diff --git a/README.md b/README.md index 3523e69..b66a57c 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ N/A If you only want to install Caddy, you don't need to set any variables. If you want to configure Caddy as a reverse proxy as well, you can provide an array of objects named `caddy_sites` with the following values: * `additional_forwarding_ports`: Allows to define a list with additional ports where Caddy should listen for this domain and forward to HTTPS. -* `allowlist`: An array if IP addresses in CIDR-notation which are allowed to access this route (Optional). All other visitors receive a 404 error. +* `allowlist`: An array if IP addresses in CIDR-notation which are allowed to access this site (Optional). All other visitors receive a 404 error. * `certificate_file`: You can set this variable if you want to provide the certificate by yourself (Optional). The certificate needs permissions `0640`, with root as Owner and Caddy as Group. * `certificate_key`: You can set this variable if you want to provide the certificate by yourself (Optional). * `domain`: The domain caddy should listen to. @@ -67,15 +67,14 @@ With reverse proxy configuration and redirects: vars: caddy_sites: - domain: example.com - tls_insecure: true routes: - path: '' reverse_proxy_destination: 192.168.50.2 - allowlist: - - 8.8.8.8/32 redirects: - source: '' target: '/' + allowlist: + - 8.8.8.8/32 additional_forwarding_ports: - '8080' - '1337' diff --git a/molecule/reverse-proxy/converge.yml b/molecule/reverse-proxy/converge.yml index 71a5fa4..30ff6a8 100644 --- a/molecule/reverse-proxy/converge.yml +++ b/molecule/reverse-proxy/converge.yml @@ -9,18 +9,17 @@ vars: caddy_sites: - domain: example.com - tls_insecure: false routes: - path: '' reverse_proxy_destination: 192.168.50.2 - allowlist: - - 8.8.8.8/32 redirects: - source: '' target: / - source: '/about-us' target: '/about' code: 401 + allowlist: + - 8.8.8.8/32 additional_forwarding_ports: - '8080' - '1337' @@ -34,10 +33,8 @@ - path: '/public/*' ignore_allowlist: true reverse_proxy_destination: 192.168.50.3 - allowlist: - - 8.8.8.8/32 - path: '/protected/*' strip_prefix: true reverse_proxy_destination: 192.168.50.4 - allowlist: - - 8.8.8.8/32 + allowlist: + - 8.8.8.8/32 diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2 index 41b2b47..c065baf 100644 --- a/templates/Caddyfile.j2 +++ b/templates/Caddyfile.j2 @@ -5,17 +5,15 @@ {% for site in caddy_sites %} {{ site.domain }} { - {% for route in site.routes %} - {%- if route.allowlist is defined%} - @allowlist{{loop.index}} { - remote_ip {% for ip in route.allowlist %} {{ ip }}{% endfor %} + {%- if site.allowlist is defined %} + @allowlist { + remote_ip {% for ip in site.allowlist %} {{ ip }}{% endfor %} } - @not_allowlist{{loop.index}} { - not remote_ip {% for ip in route.allowlist %} {{ ip }}{% endfor %} + @not_allowlist { + not remote_ip {% for ip in site.allowlist %} {{ ip }}{% endfor %} } {% endif %} - {% endfor %} {%- if site.additional_template_path is defined %} {% include site.additional_template_path %} @@ -33,19 +31,11 @@ {%- else %} handle {{ route.path }} { {%- endif %} - {%- if route.allowlist is defined and not (route.ignore_allowlist| default(false)) %} - reverse_proxy @allowlist{{loop.index}} {{ route.reverse_proxy_destination }}{%- if site.tls_insecure%} { - transport http { - tls_insecure_skip_verify - } - }{%- endif %} - respond @not_allowlist{{loop.index}} 404 + {%- if site.allowlist is defined and not (route.ignore_allowlist| default(false)) %} + reverse_proxy @allowlist {{ route.reverse_proxy_destination }} + respond @not_allowlist 404 {%- else %} - reverse_proxy {{ route.reverse_proxy_destination }}{%- if site.tls_insecure%} { - transport http { - tls_insecure_skip_verify - } - }{%- endif %} + reverse_proxy {{ route.reverse_proxy_destination }} {%- endif %} } {%- endfor %}