summaryrefslogtreecommitdiff
path: root/caddy/entrypoint.sh
blob: bba0fabfe77a8dbea89c94763ca41a78c7f26ac9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/bin/sh
set -e

PROXY_CONF=/tmp/proxy_forward.caddy

# Build basicauth lines from shared users.conf (skip if PROXY_NO_AUTH=1)
AUTH_LINES=""
if [ "${PROXY_NO_AUTH:-0}" != "1" ] && [ -f /etc/proxy/users.conf ]; then
    while IFS=' ' read -r user pass || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        AUTH_LINES="${AUTH_LINES}        basicauth ${user} ${pass}\n"
    done < /etc/proxy/users.conf
fi
AUTH_BLOCK=$(printf '%b' "$AUTH_LINES")

# JP-only filter: download CIDR list from ipdeny.com (no account required)
JP_FILTER=""
JP_ZONE=/tmp/jp.zone
if wget -q -O "$JP_ZONE" --timeout=15 "https://www.ipdeny.com/ipblocks/data/aggregated/jp-aggregated.zone" 2>/dev/null && [ -s "$JP_ZONE" ]; then
    JP_IPS=$(tr '\n' ' ' < "$JP_ZONE")
    JP_FILTER="    @not_japan {
        not remote_ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.1/32 ${JP_IPS}
    }
    respond @not_japan 403"
fi

cat > "$PROXY_CONF" <<EOF
http:// {
    route {
${JP_FILTER}
        forward_proxy {
${AUTH_BLOCK}        }
        redir https://{host}{uri} 308
    }
}
https://proxy.yyamashita.com {
    tls {
        key_type rsa4096
    }
    route {
${JP_FILTER}
        forward_proxy {
${AUTH_BLOCK}        }
    }
}
EOF

exec "$@"