fix: fix caddy config for prometheus and loki

templates/caddy/full/caddy/Caddyfile

@@ -5,16 +5,13 @@
   # Enable metrics for Prometheus
   metrics
 
-  # Console logging for Docker logs
+  # Logging - console for Docker logs and file for CrowdSec/Promtail
   log {
     level INFO
     format console
-  }
+    output file /var/log/caddy/access.log {
-
+      format json
-  # Access logs for CrowdSec and Promtail
+    }
-  log {
-    output file /var/log/caddy/access.log
-    format json
   }
 
   # Allow CrowdSec globally

templates/caddy/full/caddy/sites-enabled/loki.Caddyfile

@@ -0,0 +1,31 @@
+# Loki API endpoint for external Grafana/API access
+your_logging_domain {
+  # Basic auth for Loki path
+  basic_auth {
+    loki {$LOKI_PASSWORD}
+  }
+
+  # Only allow Loki API endpoints that Grafana needs
+  @allowed_endpoints {
+    path /api/v1/*
+    path /loki/api/v1/*
+    path /ready
+    path /metrics
+  }
+
+  # Block everything else (UI, admin endpoints, etc.)
+  handle {
+    @blocked {
+      not path /api/v1/*
+      not path /loki/api/v1/*
+      not path /ready
+      not path /metrics
+    }
+    respond @blocked "API access only" 403
+  }
+
+  # Forward only allowed endpoints (no WAF needed for API)
+  handle @allowed_endpoints {
+    reverse_proxy * http://loki:3100
+  }
+}

templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile

@@ -1,35 +1,28 @@
-# Prometheus API endpoint for external Grafana access via IP
+# Prometheus API endpoint for external Grafana access
-# Access via: https://YOUR_SERVER_IP/prometheus/
+your_monitoring_domain {
-:443 {
+  basic_auth {
-  # Basic auth for Prometheus path
+    prometheus {$PROMETHEUS_PASSWORD}
-  handle_path /prometheus/* {
-    basic_auth {
-      prometheus {$PROMETHEUS_PASSWORD}
-    }
-
-    # Only allow Prometheus API endpoints that Grafana needs
-    @allowed_endpoints {
-      path /api/v1/*
-      path /federate
-      path /metrics
-    }
-
-    # Block everything else (UI, admin endpoints, etc.)
-    handle {
-      @blocked {
-        not path /api/v1/*
-        not path /federate
-        not path /metrics
-      }
-      respond @blocked "API access only" 403
-    }
-
-    # Forward only allowed endpoints (no WAF needed for API)
-    handle @allowed_endpoints {
-      reverse_proxy * http://prometheus:9090
-    }
   }
 
-  # Default response for other paths
+  # Only allow Prometheus API endpoints that Grafana needs
-  respond "Server monitoring" 200
+  @allowed_endpoints {
+    path /api/v1/*
+    path /federate
+    path /metrics
+  }
+
+  # Block everything else (UI, admin endpoints, etc.)
+  handle {
+    @blocked {
+      not path /api/v1/*
+      not path /federate
+      not path /metrics
+    }
+    respond @blocked "API access only" 403
+  }
+
+  # Forward only allowed endpoints (no WAF needed for API)
+  handle @allowed_endpoints {
+    reverse_proxy * prometheus:9090
+  }
 }

templates/caddy/full/docker-compose.yml

@@ -22,6 +22,8 @@ services:
       - "443:443"
     environment:
       - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
+      - PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD}
+      - LOKI_PASSWORD=${LOKI_PASSWORD}
     volumes:
       - ../../deploy/static:/srv/static # Your static files location
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile