You've already forked caddy-opnsense-blocker
93 lines
2.2 KiB
YAML
93 lines
2.2 KiB
YAML
server:
|
|
# The built-in UI/API has no authentication. Keep this on loopback unless
|
|
# another trusted layer protects access.
|
|
listen_address: 127.0.0.1:9080
|
|
read_timeout: 5s
|
|
write_timeout: 10s
|
|
shutdown_timeout: 15s
|
|
|
|
storage:
|
|
path: ./data/caddy-opnsense-blocker.db
|
|
|
|
investigation:
|
|
enabled: true
|
|
# Reserved for future automatic revalidation logic. Current releases keep
|
|
# cached investigations until you explicitly refresh them.
|
|
refresh_after: 24h
|
|
timeout: 8s
|
|
user_agent: caddy-opnsense-blocker/0.2
|
|
spamhaus_enabled: true
|
|
background_workers: 2
|
|
background_poll_interval: 30s
|
|
background_lookback: 0s
|
|
background_batch_size: 256
|
|
|
|
opnsense:
|
|
# Set to false for review-only mode.
|
|
enabled: true
|
|
base_url: https://router.example.test
|
|
api_key_file: /run/secrets/opnsense-api-key
|
|
api_secret_file: /run/secrets/opnsense-api-secret
|
|
timeout: 8s
|
|
insecure_skip_verify: false
|
|
ensure_alias: true
|
|
alias:
|
|
name: blocked-ips
|
|
type: host
|
|
description: Managed by caddy-opnsense-blocker
|
|
|
|
profiles:
|
|
public-web:
|
|
auto_block: true
|
|
min_status: 400
|
|
max_status: 599
|
|
block_unexpected_posts: true
|
|
block_php_paths: true
|
|
allowed_post_paths:
|
|
- /search
|
|
suspicious_path_prefixes:
|
|
- /wp-admin
|
|
- /wp-login.php
|
|
- /.env
|
|
- /.git
|
|
excluded_cidrs:
|
|
- 10.0.0.0/8
|
|
- 127.0.0.0/8
|
|
known_agents:
|
|
- name: friendly-bot
|
|
decision: allow
|
|
user_agent_prefixes:
|
|
- FriendlyBot/
|
|
|
|
gitea:
|
|
auto_block: false
|
|
min_status: 400
|
|
max_status: 599
|
|
block_unexpected_posts: true
|
|
block_php_paths: false
|
|
allowed_post_paths:
|
|
- /user/login
|
|
- /user/sign_up
|
|
- /user/forgot_password
|
|
suspicious_path_prefixes:
|
|
- /install.php
|
|
- /.env
|
|
- /.git
|
|
|
|
sources:
|
|
# One log path equals one selected profile. Different sources can still share
|
|
# the same global OPNsense backend defined above.
|
|
- name: public-web
|
|
path: /var/log/caddy/public-web-access.json
|
|
profile: public-web
|
|
initial_position: end
|
|
poll_interval: 1s
|
|
batch_size: 256
|
|
|
|
- name: gitea
|
|
path: /var/log/caddy/gitea-access.json
|
|
profile: gitea
|
|
initial_position: end
|
|
poll_interval: 1s
|
|
batch_size: 256
|