diff --git a/templates/caddy/full/caddy/Caddyfile b/templates/caddy/full/caddy/Caddyfile
index ca8bce6..6db38a8 100644
--- a/templates/caddy/full/caddy/Caddyfile
+++ b/templates/caddy/full/caddy/Caddyfile
@@ -5,16 +5,13 @@
 # Enable metrics for Prometheus
 metrics
- # Console logging for Docker logs
+ # Logging - console for Docker logs and file for CrowdSec/Promtail
 log {
 level INFO
 format console
- }
-
- # Access logs for CrowdSec and Promtail
- log {
- output file /var/log/caddy/access.log
- format json
+ output file /var/log/caddy/access.log {
+ format json
+ }
 }
 # Allow CrowdSec globally
diff --git a/templates/caddy/full/caddy/sites-enabled/loki.Caddyfile b/templates/caddy/full/caddy/sites-enabled/loki.Caddyfile
new file mode 100644
index 0000000..49e0970
--- /dev/null
+++ b/templates/caddy/full/caddy/sites-enabled/loki.Caddyfile
@@ -0,0 +1,31 @@
+# Loki API endpoint for external Grafana/API access
+your_logging_domain {
+ # Basic auth for Loki path
+ basic_auth {
+ loki {$LOKI_PASSWORD}
+ }
+
+ # Only allow Loki API endpoints that Grafana needs
+ @allowed_endpoints {
+ path /api/v1/*
+ path /loki/api/v1/*
+ path /ready
+ path /metrics
+ }
+
+ # Block everything else (UI, admin endpoints, etc.)
+ handle {
+ @blocked {
+ not path /api/v1/*
+ not path /loki/api/v1/*
+ not path /ready
+ not path /metrics
+ }
+ respond @blocked "API access only" 403
+ }
+
+ # Forward only allowed endpoints (no WAF needed for API)
+ handle @allowed_endpoints {
+ reverse_proxy * http://loki:3100
+ }
+}
diff --git a/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile b/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile
index 6f961e0..5e8e0e9 100644
--- a/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile
+++ b/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile 
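Review bot: The merged `log` block puts `format json` inside the `output file /var/log/caddy/access.log { ... }` sub-block, but as far as I know the file writer's block only accepts roll/mode options, so Caddy will either reject the config or ignore the nested `format json` and write console-formatted lines that the CrowdSec and Promtail parsers downstream will not understand; at the same time, switching the only logger's `output` to a file means nothing reaches stdout for `docker logs` any more. If the motivation was that two unnamed global `log` blocks collide, the usual fix is two named loggers, `log default` for console and `log access` for the JSON file with `include http.log.access`, which keeps both the operator view and the detection pipeline fed. Please run `caddy validate` on the template before merging, since this hunk changes what the access log contains rather than just how it is declared. The enclosing global options block starts and ends outside the hunk.
```caddyfile
	# Console logging for Docker logs
	log default {
		level INFO
		format console
	}

	# Access logs for CrowdSec and Promtail (JSON file)
	log access {
		level INFO
		output file /var/log/caddy/access.log
		format json
		include http.log.access
	}
	# … unchanged: Allow CrowdSec globally …
```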
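Review bot: `loki {$LOKI_PASSWORD}` inside `basic_auth` is read by Caddy as a bcrypt hash, not a plaintext password, and the comment `# Basic auth for Loki path` does not say so, which invites an operator to put the plaintext secret in the environment and get a config-load failure; I would change it to `# Basic auth for Loki; LOKI_PASSWORD must hold a bcrypt hash (caddy hash-password), never the plaintext`, and the same applies to `prometheus {$PROMETHEUS_PASSWORD}` in prometheus.Caddyfile. Separately, `@blocked` is a hand-maintained negation of `@allowed_endpoints`, and because `handle` blocks are mutually exclusive a path that is later dropped from `@allowed_endpoints` but still listed under `not path` would fall into the catch-all `handle`, fail the `@blocked` match and, as far as I can tell, get an empty 200 rather than the intended 403. Dropping `@blocked` and making the fallback simply `handle { respond "API access only" 403 }` leaves one list to maintain and relies on Caddy treating the matcher-less `handle` as the fallback, which is worth confirming against the Caddy version the template pins; the same simplification applies to prometheus.Caddyfile.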
@@ -1,35 +1,28 @@
-# Prometheus API endpoint for external Grafana access via IP
-# Access via: https://YOUR_SERVER_IP/prometheus/
-:443 {
- # Basic auth for Prometheus path
- handle_path /prometheus/* {
- basic_auth {
- prometheus {$PROMETHEUS_PASSWORD}
- }
-
- # Only allow Prometheus API endpoints that Grafana needs
- @allowed_endpoints {
- path /api/v1/*
- path /federate
- path /metrics
- }
-
- # Block everything else (UI, admin endpoints, etc.)
- handle {
- @blocked {
- not path /api/v1/*
- not path /federate
- not path /metrics
- }
- respond @blocked "API access only" 403
- }
-
- # Forward only allowed endpoints (no WAF needed for API)
- handle @allowed_endpoints {
- reverse_proxy * http://prometheus:9090
- }
+# Prometheus API endpoint for external Grafana access
+your_monitoring_domain {
+ basic_auth {
+ prometheus {$PROMETHEUS_PASSWORD}
 }
- # Default response for other paths
- respond "Server monitoring" 200
-}
\ No newline at end of file
+ # Only allow Prometheus API endpoints that Grafana needs
+ @allowed_endpoints {
+ path /api/v1/*
+ path /federate
+ path /metrics
+ }
+
+ # Block everything else (UI, admin endpoints, etc.)
+ handle {
+ @blocked {
+ not path /api/v1/*
+ not path /federate
+ not path /metrics
+ }
+ respond @blocked "API access only" 403
+ }
+
+ # Forward only allowed endpoints (no WAF needed for API)
+ handle @allowed_endpoints {
+ reverse_proxy * prometheus:9090
+ }
+}
diff --git a/templates/caddy/full/docker-compose.yml b/templates/caddy/full/docker-compose.yml
index bf287e2..160d465 100644
--- a/templates/caddy/full/docker-compose.yml
+++ b/templates/caddy/full/docker-compose.yml
@@ -22,6 +22,8 @@ services:
 - "443:443"
 environment:
 - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
+ - PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD}
+ - LOKI_PASSWORD=${LOKI_PASSWORD}
 volumes:
 - ../../deploy/static:/srv/static # Your static files location
 - ./caddy/Caddyfile:/etc/caddy/Caddyfile
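Review bot: The upstream is written as `reverse_proxy * prometheus:9090` here but as `reverse_proxy * http://loki:3100` in the sibling loki.Caddyfile added by the same commit; the two templates are otherwise line-for-line parallel, so the scheme should be spelled the same way in both, and the bare `*` matcher matches every request anyway and can be dropped, i.e. `reverse_proxy http://prometheus:9090`. The rewrite also removed the old `# Access via: ...` header without replacing it, so nothing in the file now tells the operator that `your_monitoring_domain` is a placeholder; a one-line header such as `# Replace your_monitoring_domain with the public hostname Grafana will use; TLS is issued for it automatically` would restore that.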
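Review bot: `${PROMETHEUS_PASSWORD}` and `${LOKI_PASSWORD}` expand to empty strings when the variables are missing from the environment or `.env`, and that empty value then reaches `basic_auth` in the two new site files, where Caddy will either refuse to load the config or deny every request, with the error surfacing far from its cause. Using the required-variable form, `- PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:?PROMETHEUS_PASSWORD (bcrypt hash) is required}` and `- LOKI_PASSWORD=${LOKI_PASSWORD:?LOKI_PASSWORD (bcrypt hash) is required}`, makes `docker compose up` fail immediately with a clear message instead. The same form would suit the existing `CROWDSEC_API_KEY` line, though that is outside this change.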