Switch to http over ssh -R

homelab/Caddyfile

@@ -9,11 +9,11 @@
   }
 }
 
-git.woozle.org {
+http://git.woozle.org {
   reverse_proxy gitea:3000
 }
 
-drive.woozle.org {
+http://drive.woozle.org {
   import restricted-access
 
   # XXX: browsing says method not allowed
@@ -31,7 +31,7 @@ drive.woozle.org {
 }
 
 # XXX: have this use caddy auth
-ancestry.woozle.org {
+http://ancestry.woozle.org {
   reverse_proxy geneweb:2317
 }
 
@@ -40,7 +40,7 @@ ancestry.woozle.org {
 ## handle_path truncates path
 ##
 
-deergrove.woozle.org, sweetums.woozle.org {
+http://deergrove.woozle.org, http://sweetums.lan {
   handle /transmission/* {
     import restricted-access
     reverse_proxy host.docker.internal:9091

homelab/README.md

@@ -3,3 +3,15 @@
 This is the stuff I run on my little Raspberry Pi.
 
 I guess I fiddle around with it pretty frequently.
+
+## Routing
+
+My ISP uses Carrier-Grade NAT,
+which I would have called IP Masquerading.
+
+This means I can't bind ports on a routeable IP.
+So instead what I do is run this SSH connection off to my cloud server,
+listens for incoming connections on port 5800,
+and then have my cloud server proxy stuff to port 5800.
+
+It's a gross kludge but it works well :)

homelab/docker-compose.yaml

@@ -1,5 +1,25 @@
 version: "3.8"
 services:
+  tunnel:
+    image: lscr.io/linuxserver/openssh-server
+    user: abc
+    entrypoint:
+      - /usr/bin/ssh
+      - -N
+      - -R :5800:caddy:80
+      - core@melville.woozle.org
+    secrets:
+      - source: tunnel
+        target: /config/.ssh/id_rsa
+        uid: "911"
+        gid: "911"
+        mode: 0600
+      - source: known_hosts
+        target: /config/.ssh/known_hosts
+        uid: "911"
+        gid: "911"
+        mode: 0600
+
   caddy:
     image: caddy:2-alpine
     ports:
@@ -225,7 +245,7 @@ configs:
     name: dave.yaml-v3
   Caddyfile:
     file: Caddyfile
-    name: Caddyfile-v67
+    name: Caddyfile-v69
   index.html:
     file: www/index.html
     name: index.html-v32
@@ -243,6 +263,12 @@ secrets:
   simpleauth.key:
     file: secrets/simpleauth.key
     name: simpleauth.key-v1
+  tunnel:
+    file: secrets/tunnel
+    name: tunnel-v1
+  known_hosts:
+    file: secrets/known_hosts
+    name: known_hosts-v1
 
 networks:
   hostnet:

melville/Caddyfile

@@ -2,10 +2,21 @@
   email neale@woozle.org
 }
 
+(restricted-access) {
+  forward_auth simpleauth:8080 {
+    uri /
+    copy_headers X-Simpleauth-Token
+  }
+}
+
 vail.woozle.org {
   reverse_proxy vail:8080
 }
 
+deergrove.woozle.org, git.woozle.org, ancestry.woozle.org, drive.woozle.org {
+  reverse_proxy host.docker.internal:5800
+}
+
 www.woozle.org, woozle.org {
   root * /srv/www/woozle.org
   file_server
@@ -19,3 +30,4 @@ www.woozle.org, woozle.org {
   }
 }
 
+

melville/docker-compose.yaml

@@ -17,6 +17,8 @@ services:
         source: /srv/www
         target: /srv/www
         read_only: true
+    extra_hosts:
+      - host.docker.internal:host-gateway
     configs:
       - source: Caddyfile
         target: /etc/caddy/Caddyfile
@@ -27,4 +29,4 @@ services:
 configs:
   Caddyfile:
     file: Caddyfile
-    name: Caddyfile-v5
+    name: Caddyfile-v6