path: root/micro/reseau/caddy_reverse_proxy.mmd
blob: 3cddb4054be0ddcdbe20e580600521796f31c206 (plain)
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
flowchart LR
    %% Network diagram: public HTTP/HTTPS traffic for arauco.online enters through
    %% the router NAT, is terminated by Caddy on araucaria (192.168.99.50) and is
    %% reverse-proxied to services on two other LAN hosts (.35 and .22).
    %% Nodes without edges (gw, headers, r_redir, kc_block, ws_note) are
    %% annotations only; the diagram does not place them on a traffic path.

    %% Public side: the wildcard record resolves to the dynamic public IP.
    subgraph internet ["Internet"]
        direction TB
        dns_pub["DNS public<br/>*.arauco.online<br/>-> IP publique<br/>DynDNS Namecheap"]
        client["Navigateur<br/>Utilisateur"]
        client --> dns_pub
    end

    %% Exposure boundary: only ports 80 and 443 are forwarded, both to .50.
    %% NOTE(review): any other forward on the router would bypass Caddy's
    %% TLS, headers and path rules; verify these two are the only ones.
    subgraph router ["Routeur Swisscom"]
        gw["Gateway 192.168.99.1"]
        nat["NAT<br/>:80 -> .50:80<br/>:443 -> .50:443"]
    end

    subgraph caddy_host ["araucaria 192.168.99.50"]
        direction TB

        %% Caddy runs as a native systemd service on this host.
        subgraph caddy_svc ["Caddy - natif systemd"]
            direction TB
            listen[":80 HTTP<br/>:443 HTTPS"]
            %% HTTP-01 validation needs inbound port 80 reachable from the
            %% Internet, which matches the :80 NAT forward above. HTTP-01 cannot
            %% issue wildcard certificates, so the wildcard DNS record presumably
            %% maps to one certificate per proxied hostname; confirm.
            tls["TLS termination<br/>Let's Encrypt<br/>ACME HTTP-01"]
            %% Response hardening headers. '-Server' presumably means the Server
            %% header is removed (Caddy header-delete syntax); confirm in the
            %% Caddyfile. No Content-Security-Policy is listed here.
            headers["Headers securite<br/>HSTS, X-Content-Type-Options<br/>X-Frame-Options, Referrer-Policy<br/>-Server"]
            listen --> tls
        end

        %% One route per public hostname; the apex only redirects (301) to www.
        subgraph routing ["Routes reverse proxy"]
            direction TB
            r_www["www.arauco.online"]
            r_kc["kc.arauco.online"]
            r_ha["ha.arauco.online"]
            r_vk["vk.arauco.online"]
            r_pm["pm.arauco.online"]
            r_redir["arauco.online<br/>-> 301 www.*"]
        end
    end

    %% Identity provider host. The /admin/* rule is drawn next to Keycloak, but
    %% the diagram does not say where it is enforced.
    %% NOTE(review): if the 403 is applied in Caddy, it only covers requests
    %% that pass through the proxy, and the LAN test depends on the source
    %% address Caddy sees after NAT; confirm both.
    subgraph npagnun ["npagnun .35"]
        keycloak["Keycloak<br/>:8080 HTTP"]
        kc_block["/admin/* bloque<br/>hors LAN 403"]
    end

    %% Application host: four services, each on its own plain-HTTP port.
    subgraph huitral ["huitral .22"]
        direction TB
        dt["der-topogo<br/>:3000"]
        ha["Home Assistant<br/>:8123"]
        vk["Vikunja<br/>:3456"]
        pm["Pachamama<br/>:3030"]
        %% read_timeout 0 presumably disables the proxy read timeout so that
        %% long-lived Home Assistant WebSocket connections are not cut; confirm
        %% that it is scoped to the ha route only.
        ws_note["WebSocket HA<br/>read_timeout 0"]
    end

    %% Simplification: the client resolves the name, then connects to the
    %% public IP; the edge from DNS to NAT stands for that connection.
    dns_pub --> nat
    nat --> listen

    %% Upstream hops are labelled HTTP: TLS ends at Caddy, so traffic (including
    %% Keycloak logins and tokens) crosses the LAN unencrypted between .50 and
    %% the backends.
    %% NOTE(review): the backend ports should accept connections only from
    %% 192.168.99.50; the diagram does not show host firewall rules.
    r_www -->|"HTTP"| dt
    r_kc -->|"HTTP"| keycloak
    r_ha -->|"HTTP + WS"| ha
    r_vk -->|"HTTP"| vk
    r_pm -->|"HTTP"| pm

    tls --> routing

    %% Colour classes: external, network, service, identity, security control, route.
    classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
    classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
    classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
    classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
    classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
    classDef routeStyle fill:#3a3a1e,stroke:#9a9a4a,color:#e0e0a8

    %% secStyle marks the two security controls: response headers and the
    %% Keycloak admin path block.
    class dns_pub,client,gw,nat extStyle
    class listen,tls netStyle
    class headers,kc_block secStyle
    class r_www,r_kc,r_ha,r_vk,r_pm,r_redir routeStyle
    class keycloak iamStyle
    class dt,ha,vk,pm,ws_note svcStyle