Proxy & SSL
HTTPS reverse proxy on LXC 103: Caddy + Let's Encrypt.
Exposed domains
| Domain | Target | SSO | Description |
|---|---|---|---|
| ncls.ltd | Static HTML | ❌ | Landing page |
| home.ncls.ltd | 192.168.1.101:3000 | ❌ | Homepage Dashboard |
| docs.ncls.ltd | 192.168.1.101:8001 | ❌ | Documentation |
| doc.ncls.ltd | 192.168.1.101:8002 | ❌ | Silverbullet |
| flix.ncls.ltd | 192.168.1.100:8096 | ❌ | Jellyfin Media |
| auth.ncls.ltd | authelia:9091 | ❌ | Authelia Portal |
| seer.ncls.ltd | 192.168.1.100:5055 | ❌ | Seerr Requests |
| status.ncls.ltd | 192.168.1.101:3003 | ❌ | Public status page |
| run.ncls.ltd | 192.168.1.104:8080 | ❌ | Endurain Fitness |
| endurain.ncls.ltd | → run.ncls.ltd (301) | ❌ | Former Endurain domain |
| files.ncls.ltd | 192.168.1.106:8090 | ❌ | SFTPGo (OIDC auth) |
| nliautaud.fr | 192.168.1.105:8010 | ❌ | nliautaud site |
| alicesuretcanale.fr | 192.168.1.105:8011 | ❌ | alicesuretcanale site |
| coolercontrol.ncls.ltd | 192.168.1.101:11987 | ✅ | CoolerControl |
| updates.ncls.ltd | 192.168.1.101:8000 | ✅ | Cup Updates Monitor |
| prowlarr.ncls.ltd | 192.168.1.100:9696 | ✅ | Prowlarr Indexer |
| radarr.ncls.ltd | 192.168.1.100:7878 | ✅ | Radarr Movies |
| portainer.ncls.ltd | 192.168.1.101:9443 | ✅ | Portainer |
| sabnzbd.ncls.ltd | 192.168.1.100:8080 | ✅ | SABnzbd |
| sonarr.ncls.ltd | 192.168.1.100:8989 | ✅ | Sonarr TV |
| bazarr.ncls.ltd | 192.168.1.100:6767 | ✅ | Bazarr Subtitles |
| pbs.ncls.ltd | 192.168.1.102:8007 | ✅ | Proxmox Backup |
| glances.ncls.ltd | 192.168.1.21:61208 | ✅ | Glances Monitor |
| host.ncls.ltd | 192.168.1.21:8006 | ✅ | Proxmox Host UI |
| feed.ncls.ltd | 192.168.1.104:8787 | ✅ | FreshRSS Reader |
| retro.ncls.ltd | 192.168.1.104:8082 | ✅ | Romm Gaming |
| uptime.ncls.ltd | 192.168.1.101:3003 | ✅ | Uptime Kuma Admin |
SSL certificates
Caddy automatically issues one certificate per subdomain via the HTTP-01 challenge (Let's Encrypt).

```bash
# Check the state of the Caddy certificates
pct exec 103 -- docker exec caddy caddy list-certificates 2>/dev/null || \
pct exec 103 -- bash -c "ls /root/docker-compose/caddy/data/caddy/certificates/"
# Force a reload of the config
pct exec 103 -- docker exec caddy caddy reload --config /etc/caddy/Caddyfile
```
Security
- Force SSL, HTTP/2 and HSTS enabled on all hosts
- Fail2ban jail `authelia` (maxretry=5, bantime=1h); see Security LXC 103
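
One way to check that the SSO column of the inventory matches the deployed proxy config, as an added example (not this site's own tooling). It assumes SSO hosts are gated with Caddy's `forward_auth` directive pointing at Authelia and does not resolve `import` snippets; the table excerpt, the Caddyfile and the function names are constructed for illustration.

```python
# Constructed excerpt of the inventory table above (two SSO hosts).
INVENTORY = """\
| radarr.ncls.ltd | 192.168.1.100:7878 | ✅ | Radarr Movies |
| portainer.ncls.ltd | 192.168.1.101:9443 | ✅ | Portainer |
"""
# Constructed Caddyfile (assumed layout); portainer lacks forward_auth on purpose.
CADDYFILE = """\
radarr.ncls.ltd {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
    }
    reverse_proxy 192.168.1.100:7878
}
portainer.ncls.ltd {
    reverse_proxy 192.168.1.101:9443
}
"""

def parse_inventory(table):
    """Return {domain: sso_expected} from the markdown table rows."""
    expected = {}
    for row in table.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[2][:1] in ("✅", "❌"):
            expected[cells[0]] = cells[2].startswith("✅")
    return expected

def sites_with_forward_auth(caddyfile):
    """Return {site_address: has_forward_auth}, tracking brace depth."""
    sites, current, depth = {}, [], 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0 and line.endswith("{"):
            current = line[:-1].replace(",", " ").split()
            sites.update(dict.fromkeys(current, False))
        elif depth > 0 and line.split()[:1] == ["forward_auth"]:
            sites.update(dict.fromkeys(current, True))
        depth += line.count("{") - line.count("}")
    return sites

def audit(table, caddyfile):
    """Return (domain, problem) pairs where inventory and config disagree."""
    actual = sites_with_forward_auth(caddyfile)
    findings = []
    for domain, sso in sorted(parse_inventory(table).items()):
        if domain not in actual:
            findings.append((domain, "no site block"))
        elif sso != actual[domain]:
            findings.append((domain, "forward_auth missing" if sso else "forward_auth undocumented"))
    return findings
```

Calling `audit(INVENTORY, CADDYFILE)` on the sample data reports `portainer.ncls.ltd` as missing `forward_auth`; an empty list means the inventory and the config agree.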
Configuration
See Caddy for the internal configuration (files, adding a proxy host).