From 95f7f55ea0a31b352d2ea0f99f443b6d073ee65c Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Sat, 19 Apr 2025 17:13:28 +0000
Subject: [PATCH] Integrate anubis for gitea
---
 redxen.eu/daemons/anubis/Containerfile | 7 +++++++
 redxen.eu/daemons/anubis/botPolicy.json | 24 ++++++++++++++++++++++++
 redxen.eu/daemons/gitea/base/config.ini | 1 +
 redxen.eu/daemons/haproxy/main.cfg | 5 ++++-
 4 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 redxen.eu/daemons/anubis/Containerfile
 create mode 100644 redxen.eu/daemons/anubis/botPolicy.json
diff --git a/redxen.eu/daemons/anubis/Containerfile b/redxen.eu/daemons/anubis/Containerfile
new file mode 100644
index 0000000..8eae58f
--- /dev/null
+++ b/redxen.eu/daemons/anubis/Containerfile
@@ -0,0 +1,7 @@
+FROM ghcr.io/techarohq/anubis
+
+ENV \
+ METRICS_BIND=:9103 \
+ SERVE_ROBOTS_TXT=true
+
+ADD botPolicy.json /data/cfg/botPolicy.json
diff --git a/redxen.eu/daemons/anubis/botPolicy.json b/redxen.eu/daemons/anubis/botPolicy.json
new file mode 100644
index 0000000..e2a1244
--- /dev/null
+++ b/redxen.eu/daemons/anubis/botPolicy.json
@@ -0,0 +1,24 @@
+{
+ "bots": [
+ {
+ "name": "well-known",
+ "path_regex": "^/.well-known/.*$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "favicon",
+ "path_regex": "^/favicon.ico$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "robots-txt",
+ "path_regex": "^/robots.txt$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "generic-browser",
+ "user_agent_regex": "Mozilla",
+ "action": "CHALLENGE"
+ }
+ ]
+}
diff --git a/redxen.eu/daemons/gitea/base/config.ini b/redxen.eu/daemons/gitea/base/config.ini
index c4f0e28..efade1e 100644
--- a/redxen.eu/daemons/gitea/base/config.ini
+++ b/redxen.eu/daemons/gitea/base/config.ini
@@ -73,6 +73,7 @@ INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token
 IMPORT_LOCAL_PATHS = false
 PASSWORD_COMPLEXITY = lower,upper,digit
 PASSWORD_CHECK_PWN = true
+REVERSE_PROXY_TRUSTED_PROXIES = fd08::/48,10.30.0.0/16,fd09::/108,10.31.0.0/16
 [service]
 DISABLE_REGISTRATION = true
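Review bot: `FROM ghcr.io/techarohq/anubis` on the first added line of the Containerfile carries no tag or digest, so every rebuild pulls whatever the registry currently labels as the default tag and the proxy that now fronts Gitea can change underneath the deployment without any commit here; pin a tag and preferably a digest, `FROM ghcr.io/techarohq/anubis:<pinned-tag>@sha256:<digest>` (placeholders, to be filled from the registry). `ADD botPolicy.json /data/cfg/botPolicy.json` copies a plain local file, for which `COPY` is the conventional instruction — `ADD` also unpacks archives and fetches URLs, neither of which is wanted. A one-line comment above the `ENV` block stating whether the metrics listener on `:9103` is meant to stay cluster-internal would help, since nothing in this hunk shows how that port is exposed.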
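Review bot: The three ALLOW rules in botPolicy.json leave the dot unescaped in `^/.well-known/.*$`, `^/favicon.ico$` and `^/robots.txt$`, so each `.` matches any character and the challenge bypass is slightly wider than the rule names suggest; since ALLOW skips the challenge entirely, escape them in JSON as `"^/\\.well-known/.*$"`, `"^/favicon\\.ico$"` and `"^/robots\\.txt$"`. Only user agents containing `Mozilla` are challenged, and any other request falls through to Anubis's default action, which this file does not set, so confirm that default is the intended behaviour for non-browser clients such as git over HTTP. JSON has no comment syntax, so the rationale for the generic-browser rule belongs in the Containerfile or a README next to it.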
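Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = fd08::/48,10.30.0.0/16,fd09::/108,10.31.0.0/16` makes Gitea accept a client address from X-Real-IP / X-Forwarded-For sent by anything in four whole ranges, so if these are cluster pod and service networks rather than just the proxy hops, any workload in them can present an arbitrary client address to Gitea's access log and to anything downstream that keys on it; narrowing the list to the haproxy and anubis addresses, or at least documenting what each range is, would be worth doing. A comment on the line above, e.g. `; proxy hops only (haproxy -> anubis); X-Real-IP is overwritten at the haproxy frontend`, would record the assumption. Which proxy Gitea actually sees first is not visible in this patch, so the hop order is inferred.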
diff --git a/redxen.eu/daemons/haproxy/main.cfg b/redxen.eu/daemons/haproxy/main.cfg
index 1ba1a38..f54098b 100644
--- a/redxen.eu/daemons/haproxy/main.cfg
+++ b/redxen.eu/daemons/haproxy/main.cfg
@@ -95,6 +95,9 @@ frontend http
 # Static ACME challenge
 http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
+ # Real IP
+ http-request set-header X-REAL-IP %[src]
+
 http-response set-header X-Forwarded-Proto https
 http-response set-header X-XSS-Protection 1;\ mode=block
 http-response set-header X-Content-Type-Options nosniff
@@ -144,7 +147,7 @@ backend backend-stats
 backend backend-git
 server-template gitea 1 _http._tcp.gitea-sv.redxen.svc.cluster.local
 option httpchk GET / HTTP/1.1
- http-check send hdr Host git.redxen.eu
+ http-check send hdr Host git.redxen.eu hdr X-Real-IP "::1"
 timeout check 10s
 backend backend-btdown
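Review bot: `http-request set-header X-REAL-IP %[src]` overwrites any client-supplied X-Real-IP, which is the right choice, but the hunk leaves X-Forwarded-For untouched, so a value the client sends reaches the backends as-is; now that Gitea trusts the proxy ranges (config.ini in this patch), either set it at the same point, `http-request set-header X-Forwarded-For %[src]`, or strip it, `http-request del-header X-Forwarded-For`, unless `option forwardfor` already handles this elsewhere in main.cfg, which is outside the hunk. The rule lives in `frontend http`, so it applies to every backend rather than only the git one; a comment such as `# Real IP: overwritten here so backends (anubis, gitea) can trust it` would make that explicit. The frontend block begins before this hunk.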
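Review bot: The health check line now sends `hdr X-Real-IP "::1"` while the frontend sets `X-REAL-IP`; header names are case-insensitive so both work, but using one spelling, `X-Real-IP`, in both places makes them easier to grep and to match against what anubis and Gitea log. The check also presents itself as loopback, which the trusted-proxy setting added in config.ini will honour, and nothing in the hunk says why the header is needed at all (presumably anubis expects it on every request — confirm); a comment such as `# anubis expects X-Real-IP on every request; the check supplies a loopback one` would spare the next reader that guess. The backend-git block ends at `timeout check 10s` inside the hunk.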