<feed xmlns='http://www.w3.org/2005/Atom'>
<title>hetzner-infra/caddy/Caddyfile, branch master</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.
</subtitle>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/'/>
<entry>
<title>Dedupe Caddyfile with snippets, sync docs with reality, add tests/check.sh</title>
<updated>2026-07-11T11:35:09+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-11T11:35:09+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=5b4aee69b4c6bf295bc44aad6171e17a0d80e63c'/>
<id>5b4aee69b4c6bf295bc44aad6171e17a0d80e63c</id>
<content type='text'>
- Caddyfile: extract repeated header blocks into (noindex)/(crawler_bypass)
  snippets (adapted JSON verified byte-identical to previous config)
- CLAUDE.md: add mosquitone-admin/microblog to repos table; document that
  proxy auth is disabled (PROXY_NO_AUTH=1) with JP-only IP filter instead
- Deploy.md/caddy/README.md: reflect all-service deploy and forward proxy
- tests/check.sh: shell/python syntax, repos.txt&lt;-&gt;hooks&lt;-&gt;sessions.txt
  consistency, app.py COMMANDS vs run-command.sh whitelist, secrets check

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Caddyfile: extract repeated header blocks into (noindex)/(crawler_bypass)
  snippets (adapted JSON verified byte-identical to previous config)
- CLAUDE.md: add mosquitone-admin/microblog to repos table; document that
  proxy auth is disabled (PROXY_NO_AUTH=1) with JP-only IP filter instead
- Deploy.md/caddy/README.md: reflect all-service deploy and forward proxy
- tests/check.sh: shell/python syntax, repos.txt&lt;-&gt;hooks&lt;-&gt;sessions.txt
  consistency, app.py COMMANDS vs run-command.sh whitelist, secrets check

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Restrict proxy to Japan IPs using ipdeny.com CIDR list</title>
<updated>2026-07-02T15:45:51+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:45:51+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=e14f9edcb95875e2519461690915ab3e25740e96'/>
<id>e14f9edcb95875e2519461690915ab3e25740e96</id>
<content type='text'>
Downloads jp-aggregated.zone from ipdeny.com at container startup (no
account required). Falls back to open access if download fails.
Removed caddy-maxmind-geoip module (no longer needed).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Downloads jp-aggregated.zone from ipdeny.com at container startup (no
account required). Falls back to open access if download fails.
Removed caddy-maxmind-geoip module (no longer needed).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add GeoIP Japan-only filter to forward proxy</title>
<updated>2026-07-02T15:40:17+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:40:17+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=c39ec05968656aaa893ed7e4b20b7d5f5ccbe5b5'/>
<id>c39ec05968656aaa893ed7e4b20b7d5f5ccbe5b5</id>
<content type='text'>
Uses caddy-maxmind-geoip module to restrict proxy access to JP IPs.
DB file (GeoLite2-Country.mmdb) must be placed manually on the server.
Filter is inactive when DB file is absent, allowing safe rollout.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Uses caddy-maxmind-geoip module to restrict proxy access to JP IPs.
DB file (GeoLite2-Country.mmdb) must be placed manually on the server.
Filter is inactive when DB file is absent, allowing safe rollout.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix HTTP proxy directive order: forward_proxy must run before redir</title>
<updated>2026-07-02T15:32:18+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:32:18+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=39d30042f0c9925ad3ba446311128c7e530680ce'/>
<id>39d30042f0c9925ad3ba446311128c7e530680ce</id>
<content type='text'>
Caddy's default directive ordering places redir before forward_proxy,
causing HTTP proxy requests to be redirected to HTTPS instead of being
forwarded. Changing order to forward_proxy before redir fixes this.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Caddy's default directive ordering places redir before forward_proxy,
causing HTTP proxy requests to be redirected to HTTPS instead of being
forwarded. Changing order to forward_proxy before redir fixes this.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add global order option for forward_proxy directive</title>
<updated>2026-07-02T14:28:40+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T14:28:40+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=51cba70910a79e5a6c53776443054974a6343f9c'/>
<id>51cba70910a79e5a6c53776443054974a6343f9c</id>
<content type='text'>
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Move forward proxy from Squid to Caddy (port 80/443)</title>
<updated>2026-07-02T14:08:58+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T14:08:58+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=1a7b5adf8484ec0f2b6feb350b578142e186ab26'/>
<id>1a7b5adf8484ec0f2b6feb350b578142e186ab26</id>
<content type='text'>
Replace standalone Squid container with caddy-forwardproxy plugin so the
proxy shares Caddy's existing ports and TLS. HTTP on :80 and HTTPS on :443.
Auth is read from the same vpn/users.conf at Caddy startup via entrypoint.sh.
DNS: add proxy to setup-route53.py WEB_SUBDOMAINS.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace standalone Squid container with caddy-forwardproxy plugin so the
proxy shares Caddy's existing ports and TLS. HTTP on :80 and HTTPS on :443.
Auth is read from the same vpn/users.conf at Caddy startup via entrypoint.sh.
DNS: add proxy to setup-route53.py WEB_SUBDOMAINS.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add HTTPS forward proxy service (Squid on port 8443)</title>
<updated>2026-07-02T13:58:56+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T13:58:56+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=88be3b3f503d4674d764a7265edb2d4e380ae738'/>
<id>88be3b3f503d4674d764a7265edb2d4e380ae738</id>
<content type='text'>
- proxy/: Squid container with HTTPS port, Basic auth from vpn/users.conf
- caddy/Caddyfile: add proxy.yyamashita.com block (RSA cert for compat)
- git/hooks: add proxy/deploy.sh to post-receive hook
- CLAUDE.md: document proxy setup and client config

