diff --git a/examples/config/config.yml b/examples/config/config.yml
new file mode 100644
index 00000000..637d7b6c
--- /dev/null
+++ b/examples/config/config.yml
@@ -0,0 +1,97 @@
+autocert:
+ provider: cloudflare
+ email: ${CLOUDFLARE_EMAIL}
+ domains: # this has to match whats in the match domains section
+ - ${MYWILDCARD_DOMAIN}
+ - ${MY_DOMAIN}
+ options:
+ auth_token: ${CLOUDFLARE_TOKEN}
+ resolvers:
+ - 1.1.1.1:53
+ - ${MY_INTERNAL_DNS1}
+ - ${MY_INTERNAL_DNS2}
+acl:
+ default: deny # by default no one is allowed in except fo the allow list
+ allow_local: true
+ log:
+ stdout: true
+ log_allowed: true
+ keep: 7 days
+ retention: 7 days
+ allow:
+ - cidr:192.168.0.0/16
+ - ip:YOUREXTERNALIP
+ - ip:127.0.0.1
+ - cidr:172.16.0.0/12
+entrypoint:
+ support_proxy_protocol: false # this should be false
+ middlewares:
+ - use: real_ip # use the real ip of the origin
+ header: X-Real-IP
+ from:
+ - 127.0.0.1
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - ${MY_EXTERNAL_CIDR}
+ recursive: true
+ - use: cidr_whitelist
+ allow:
+ - 127.0.0.1/8
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - ${MY_EXTERNAL_CIDR}
+ status: 403
+ message: "Forbidden - your IP is not allowed"
+ - use: RedirectHTTP
+ - use: ModifyResponse
+ set_headers:
+ Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
+ Access-Control-Allow-Headers: "*"
+ Access-Control-Allow-Origin: "*"
+ Access-Control-Max-Age: 180
+ Vary: "*"
+ X-XSS-Protection: 1; mode=block
+ Content-Security-Policy: object-src 'self'; frame-ancestors 'self' ${MY_WILDCARD_ADDRESS};
+ X-Content-Type-Options: nosniff
+ Permissions-Policy: vibrate=(self); geolocation=(self); midi=(self);
+ notifications=(self); push=(self); vibrate=(self); fullscreen=(self);
+ microphone=(); camera=(); magnetometer=(); gyroscope=(); speaker=();
+ X-Frame-Options: SAMEORIGIN
+ Referrer-Policy: same-origin
+ Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+ - use: rate_limit
+ average: 10
+ burst: 20
+ period: 5s
+ - use: custom_error_page
+ bypass: []
+ access_log:
+ format: combined
+ path: /app/logs/entrypoint.log
+ stdout: true
+ keep: 30 days
+providers:
+ include:
+ - hass.yml # my hass routing file for home assistant
+ docker:
+ local: ${DOCKER_HOST}
+
+ # notification providers
+ notification:
+ - name: gotify
+ provider: gotify
+ token: ${GOTIFY_TOKEN}
+ url: ${GOTIFY_URL}
+ maxmind:
+ account_id: ${GODOXY_MAXMIND_ACCOUNT_ID}
+ license_key: ${GODOXY_MAXMIND_LICENSE_KEY}
+ database: "geolite"
+ agents:
+ - ${REMOTESERVER1}
+ - ${REMOTESERVER2}
+homepage:
+ use_default_categories: true
+match_domains:
+ - ${MY_DOMAIN}
diff --git a/examples/docker-compose/adguardhome.yml b/examples/docker-compose/adguardhome.yml
new file mode 100644
index 00000000..4644b6e7
--- /dev/null
+++ b/examples/docker-compose/adguardhome.yml
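Review bot: The `real_ip` middleware's `from:` list trusts `${MY_EXTERNAL_CIDR}` as a source of `X-Real-IP`, so any client inside that range can present an arbitrary client address, and the `cidr_whitelist` listed after it in `entrypoint.middlewares` would then be evaluated against the forged value if it reads the rewritten address (the ordering suggests that is the intent). `from:` should hold only the addresses of a proxy that actually sits in front of GoDoxy, or just `- 127.0.0.1` when nothing does; `${MY_EXTERNAL_CIDR}` belongs in `cidr_whitelist.allow` alone. Two smaller points in the same hunk: `Permissions-Policy` is an accidental multi-line plain scalar that YAML folds into one value (it parses, but a `>-` block scalar makes the intent explicit) and it lists `vibrate=(self)` twice, and `127.0.0.1/8` under `cidr_whitelist.allow` has host bits set and should read `127.0.0.0/8`.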
@@ -0,0 +1,125 @@ +services: + adguard: + image: adguard/adguardhome:edge + container_name: adguard + network_mode: "host" + + cap_add: + - NET_ADMIN + privileged: true + + labels: + # ------------------------------------------------------- + # GoDoxy Reverse Proxy Configuration + # ------------------------------------------------------- + # Aliases -> URLs GoDoxy will expose for this service + # Examples: + # https://adguard.yourdomain + # https://dns.yourdomain + # https://adguardhome.yourdomain + proxy.aliases: adguard,dns,adguardhome + # ------------------------------------------------------- + # Homepage Dashboard Metadata (shown in Homepage UI) + # ------------------------------------------------------- + proxy.#*.homepage: | + name: AdGuard Home + description: DNS + DHCP Server + category: Networking + icon: "@selfhst/adguard-home.svg" + # ======================================================= + # OPTIONAL: PASSWORD-PROTECT THE ADGUARD WEB UI + # ======================================================= + # → IF YOU WANT TO LOCK THE DASHBOARD BEHIND A LOGIN + # - Replace username/password with your values + # + # Explanation: + # This adds GoDoxy’s built-in basic auth middleware. + # Anyone accessing https://adguard. will be + # given a login popup BEFORE reaching AdGuard’s UI. + # + # NOTE: This is SEPARATE from AdGuard’s internal login. + # For basic_auth conditions, the password must be bcrypt hashed. 
Generate the hash using: + # htpasswd -nbB '' your-password | cut -c 2- + # make suer to escape any $ by writing $ twice ($$) to make it a literal $ + + proxy.#*.rules: | + - name: default + do: require_basic_auth "Restricted Area" + - name: authenticated users + on: basic_auth admin1 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2" | basic_auth admin2 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2" + do: pass + + # ======================================================= + # OPTIONAL: CUSTOM MIDDLEWARES + # ======================================================= + # Middlewares allow you to: + # - rewrite URLs + # - add headers + # - restrict access by IP + # - enforce security headers + # - throttle requests + # + # Syntax: + # proxy.middleware.: "" + # + # You can apply multiple; GoDoxy chains them automatically. + # + # --------------------------- + # Example 1: IP Whitelist + # --------------------------- + # Only allow specific LAN subnets to load the UI: + # + #proxy.middleware.ipwhitelist: | + # allow: + # - 192.168.1.0/24 + # - 192.168.10.0/24 + # + # --------------------------- + # Example 2: Add Secure Headers + # --------------------------- + #proxy.*.middleware.securityheaders: | + # X-Frame-Options: DENY + # X-Content-Type-Options: nosniff + # Referrer-Policy: no-referrer + # Permissions-Policy: accelerometer=() + # + # --------------------------- + # Example 3: Rate Limiting + # --------------------------- + # Prevent brute-force attempts / UI abuse: + # + #proxy.#*.middleware.ratelimit: | + # average: 40 + # burst: 30 + # period: 1s + # + # Enable one or all depending on what you need. 
+ # ======================================================= + + # Host mode → ports are unnecessary (and ignored) + # ports: + # - 53:53/udp + # - 53:53/tcp + # - 67:67/udp + # - 68:68/tcp + # - 68:68/udp + # - 3000:3000/tcp + + volumes: + - ./workdir:/opt/adguardhome/work + - ./confdir:/opt/adguardhome/conf + - ./adguard_hostsfile.txt:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + + # Healthcheck to ensure WebUI is up before marking healthy + healthcheck: + test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:3000 || exit 1"] + interval: 10m + timeout: 5s + start_period: 60s + retries: 3 + + restart: unless-stopped + mem_limit: 2048m + cpus: "3.0" diff --git a/examples/docker-compose/wg-easy_wireguard_vpn b/examples/docker-compose/wg-easy_wireguard_vpn new file mode 100644 index 00000000..2460bb66 --- /dev/null +++ b/examples/docker-compose/wg-easy_wireguard_vpn 
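Review bot: `privileged: true` on the adguard service grants every capability and disables most of the container's isolation, which also makes the `cap_add: NET_ADMIN` line beside it redundant; as far as I know AdGuard Home's requirement for DNS/DHCP under host networking is NET_ADMIN alone, so the line should be dropped, or replaced by the specific extra capability if one is actually needed. The commented middleware examples use three different label prefixes (`proxy.middleware.ipwhitelist`, `proxy.*.middleware.securityheaders`, `proxy.#*.middleware.ratelimit`) while the active labels use `proxy.#*.`; aligning them on one form avoids a copy-paste that silently does nothing. The healthcheck probes port 3000, which I believe is the first-run setup port; a comment such as `# 3000 is the initial-setup port; adjust if the UI port changes after onboarding` would save operators a confusing unhealthy state later.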
@@ -0,0 +1,154 @@ +services: + wg-easy: + image: ghcr.io/wg-easy/wg-easy:latest + container_name: wg-easy + + # ------------------------------------------------------- + # Networking: + # - WireGuard tunnel uses UDP 51820 → EXPOSED (required) + # - Web UI is TCP 51821 but ONLY proxied through GoDoxy + # + # IMPORTANT: + # Do NOT use network_mode: host for VPNs unless needed. + # This keeps UI isolated and prevents leaking ports. + # ------------------------------------------------------- + ports: + - "51820:51820/udp" # Required for WireGuard + # WebUI NOT exposed directly — handled by GoDoxy only + # - "51821:51821/tcp" # ❌ REMOVE (GoDoxy handles proxying) + + environment: + - LANG=en + - WG_HOST=vpn.mydomain.com + - PASSWORD_HASH=${HASHED_PASS} + # Optional: + # - WG_PORT=51820 + # - PORT=51821 (UI internal port, do not expose) + # - WG_CONFIG_PORT=92820 + + - UI_TRAFFIC_STATS=true + - UI_CHART_TYPE=2 + - WG_ENABLE_ONE_TIME_LINKS=true + - UI_ENABLE_SORT_CLIENTS=true + - WG_DEFAULT_ADDRESS=192.168.33.x + - WG_DEFAULT_DNS=1.1.1.1 + + volumes: + - ./etc_wireguard:/etc/wireguard + + restart: unless-stopped + + cap_add: + - NET_ADMIN + - SYS_MODULE + + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + + mem_limit: 1024m + cpus: "2.0" + + security_opt: + - no-new-privileges:true # Hardening + + # ------------------------------------------------------- + # GoDoxy Integration + # ------------------------------------------------------- + labels: + # Enable reverse proxy for Web UI ONLY + # The aliases/domains you want to access the dashboard on + proxy.aliases: | + vpn + wireguard + wgeasy + + # Internal WebUI port + proxy.#*.port: "51821" + + # SSL termination via GoDoxy + proxy.#*.scheme: https + + # Homepage metadata + proxy.#*.homepage: | + name: WG Easy VPN + description: Fast Easy VPN Server + category: Utilities + icon: "@selfhst/wireguard.svg" + + + # ===================================================== + # OPTIONAL: CUSTOM MIDDLEWARES + 
# ===================================================== + + # --------------------------- + # 1) IP Whitelist (OPTIONAL) + # --------------------------- + # Only allow access to the UI from a specific subnet(s): + # + #proxy.#*.middleware.ipwhitelist: | + # allow: + # - 192.168.1.0/24 + # - 10.0.0.0/8 + + # --------------------------- + # 2) Security Headers (OPTIONAL HARDENING) + # --------------------------- + # Helps with Cloudflare Zero-Trust, browser hardening, etc. + # + #proxy.#*.middleware.securityheaders: | + # X-Frame-Options: DENY + # X-Content-Type-Options: nosniff + # Referrer-Policy: no-referrer + # Permissions-Policy: accelerometer=() + # CF-Access-Client-ID: ${CF_ID} + # CF-Access-Client-Secret: ${CF_SECRET} + + # --------------------------- + # 3) Rate Limiting (OPTIONAL HARDENING) + # --------------------------- + # Protects the login page against brute force attacks + # + #proxy.#*.middleware.ratelimit: | + # average: 30 + # burst: 15 + # period: 5s + + # --------------------------- + # 4) Audit Logging (OPTIONAL LOGGING) + # --------------------------- + # Every UI access logs to stdout (GoDoxy → Loki optional) + # + #proxy.#*.middleware.auditlog: | + # enabled: true + # format: "$remote_addr accessed WG-Easy UI" + + # --------------------------- + # 5) Geo/IP Restriction (OPTIONAL GEO-LOC HARDENING) + # --------------------------- + # Requires GoDoxy GeoIP plugin (if installed) + # + #proxy.#*.middleware.geoipblock: | + # allow: + # - US + # - CA + # deny: + # - CN + # - RU + # - KP + + # ===================================================== + + + # Healthcheck for UI (OPTIONAL) + healthcheck: + test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:51821 || exit 1"] + interval: 10m + timeout: 10s + start_period: 60s + +networks: + default: + external: true + name: SHARED + diff --git a/examples/route_providers/homeassistant.yml b/examples/route_providers/homeassistant.yml new file mode 100644 index 00000000..a48c5b8a 
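Review bot: The commented `securityheaders` example sets `CF-Access-Client-ID: ${CF_ID}` and `CF-Access-Client-Secret: ${CF_SECRET}` as response headers, which would hand a Cloudflare Access service-token secret to every browser that loads the UI; those are request-side credentials and do not belong in a header-adding middleware, so the two lines should be deleted (the equivalent example in adguardhome.yml has the correct shape). `proxy.#*.scheme: https` looks inconsistent with the healthcheck in the same hunk, which probes `http://127.0.0.1:51821`: if `scheme` names the upstream protocol the way `proxy.#*.port` names the upstream port, this should be `http`, and the "SSL termination via GoDoxy" comment describes the listener rather than the upstream. The file lacks the `.yml` extension (`wg-easy_wireguard_vpn`) that its sibling `adguardhome.yml` has, so editors and compose tooling will not recognise it. `SYS_MODULE` in `cap_add` is only needed to load the wireguard kernel module where it is not built in; a comment saying so would let operators drop it on modern kernels.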
--- /dev/null
+++ b/examples/route_providers/homeassistant.yml
@@ -0,0 +1,8 @@
+hass:
+ host: 192.168.1.10 # ip address of Homeassistant Server
+ port: 8123 # port
+ homepage:
+ name: hass
+ description: Home Assistant - Home Automation
+ icon: @selfhst/home-assistant.svg
+ category: Automation
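Review bot: `icon: @selfhst/home-assistant.svg` starts a plain scalar with `@`, which YAML reserves as an indicator, so most parsers reject the whole file before GoDoxy ever reads the route; the sibling examples quote the same kind of value, and this should be `icon: "@selfhst/home-assistant.svg"`. The inline `# port` comment on `port: 8123` adds nothing and can go.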