fix: fix caddy config for prometheus and loki

2026-02-14 13:16:17 +00:00 · 2025-07-10 02:21:18 -03:00
parent 7cd8095663
commit 379bdefea7
4 changed files with 63 additions and 40 deletions
--- a/templates/caddy/full/caddy/Caddyfile
+++ b/templates/caddy/full/caddy/Caddyfile
@@ -5,16 +5,13 @@
  # Enable metrics for Prometheus
  metrics

-  # Console logging for Docker logs
+  # Logging - console for Docker logs and file for CrowdSec/Promtail
  log {
    level INFO
    format console
-  }
-
-  # Access logs for CrowdSec and Promtail
-  log {
-    output file /var/log/caddy/access.log
-    format json
+    output file /var/log/caddy/access.log {
+      format json
+    }
  }

  # Allow CrowdSec globally
--- a/templates/caddy/full/caddy/sites-enabled/loki.Caddyfile
+++ b/templates/caddy/full/caddy/sites-enabled/loki.Caddyfile
@@ -0,0 +1,31 @@
+# Loki API endpoint for external Grafana/API access
+your_logging_domain {
+  # Basic auth for Loki path
+  basic_auth {
+    loki {$LOKI_PASSWORD}
+  }
+
+  # Only allow Loki API endpoints that Grafana needs
+  @allowed_endpoints {
+    path /api/v1/*
+    path /loki/api/v1/*
+    path /ready
+    path /metrics
+  }
+
+  # Block everything else (UI, admin endpoints, etc.)
+  handle {
+    @blocked {
+      not path /api/v1/*
+      not path /loki/api/v1/*
+      not path /ready
+      not path /metrics
+    }
+    respond @blocked "API access only" 403
+  }
+
+  # Forward only allowed endpoints (no WAF needed for API)
+  handle @allowed_endpoints {
+    reverse_proxy * http://loki:3100
+  }
+}
--- a/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile
+++ b/templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile
@@ -1,35 +1,28 @@
-# Prometheus API endpoint for external Grafana access via IP
-# Access via: https://YOUR_SERVER_IP/prometheus/
-:443 {
-  # Basic auth for Prometheus path
-  handle_path /prometheus/* {
-    basic_auth {
-      prometheus {$PROMETHEUS_PASSWORD}
-    }
-
-    # Only allow Prometheus API endpoints that Grafana needs
-    @allowed_endpoints {
-      path /api/v1/*
-      path /federate
-      path /metrics
-    }
-
-    # Block everything else (UI, admin endpoints, etc.)
-    handle {
-      @blocked {
-        not path /api/v1/*
-        not path /federate
-        not path /metrics
-      }
-      respond @blocked "API access only" 403
-    }
-
-    # Forward only allowed endpoints (no WAF needed for API)
-    handle @allowed_endpoints {
-      reverse_proxy * http://prometheus:9090
-    }
+# Prometheus API endpoint for external Grafana access
+your_monitoring_domain {
+  basic_auth {
+    prometheus {$PROMETHEUS_PASSWORD}
  }

-  # Default response for other paths
-  respond "Server monitoring" 200
-}
+  # Only allow Prometheus API endpoints that Grafana needs
+  @allowed_endpoints {
+    path /api/v1/*
+    path /federate
+    path /metrics
+  }
+
+  # Block everything else (UI, admin endpoints, etc.)
+  handle {
+    @blocked {
+      not path /api/v1/*
+      not path /federate
+      not path /metrics
+    }
+    respond @blocked "API access only" 403
+  }
+
+  # Forward only allowed endpoints (no WAF needed for API)
+  handle @allowed_endpoints {
+    reverse_proxy * prometheus:9090
+  }
+}