add tor.alogins.net to Caddy reference
275
Network.md
275
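--- a/Network.md
+++ b/Network.md
@@ -1,137 +1,138 @@
 # Network
 
 ## Netplan (bridge)
 
 Edit `/etc/netplan/50-cloud-init.yaml`:
 
 ```yaml
 network:
 bridges:
 br0:
 interfaces: [enp4s0]
 dhcp4: true
 version: 2
 ```
 
 ```bash
 sudo netplan apply
 ```
 
 > MAC address changes after bridge setup — router may assign a new IP.
 > Interface name (`enp4s0`) may differ after hardware changes — check with `ip link show`.
 
 ## Caddy (reverse proxy)
 
 [Install](https://caddyserver.com/docs/install#debian-ubuntu-raspbian) | [Docs](https://caddyserver.com/docs/getting-started)
 
 Config: `/etc/caddy/Caddyfile`
 
 ```
 {
 servers {
 protocols h1 h2
 }
 }
 
 haos.alogins.net {
 reverse_proxy http://192.168.1.141:8123 {
 header_up X-Forwarded-For {remote_host}
 header_up X-Forwarded-Proto {scheme}
 }
 }
 
 vi.alogins.net { reverse_proxy localhost:2283 }
 doc.alogins.net { reverse_proxy localhost:11001 }
 zb.alogins.net { reverse_proxy localhost:81 }
 git.alogins.net { reverse_proxy localhost:3000 }
 ai.alogins.net { reverse_proxy localhost:3125 }
 ntfy.alogins.net { reverse_proxy localhost:8840 }
 vw.alogins.net { reverse_proxy localhost:8041 }
+tor.alogins.net { reverse_proxy localhost:8085 }
 
 wiki.alogins.net {
 reverse_proxy localhost:8083 {
 header_up Host {http.request.host}
 header_up X-Forwarded-Proto {scheme}
 header_up X-Real-IP {remote_host}
 }
 }
 
 nn.alogins.net { reverse_proxy localhost:5678 }
 ds.alogins.net { reverse_proxy localhost:3974 }
 
 openpi.alogins.net {
 root * /home/alvis/tmp/files/pi05_droid
 file_server browse
 }
 
 # VPN proxy (3X-UI)
 vui3.alogins.net {
 @xhttp { path /VLSpdG9k/xht* }
 handle @xhttp {
 reverse_proxy http://localhost:8445 {
 flush_interval -1
 header_up X-Real-IP {remote_host}
 transport http {
 read_timeout 0
 write_timeout 0
 dial_timeout 10s
 }
 }
 }
 reverse_proxy /gnYCNq4EbYukS5qtOe/* localhost:58959
 respond 401
 }
 vui4.alogins.net { reverse_proxy localhost:58959 }
 
 # oO recommendation system — path-based routing on one domain
 o.alogins.net {
 handle /api/* { reverse_proxy localhost:3078 }
 handle /admin* { reverse_proxy localhost:3080 }
 handle /mlflow* { reverse_proxy localhost:5000 } # MLflow (mlops profile)
 handle /airflow* { reverse_proxy localhost:8080 } # Airflow (mlops profile)
 handle { reverse_proxy localhost:3079 }
 }
 ```
 
 ```bash
 sudo systemctl enable --now caddy
 ```
 
 **HTTP/3 disabled globally** — the top-level `protocols h1 h2` option forces HTTP/1.1 and HTTP/2 only. OnlyOffice editor assets stall over HTTP/3 on distant connections (Caddy aborts with `writing: timeout: no recent network activity`), which breaks the Seafile → OnlyOffice flow. HTTP/2 handles the same payloads without issue.
 
 ### Hairpin NAT
 
 The router does not support hairpin NAT — the server cannot reach its own public IP from within the LAN. Services that need to call back to a public domain from the host or from Docker containers must use local overrides.
 
 Add to `/etc/hosts` on the host for any domain that needs to be reached locally:
 
 ```bash
 # Loopback for self-hosted domains (hairpin NAT workaround)
 127.0.0.1 docs.alogins.net
 127.0.0.1 vw.alogins.net
 ```
 
 For Docker containers, use `extra_hosts` in the compose file — routes to the host's Caddy via the Docker bridge gateway:
 
 ```yaml
 extra_hosts:
 - "docs.alogins.net:host-gateway"
 - "office.alogins.net:host-gateway"
 ```
 
 Applied in both directions of the Seafile ⇄ OnlyOffice integration: the `seafile` container reaches `office.alogins.net` to download files after a save callback, and the `seafile-onlyoffice` container reaches `docs.alogins.net` to post callbacks. Without the extra_hosts the requests try the public IP and hang ~134s before timing out.
 
 **Port forwarding requirements:**
 - Ports **80** and **443** forwarded on the router (source and target, remote IP empty)
 - Port **10051** forwarded for Zabbix active agent connections
 
 ### TLS debugging
 
 ```bash
 curl -v http://yourdomain.net/.well-known/acme-challenge/test
 # Expect HTTP 200
 ```
 
 ## Pi-hole
 
 LAN-wide DNS ad-blocking runs on lizacer at `192.168.1.2`. The router's DNS is set to that IP so every LAN client uses Pi-hole automatically. See [[Pi-hole]] for setup details.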