summaryrefslogtreecommitdiff
path: root/caddy/entrypoint.sh
blob: 3e1ab8ad498ebfd0d701d5968e047c2d520d38e6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/bin/sh
set -e

PROXY_CONF=/tmp/proxy_forward.caddy

# Build basicauth lines from shared users.conf (skip if PROXY_NO_AUTH=1)
AUTH_LINES=""
if [ "${PROXY_NO_AUTH:-0}" != "1" ] && [ -f /etc/proxy/users.conf ]; then
    while IFS=' ' read -r user pass || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        AUTH_LINES="${AUTH_LINES}        basicauth ${user} ${pass}\n"
    done < /etc/proxy/users.conf
fi
AUTH_BLOCK=$(printf '%b' "$AUTH_LINES")

# GeoIP Japan-only filter (active only if DB file is present)
GEOIP_BLOCK=""
if [ -f "/etc/caddy/GeoLite2-Country.mmdb" ]; then
    GEOIP_BLOCK='    geoip /etc/caddy/GeoLite2-Country.mmdb
    @not_japan {
        not remote_ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.1/32
        not expression `{http.vars.geoip_country_code} == "JP"`
    }
    respond @not_japan 403'
fi

cat > "$PROXY_CONF" <<EOF
http:// {
    route {
${GEOIP_BLOCK}
        forward_proxy {
${AUTH_BLOCK}        }
        redir https://{host}{uri} 308
    }
}
https://proxy.yyamashita.com {
    tls {
        key_type rsa4096
    }
    route {
${GEOIP_BLOCK}
        forward_proxy {
${AUTH_BLOCK}        }
    }
}
EOF

exec "$@"