# Global options.
#  - order coraza_waf first: the Coraza WAF handler has no built-in place in
#    Caddy's directive order, so it is pinned ahead of every other directive
#    and inspects a request before anything else in the route runs.
#  - auto_https disable_redirects: automatic certificate management stays on
#    (used by the localhost:8443 site below), but Caddy does not open the
#    HTTP->HTTPS redirect listener, so the plain-HTTP sites keep working.
{
	order coraza_waf first
	auto_https disable_redirects
}
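# --- WAF for MinIO UI (port 8080) ---
# Plain-HTTP listener on every interface in front of the MinIO console.
# Everything except /health and genuine WebSocket handshakes goes through the
# Coraza WAF (OWASP CRS + the custom directives below) before being proxied.
:8080 {
	handle /health {
		respond "WAF-UI-OK" 200
	}

	# WebSocket handshakes bypass the WAF. The matcher requires the Upgrade
	# handshake headers in addition to the /ws/ prefix, so an ordinary HTTP
	# request whose path merely starts with /ws/ still falls through to the
	# WAF-protected route below instead of reaching MinIO uninspected.
	@websocket {
		path /ws/*
		header Connection *Upgrade*
		header Upgrade websocket
	}
	handle @websocket {
		reverse_proxy minio:9001 {
			header_up Host {http.request.host}
			# {remote_host} is the client IP alone; {remote} would forward
			# "ip:port". Setting (not appending) X-Forwarded-For also means a
			# client-supplied X-Forwarded-For is never passed on to MinIO.
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
			# Hop-by-hop upgrade headers forwarded explicitly for the handshake.
			header_up Connection {http.request.header.connection}
			header_up Upgrade {http.request.header.upgrade}
			header_up Sec-WebSocket-Key {http.request.header.sec-websocket-key}
			header_up Sec-WebSocket-Version {http.request.header.sec-websocket-version}
			transport http {
				# Long-lived WebSocket connections; match the API site below.
				read_timeout 300s
				dial_timeout 300s
			}
		}
	}

	route {
		coraza_waf {
			load_owasp_crs
			# NOTE(review): the "rate limit" below cannot trigger as written:
			# id:2 unconditionally resets tx.bucket_ops to 0 in phase 1 on every
			# request, before id:1003 increments it, so id:1004's "@gt 50" never
			# holds (the counter peaks at 1 per request). A per-client limit needs
			# a collection that persists across requests (initcol is meant for
			# those, not for TX); confirm what this Coraza build supports before
			# relying on id:1004 as a rate limit.
			directives `
				SecAction "id:1,phase:1,pass,nolog,initcol:tx=tx"
				SecAction "id:2,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
				SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:1003,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
				SecRule TX:bucket_ops "@gt 50" "id:1004,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'"
			`
		}
		reverse_proxy minio:9001 {
			header_up Host {http.request.host}
			# Client IP only (see the WebSocket handler above for the rationale).
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
			header_up Connection {http.request.header.connection}
			header_up Upgrade {http.request.header.upgrade}
			header_up Sec-WebSocket-Key {http.request.header.sec-websocket-key}
			header_up Sec-WebSocket-Version {http.request.header.sec-websocket-version}
			transport http {
				read_timeout 300s
				dial_timeout 300s
			}
		}
	}

	log {
		output stdout
		format json
		level INFO
	}
}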
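# --- Keycloak Proxy HTTP (port 8082) ---
# Plain-HTTP listener on every interface that forwards to Keycloak with the
# Host/X-Forwarded-* headers pinned to the externally visible localhost:8082
# origin. This site does not go through the Coraza WAF (no coraza_waf here).
:8082 {
	reverse_proxy keycloak:8083 {
		header_up Host localhost:8082
		# {remote_host} is the client IP alone; {remote} would send "ip:port".
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Proto http
		header_up X-Forwarded-Host localhost:8082
		header_up X-Forwarded-Port 8082
	}
	log {
		output stdout
		format json
		level INFO
	}
}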
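# --- Keycloak Proxy HTTPS (port 8443) ---
# TLS listener for the Keycloak proxy. "tls internal" uses Caddy's own local
# CA, so clients must trust that CA (or ignore the warning) — suitable for
# local/dev use only. Forwarded headers are pinned to localhost:8443 so
# Keycloak builds correct https URLs. Not behind the Coraza WAF.
localhost:8443 {
	tls internal
	reverse_proxy keycloak:8083 {
		header_up Host localhost:8443
		# {remote_host} is the client IP alone; {remote} would send "ip:port".
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Proto https
		header_up X-Forwarded-Host localhost:8443
		header_up X-Forwarded-Port 8443
	}
	log {
		output stdout
		format json
		level INFO
	}
}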
# --- WAF for MinIO API (port 8081) ---
# Plain-HTTP listener on every interface in front of the MinIO S3 API. All
# traffic except /health passes through the Coraza WAF (OWASP CRS + the
# custom directives below) before being proxied to minio:9000.
:8081 {
	handle /health {
		respond "WAF-API-OK" 200
	}
	route {
		coraza_waf {
			load_owasp_crs
			# NOTE(review): the "rate limit" below cannot trigger as written:
			# id:11 unconditionally resets tx.bucket_ops to 0 in phase 1 on every
			# request, before id:2002 increments it, so id:2003's "@gt 50" never
			# holds (the counter peaks at 1 per request). A per-client limit needs
			# a collection that persists across requests (initcol is meant for
			# those, not for TX); confirm what this Coraza build supports before
			# relying on id:2003 as a rate limit.
			# id:2001 only logs DELETEs and names no disruptive action, so the
			# engine's default action applies to it — confirm that default is pass.
			directives `
				SecAction "id:10,phase:1,pass,nolog,initcol:tx=tx"
				SecAction "id:11,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
				SecRule REQUEST_METHOD "@streq DELETE" "id:2001,phase:1,log,msg:'DELETE operation logged'"
				SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:2002,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
				SecRule TX:bucket_ops "@gt 50" "id:2003,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'"
			`
		}
		# Upstream S3 API. Unlike the UI site, no X-Real-IP / X-Forwarded-*
		# headers are set here explicitly; MinIO sees whatever reverse_proxy
		# adds on its own — confirm that is what the MinIO side expects.
		reverse_proxy minio:9000 {
			header_up Connection {http.request.header.connection}
			header_up Upgrade {http.request.header.upgrade}
		}
	}
	log {
		output stdout
		format json
		level INFO
	}
}