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- proxy/: Squid container with HTTPS port, Basic auth from vpn/users.conf
- caddy/Caddyfile: add proxy.yyamashita.com block (RSA cert for compat)
- git/hooks: add proxy/deploy.sh to post-receive hook
- CLAUDE.md: document proxy setup and client config

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Force RSA4096 cert for VPN domain to fix iOS IKEv2</title>
<updated>2026-07-02T01:23:08+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T01:23:08+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=73da9a6f0afe31bb1c45a339cb1afa8dc2731b28'/>
<id>73da9a6f0afe31bb1c45a339cb1afa8dc2731b28</id>
<content type='text'>
ECDSA chain (YE1→Root YE→ISRG Root X2) is not trusted by iOS IKEv2.
RSA chain (Leaf→R10→ISRG Root X1) is universally trusted.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ECDSA chain (YE1→Root YE→ISRG Root X2) is not trusted by iOS IKEv2.
RSA chain (Leaf→R10→ISRG Root X1) is universally trusted.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Serve YE1 intermediate CA cert for Android VPN trust chain</title>
<updated>2026-07-01T01:48:36+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-01T01:48:36+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=47e47957cc363511d1de5f78caff7ff77ed7d0c7'/>
<id>47e47957cc363511d1de5f78caff7ff77ed7d0c7</id>
<content type='text'>
Android (XREAL Beam Pro) can't validate the server cert because it lacks
the Let's Encrypt YE1 hierarchy in its system trust store. The fix:
- Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy
- Android VPN profile: set CA certificate to this downloaded cert
- install.sh / renew-cert.sh now extract and copy YE1 to caddy dir

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Android (XREAL Beam Pro) can't validate the server cert because it lacks
the Let's Encrypt YE1 hierarchy in its system trust store. The fix:
- Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy
- Android VPN profile: set CA certificate to this downloaded cert
- install.sh / renew-cert.sh now extract and copy YE1 to caddy dir

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add strongSwan IKEv2 VPN service</title>
<updated>2026-06-30T13:29:07+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-06-30T13:29:07+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=58f7917662ff92a3712289acccff8310c8f1baff'/>
<id>58f7917662ff92a3712289acccff8310c8f1baff</id>
<content type='text'>
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh
- install.sh: Caddy 証明書流用 + コンテナ起動
- renew-cert.sh: 証明書更新 + swanctl ホットリロード
- caddy/Caddyfile: vpn.yyamashita.com 追加（Let's Encrypt 証明書取得用）
- post-receive: vpn/deploy.sh を追加
- setup-route53.py: WEB_SUBDOMAINS に vpn を追加

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh
- install.sh: Caddy 証明書流用 + コンテナ起動
- renew-cert.sh: 証明書更新 + swanctl ホットリロード
- caddy/Caddyfile: vpn.yyamashita.com 追加（Let's Encrypt 証明書取得用）
- post-receive: vpn/deploy.sh を追加
- setup-route53.py: WEB_SUBDOMAINS に vpn を追加

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
