Build initial caddy-opnsense-blocker daemon

2026-03-12 00:51:06 +01:00
commit 4e87d84237
21 changed files with 4354 additions and 0 deletions
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -0,0 +1,74 @@
+server:
+  listen_address: 127.0.0.1:9080
+  read_timeout: 5s
+  write_timeout: 10s
+  shutdown_timeout: 15s
+
+storage:
+  path: ./data/caddy-opnsense-blocker.db
+
+opnsense:
+  enabled: true
+  base_url: https://router.example.test
+  api_key_file: /run/secrets/opnsense-api-key
+  api_secret_file: /run/secrets/opnsense-api-secret
+  timeout: 8s
+  insecure_skip_verify: false
+  ensure_alias: true
+  alias:
+    name: blocked-ips
+    type: host
+    description: Managed by caddy-opnsense-blocker
+
+profiles:
+  public-web:
+    auto_block: true
+    min_status: 400
+    max_status: 599
+    block_unexpected_posts: true
+    block_php_paths: true
+    allowed_post_paths:
+      - /search
+    suspicious_path_prefixes:
+      - /wp-admin
+      - /wp-login.php
+      - /.env
+      - /.git
+    excluded_cidrs:
+      - 10.0.0.0/8
+      - 127.0.0.0/8
+    known_agents:
+      - name: friendly-bot
+        decision: allow
+        user_agent_prefixes:
+          - FriendlyBot/
+
+  gitea:
+    auto_block: false
+    min_status: 400
+    max_status: 599
+    block_unexpected_posts: true
+    block_php_paths: false
+    allowed_post_paths:
+      - /user/login
+      - /user/sign_up
+      - /user/forgot_password
+    suspicious_path_prefixes:
+      - /install.php
+      - /.env
+      - /.git
+
+sources:
+  - name: public-web
+    path: /var/log/caddy/public-web-access.json
+    profile: public-web
+    initial_position: end
+    poll_interval: 1s
+    batch_size: 256
+
+  - name: gitea
+    path: /var/log/caddy/gitea-access.json
+    profile: gitea
+    initial_position: end
+    poll_interval: 1s
+    batch_size: 256