<feed xmlns='http://www.w3.org/2005/Atom'>
<title>hetzner-infra/caddy/entrypoint.sh, branch master</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.
</subtitle>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/'/>
<entry>
<title>Restrict proxy to Japan IPs using ipdeny.com CIDR list</title>
<updated>2026-07-02T15:45:51+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:45:51+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=e14f9edcb95875e2519461690915ab3e25740e96'/>
<id>e14f9edcb95875e2519461690915ab3e25740e96</id>
<content type='text'>
Downloads jp-aggregated.zone from ipdeny.com at container startup (no
account required). Falls back to open access if download fails.
Removed caddy-maxmind-geoip module (no longer needed).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Downloads jp-aggregated.zone from ipdeny.com at container startup (no
account required). Falls back to open access if download fails.
Removed caddy-maxmind-geoip module (no longer needed).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add GeoIP Japan-only filter to forward proxy</title>
<updated>2026-07-02T15:40:17+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:40:17+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=c39ec05968656aaa893ed7e4b20b7d5f5ccbe5b5'/>
<id>c39ec05968656aaa893ed7e4b20b7d5f5ccbe5b5</id>
<content type='text'>
Uses caddy-maxmind-geoip module to restrict proxy access to JP IPs.
DB file (GeoLite2-Country.mmdb) must be placed manually on the server.
Filter is inactive when DB file is absent, allowing safe rollout.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Uses caddy-maxmind-geoip module to restrict proxy access to JP IPs.
DB file (GeoLite2-Country.mmdb) must be placed manually on the server.
Filter is inactive when DB file is absent, allowing safe rollout.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix HTTP proxy: use catch-all http:// block for port 80</title>
<updated>2026-07-02T15:26:47+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T15:26:47+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=579daf4aa1875a739c084ea7051e6b4d203f0c69'/>
<id>579daf4aa1875a739c084ea7051e6b4d203f0c69</id>
<content type='text'>
The forward_proxy site block must catch all hosts on port 80 because
proxy clients send Host: &lt;target&gt; not Host: proxy.yyamashita.com.
Non-proxy requests fall through to the redir for HTTPS upgrade.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The forward_proxy site block must catch all hosts on port 80 because
proxy clients send Host: &lt;target&gt; not Host: proxy.yyamashita.com.
Non-proxy requests fall through to the redir for HTTPS upgrade.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix forward_proxy config: remove unsupported hide_ip/hide_via directives</title>
<updated>2026-07-02T14:27:15+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T14:27:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=3cc1129f9f83e5b85eef4c77280a8a7cffee3341'/>
<id>3cc1129f9f83e5b85eef4c77280a8a7cffee3341</id>
<content type='text'>
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Temporarily disable proxy auth (PROXY_NO_AUTH=1)</title>
<updated>2026-07-02T14:17:37+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T14:17:37+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=1a41762754f8897827f09b46b37ab234515039be'/>
<id>1a41762754f8897827f09b46b37ab234515039be</id>
<content type='text'>
Add PROXY_NO_AUTH env var support to entrypoint.sh to skip basicauth
generation. Set to 1 in docker-compose.yml to allow unauthenticated access.
Revert by removing the environment block from docker-compose.yml.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add PROXY_NO_AUTH env var support to entrypoint.sh to skip basicauth
generation. Set to 1 in docker-compose.yml to allow unauthenticated access.
Revert by removing the environment block from docker-compose.yml.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Move forward proxy from Squid to Caddy (port 80/443)</title>
<updated>2026-07-02T14:08:58+00:00</updated>
<author>
<name>yyamashita</name>
<email>yyamashita@hetzner.yyamashita.com</email>
</author>
<published>2026-07-02T14:08:58+00:00</published>
<link rel='alternate' type='text/html' href='http://git.yyamashita.com/hetzner-infra/commit/?id=1a7b5adf8484ec0f2b6feb350b578142e186ab26'/>
<id>1a7b5adf8484ec0f2b6feb350b578142e186ab26</id>
<content type='text'>
Replace standalone Squid container with caddy-forwardproxy plugin so the
proxy shares Caddy's existing ports and TLS. HTTP on :80 and HTTPS on :443.
Auth is read from the same vpn/users.conf at Caddy startup via entrypoint.sh.
DNS: add proxy to setup-route53.py WEB_SUBDOMAINS.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace standalone Squid container with caddy-forwardproxy plugin so the
proxy shares Caddy's existing ports and TLS. HTTP on :80 and HTTPS on :443.
Auth is read from the same vpn/users.conf at Caddy startup via entrypoint.sh.
DNS: add proxy to setup-route53.py WEB_SUBDOMAINS.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
