/33 240b:4007:fffd::/48 240b:4009::/32 240b:4009::/33 240b:4009:8000::/33 240b:400b::/32 240b:400b::/33 240b:400b:8000::/33 240b:400c::/32 240b:400c::/33 240b:400c::/40 240b:400c::/41 240b:400c:80::/41 240b:400c:100::/40 240b:400c:100::/41 240b:400c:180::/41 240b:400c:f00::/48 240b:400c:f01::/48 240b:400c:8000::/33 240b:400d::/32 240b:400d::/33 240b:400d:8000::/33 240b:400e::/32 240b:400e::/33 240b:400e:8000::/33 240b:400f::/32 240b:400f::/33 240b:400f:8000::/33 240b:4011::/32 240b:4011::/33 240b:4011:8000::/33 240b:4011:fffc::/48 240b:4012::/48 5.181.224.0/23 8.208.0.0/16 8.208.0.0/17 8.208.0.0/18 8.208.0.0/19 8.208.32.0/19 8.208.128.0/17 8.209.0.0/19 8.209.0.0/20 8.209.16.0/20 8.209.36.0/23 8.209.36.0/24 8.209.37.0/24 8.209.38.0/23 8.209.38.0/24 8.209.39.0/24 8.209.40.0/22 8.209.40.0/23 8.209.42.0/23 8.209.44.0/22 8.209.44.0/23 8.209.46.0/23 8.209.48.0/20 8.209.48.0/21 8.209.56.0/21 8.209.64.0/18 8.209.64.0/19 8.209.96.0/19 8.209.128.0/18 8.209.128.0/19 8.209.160.0/19 8.209.192.0/18 8.209.192.0/19 8.209.224.0/19 8.210.0.0/16 8.210.0.0/17 8.210.128.0/17 8.210.240.0/24 8.211.0.0/17 8.211.0.0/18 8.211.64.0/18 8.211.128.0/18 8.211.128.0/19 8.211.160.0/19 8.211.192.0/18 8.211.192.0/19 8.211.224.0/19 8.211.226.0/24 8.212.0.0/17 8.212.0.0/18 8.212.64.0/18 8.212.128.0/18 8.212.128.0/19 8.212.160.0/19 8.212.192.0/18 8.212.192.0/19 
8.212.224.0/19 8.213.0.0/17 8.213.0.0/18 8.213.64.0/18 8.213.128.0/19 8.213.128.0/20 8.213.144.0/20 8.213.160.0/21 8.213.160.0/22 8.213.164.0/22 8.213.176.0/20 8.213.176.0/21 8.213.184.0/21 8.213.192.0/18 8.213.192.0/19 8.213.224.0/19 8.213.251.0/24 8.213.252.0/24 8.214.0.0/16 8.214.0.0/17 8.214.128.0/17 8.215.0.0/16 8.215.0.0/17 8.215.128.0/17 8.215.160.0/24 8.216.0.0/17 8.216.0.0/18 8.216.64.0/18 8.216.69.0/24 8.216.128.0/17 8.216.128.0/18 8.216.148.0/24 8.216.192.0/18 8.217.0.0/16 8.217.0.0/17 8.217.128.0/17 8.218.0.0/16 8.218.0.0/17 8.218.128.0/17 8.219.0.0/16 8.219.0.0/17 8.219.128.0/17 8.220.0.0/18 8.220.0.0/19 8.220.32.0/19 8.220.64.0/18 8.220.64.0/19 8.220.96.0/19 8.220.116.0/23 8.220.116.0/24 8.220.128.0/18 8.220.128.0/19 8.220.147.0/24 8.220.160.0/19 8.220.192.0/18 8.220.192.0/19 8.220.224.0/19 8.220.229.0/24 8.221.0.0/17 8.221.0.0/18 8.221.64.0/18 8.221.128.0/17 8.221.128.0/18 8.221.192.0/18 8.222.0.0/20 8.222.0.0/21 8.222.8.0/21 8.222.16.0/20 8.222.16.0/21 8.222.24.0/21 8.222.32.0/20 8.222.32.0/21 8.222.40.0/21 8.222.48.0/20 8.222.48.0/21 8.222.56.0/21 8.222.64.0/20 8.222.64.0/21 8.222.72.0/21 8.222.80.0/20 8.222.80.0/21 8.222.88.0/21 8.222.128.0/17 8.222.128.0/18 8.222.192.0/18 8.223.0.0/17 8.223.0.0/18 8.223.64.0/18 43.91.0.0/16 43.91.0.0/17 43.91.128.0/17 43.96.0.0/24 43.96.1.0/24 43.96.2.0/24 43.96.3.0/24 43.96.4.0/24 43.96.5.0/24 43.96.7.0/24 43.96.8.0/24 43.96.9.0/24 43.96.10.0/24 43.96.11.0/24 43.96.12.0/24 43.96.13.0/24 43.96.16.0/24 43.96.17.0/24 43.96.18.0/24 43.96.19.0/24 43.96.20.0/24 43.96.21.0/24 43.96.23.0/24 43.96.24.0/24 43.96.25.0/24 43.96.26.0/24 43.96.27.0/24 43.96.28.0/24 43.96.29.0/24 43.96.32.0/24 43.96.33.0/24 43.96.34.0/24 43.96.35.0/24 43.96.36.0/24 43.96.66.0/24 43.96.67.0/24 43.96.68.0/24 43.96.69.0/24 43.96.70.0/24 43.96.71.0/24 43.96.72.0/24 43.96.73.0/24 43.96.74.0/24 43.96.75.0/24 43.96.77.0/24 43.96.80.0/24 45.196.28.0/24 45.199.179.0/24 47.52.0.0/16 47.52.0.0/17 47.52.128.0/17 47.56.0.0/15 47.56.0.0/16 47.57.0.0/16 
47.74.0.0/18 47.74.0.0/19 47.74.0.0/21 47.74.32.0/19 47.74.64.0/18 47.74.64.0/19 47.74.96.0/19 47.74.12
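# Reject clients matched by @denied with a 403.
# Every request to this site is claimed by a `handle` block (a per-host one, or the
# catch-all `handle { abort }`), and `handle` is ordered before `respond` by default, so a
# bare `respond @denied` is never evaluated. As a `handle @denied` block placed ahead of the
# per-host handle blocks it should be tried first for a listed address.
handle @denied {
	respond "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
}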
# about.<HOSTNAME>: static site served straight from /www on this machine.
@about host about.{$HOSTNAME}
handle @about {
root * /www
encode gzip
file_server
header {
# Same-origin by default; fonts and styles may also come from any https: source, inline
# styles are allowed, plugins (object-src) are denied, scripts must be same-origin files.
Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
}
}
# Redirect-only hostnames. The targets are fixed hosts; only the request path and query
# ({uri}) are carried over, so the destination host cannot be chosen by the client.
# NOTE(review): the targets hard-code opnxng.com while the matchers use {$HOSTNAME};
# the two only agree when HOSTNAME is opnxng.com.
@www host www.{$HOSTNAME}
handle @www {
redir https://opnxng.com{uri}
}
@x host x.{$HOSTNAME}
handle @x {
redir https://opnxng.com{uri}
}
# yt. and n. point at blog anchors instead of a service.
@yt host yt.{$HOSTNAME}
handle @yt {
redir https://about.opnxng.com/blog/#cloudtube
}
@n host n.{$HOSTNAME}
handle @n {
redir https://about.opnxng.com/blog/#nitter
}
# i. is an alias for l.
@i host i.{$HOSTNAME}
handle @i {
redir https://l.opnxng.com{uri}
}
# l.<HOSTNAME>: proxied to port 8882 on the four backends, sticky per client address.
@l host l.{$HOSTNAME}
handle @l {
encode zstd gzip
reverse_proxy {
# No scheme given, so this hop is plain HTTP.
to 10.0.0.167:8882
to 10.0.0.214:8882
to 10.0.0.58:8882
to localhost:8882
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
# 3 failures within 30s take an upstream out of rotation.
fail_duration 30s
max_fails 3
}
header {
# Set at the proxy, in addition to the site-wide headers of this site block.
Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@b host b.{$HOSTNAME}
handle @b {
reverse_proxy 10.0.0.167:8884
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@git host git.{$HOSTNAME}
handle @git {
encode zstd gzip
reverse_proxy 10.0.0.58:8885
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@s host s.{$HOSTNAME}
handle @s {
encode zstd gzip
reverse_proxy 10.0.0.167:8886
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@p host p.{$HOSTNAME}
handle @p {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8887
to 10.0.0.214:8887
to 10.0.0.58:8887
to localhost:8887
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
# auth.<HOSTNAME>: the login portal, proxied to the service on localhost:8888. The same
# address is the forward_auth target used by the f. host in this site.
# NOTE(review): unlike the other proxied hosts this block adds no X-Robots-Tag or CSP of its
# own; it relies on the site-wide header block and whatever the upstream sends.
@auth host auth.{$HOSTNAME}
handle @auth {
reverse_proxy localhost:8888
}
@t host t.{$HOSTNAME}
handle @t {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8889
to 10.0.0.214:8889
to 10.0.0.58:8889
to localhost:8889
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@m host m.{$HOSTNAME}
handle @m {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8890
to 10.0.0.214:8890
to 10.0.0.58:8890
to localhost:8890
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@e host e.{$HOSTNAME}
handle @e {
encode zstd gzip
reverse_proxy 10.0.0.58:8891
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@it host it.{$HOSTNAME}
handle @it {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8892
to 10.0.0.214:8892
to 10.0.0.58:8892
to localhost:8892
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
# f.<HOSTNAME>: matched only when BOTH conditions hold - the host is f.<HOSTNAME> and the
# GeoIP lookup places the client in HK. Any other request for this host matches no
# per-host handle and ends in the catch-all `handle { abort }` of this site.
# NOTE(review): GeoIP is a coarse filter (a VPN exit in the allowed country passes), so
# forward_auth below is the control that actually authenticates. maxmind_geolocation is a
# plugin matcher; confirm which address it geolocates if a proxy or CDN is ever put in front.
@f {
host f.{$HOSTNAME}
maxmind_geolocation {
db_path "/etc/caddy/GeoLite2-City.mmdb"
allow_countries HK
}
}
handle @f {
# Ask the auth service on localhost:8888 to approve each request before it is proxied;
# `rd` is the login page an unauthenticated user is redirected to.
forward_auth localhost:8888 {
uri /api/verify?rd=https://auth.opnxng.com/
# Identity headers from the auth response are copied onto the request sent upstream.
# NOTE(review): the backend trusts these headers, so it must be reachable only through
# this proxy; confirm the deployed Caddy version drops client-supplied copies of them.
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
#import trusted_proxy_list
}
encode zstd gzip
reverse_proxy 10.0.0.214:8893
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@nt host nt.{$HOSTNAME}
handle @nt {
encode zstd gzip
reverse_proxy 10.0.0.58:8894
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@v host v.{$HOSTNAME}
handle @v {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8895
to 10.0.0.214:8895
to 10.0.0.58:8895
to localhost:8895
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@bn host bn.{$HOSTNAME}
handle @bn {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8896
to 10.0.0.214:8896
to 10.0.0.58:8896
to localhost:8896
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
# z.<HOSTNAME>: proxied to a single backend, 10.0.0.58:8897 (plain HTTP, no failover).
@z host z.{$HOSTNAME}
handle @z {
encode zstd gzip
reverse_proxy 10.0.0.58:8897
header {
# Tell Flash/PDF clients that no cross-domain policy file grants access to this origin.
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@a host a.{$HOSTNAME}
handle @a {
encode zstd gzip
reverse_proxy 10.222.0.10:8898
header {
Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@r host r.{$HOSTNAME}
handle @r {
encode zstd gzip
reverse_proxy 10.222.0.10:8899
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@g host g.{$HOSTNAME}
handle @g {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8900
to 10.0.0.214:8900
to 10.0.0.58:8900
to localhost:8900
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@c host c.{$HOSTNAME}
handle @c {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8901
to 10.0.0.214:8901
to 10.0.0.58:8901
to localhost:8901
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@o host o.{$HOSTNAME}
handle @o {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8902
to 10.0.0.214:8902
to 10.0.0.58:8902
to localhost:8902
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@ph host ph.{$HOSTNAME}
handle @ph {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8903
to 10.0.0.214:8903
to 10.0.0.58:8903
to localhost:8903
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@q host q.{$HOSTNAME}
handle @q {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8904
to 10.0.0.214:8904
to 10.0.0.58:8904
to localhost:8904
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@d host d.{$HOSTNAME}
handle @d {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8905
to 10.0.0.214:8905
to 10.0.0.58:8905
to localhost:8905
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@wf host wf.{$HOSTNAME}
handle @wf {
encode zstd gzip
reverse_proxy 10.0.0.214:8906
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
# tb.<HOSTNAME>: proxied to port 8907 on the four backends, sticky per client address.
@tb host tb.{$HOSTNAME}
handle @tb {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8907
to 10.0.0.214:8907
to 10.0.0.58:8907
to localhost:8907
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
# Overwrite X-Real-IP with the connection's peer address so the backend does not see a
# client-supplied value. Apart from the SearXNG site, this is the only proxy block in
# the file that sets it.
header_up X-Real-IP {remote_host}
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@ig host ig.{$HOSTNAME}
handle @ig {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8908
to 10.0.0.214:8908
to 10.0.0.58:8908
to localhost:8908
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@tt host tt.{$HOSTNAME}
handle @tt {
encode zstd gzip
reverse_proxy {
to 10.0.0.167:8909
to 10.0.0.214:8909
to 10.0.0.58:8909
to localhost:8909
lb_policy ip_hash
lb_try_duration 5s
lb_try_interval 1s
fail_duration 30s
max_fails 3
}
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
@ti host ti.{$HOSTNAME}
handle @ti {
encode zstd gzip
reverse_proxy 10.222.0.10:8910
header {
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
}
}
}
# ----------------------------------------------------------------------------------------------------
# Breezewiki redirect to handle subdomain.fandom.com
# Site for one extra label under z.<HOSTNAME> (wiki.z.<HOSTNAME>): redirect to
# z.opnxng.com/<wiki>/<original path>.
*.z.{$HOSTNAME} {
# NOTE(review): @fandom is defined but no directive in this site refers to it.
@fandom host *.z.{$HOSTNAME}
# {labels.3} is the fourth host label counted from the right, which is the wildcard label
# only when HOSTNAME has two labels (as opnxng.com does). The target host is fixed; the
# client controls just that label and the path. This redir has no matcher and `redir` is
# ordered before `handle`, so every request to this site is answered here.
redir https://z.opnxng.com/{labels.3}{uri}
header {
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# NOTE(review): legacy header; current browsers ignore it.
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
Referrer-Policy "no-referrer"
X-Frame-Options SAMEORIGIN
-Server
}
# Access log entries are discarded.
log {
output discard
}
# NOTE(review): not reached, because the matcher-less redir above answers first.
handle {
abort
}
}
# ----------------------------------------------------------------------------------------------------
# Imgin redirect to handle i.imgur.com
# Site for i.r.<HOSTNAME>: redirect to r.opnxng.com, keeping the request path and query.
# NOTE(review): this site has no `header` block, so the redirect is sent without the HSTS and
# related headers that the other sites in this file set.
i.r.{$HOSTNAME} {
# First matcher-less handle: it claims every request and redirects to the fixed host.
handle {
redir https://r.opnxng.com{uri}
}
# Access log entries are discarded.
log {
output discard
}
# NOTE(review): a second matcher-less handle; handle blocks are mutually exclusive and the
# first one above already matches everything, so this abort is not reached.
handle {
abort
}
}