jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

init

Browse source
This commit is contained in:
JMARyA 2023-12-04 11:02:23 +01:00
commit c5cd492449
Signed by: jmarya
GPG key ID: 901B2ADDF27C2263
475 changed files with 27928 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

34
technology/applications/web/AdGuard.md Normal file
View file

@ -0,0 +1,34 @@
---
obj: application
website: https://adguard.com/en/adguard-home/overview.html
---
# AdGuard
AdGuard Home is a network-wide software for blocking ads & tracking. It exposes a [DNS](../../internet/DNS.md) server and works similiarly to PiHole. You can also define custom [domain](../../internet/Domain.md) to IP mappings.
## Docker Compose
```yml
version: '3.3'
services:
adguard:
restart: unless-stopped
volumes:
- './config:/opt/adguardhome'
- './certs:/certs'
ports:
. # DNS
- '53:53/tcp'
- '53:53/udp'
# Web UI
- '3200:443/tcp'
- '853:853/tcp'
- '784:784/udp'
- '853:853/udp'
- '8853:8853/udp'
- '5443:5443/tcp'
- '5443:5443/udp'
image: adguard/adguardhome
```

560
technology/applications/web/Authelia.md Normal file
View file

@ -0,0 +1,560 @@
---
obj: application
website: https://www.authelia.com
repo: https://github.com/authelia/authelia
---
# Authelia
Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.
## Docker-Compose
```
version: "3"
services:
authelia:
image: authelia/authelia
volumes:
- ./authelia:/config
ports:
# Web Interface
- 9091:9091
restart: unless-stopped
environment:
- TZ=Europe/Berlin
depends_on:
- redis
redis:
image: redis:alpine
volumes:
- ./redis:/data
restart: unless-stopped
environment:
- TZ=Europe/Berlin
```
## Authelia Configuration
The configuration is done via a [YAML](../../files/YAML.md) file.
Sample Configuration:
```yml
## Note: the container by default expects to find this file at /config/configuration.yml.
## The theme to display: light, dark, grey, auto.
theme: light
## The secret used to generate JWT tokens when validating user identity by email confirmation.
jwt_secret: a_very_important_secret
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
default_redirection_url: https://home.example.com/
## Set the default 2FA method for new users and for when a user has a preferred method configured that has been disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: ""
## Server Configuration
server:
## The address to listen on.
host: 0.0.0.0
## The port to listen on.
port: 9091
## Set the single level path Authelia listens on.
## Must be alphanumeric chars and should not contain any slashes.
path: ""
## Set the path on disk to Authelia assets.
## Useful to allow overriding of specific static assets.
asset_path: /config/assets/
## Enables the pprof endpoint.
enable_pprof: false
## Enables the expvars endpoint.
enable_expvars: false
## Log Configuration
log:
## Level of verbosity for logs: info, debug, trace.
level: debug
## Format the logs are written as: json, text.
format: json
## File path where the logs will be written. If not set logs are written to stdout.
file_path: /config/authelia.log
## Whether to also log to stdout when a log_file_path is defined.
keep_stdout: false
## Telemetry Configuration
telemetry:
## Metrics Configuration
metrics:
## Enable Metrics.
enabled: false
## The address to listen on for metrics. This should be on a different port to the main server.port value.
address: tcp://0.0.0.0:9959
## TOTP Configuration
## Parameters used for TOTP generation.
totp:
## Disable TOTP.
disable: false
## The issuer name displayed in the Authenticator application of your choice.
issuer: authelia.com
## The TOTP algorithm to use.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#algorithm
algorithm: sha1
## The number of digits a user has to input. Must either be 6 or 8.
## Changing this option only affects newly generated TOTP configurations.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#digits
digits: 6
## The period in seconds a one-time password is valid for.
## Changing this option only affects newly generated TOTP configurations.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
skew: 1
## See: https://www.authelia.com/c/totp#input-validation to read
## the documentation.
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
secret_size: 32
## WebAuthn Configuration
## Parameters used for WebAuthn.
webauthn:
## Disable Webauthn.
disable: false
## Adjust the interaction timeout for Webauthn dialogues.
timeout: 60s
## The display name the browser should show the user for when using Webauthn to login/register.
display_name: Authelia
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
## Options are none, indirect, direct.
attestation_conveyance_preference: indirect
## User verification controls if the user must make a gesture or action to confirm they are present.
## Options are required, preferred, discouraged.
user_verification: preferred
## NTP Configuration
## This is used to validate the servers time is accurate enough to validate TOTP.
ntp:
## NTP server address.
address: "time.cloudflare.com:123"
## NTP version.
version: 4
## Maximum allowed time offset between the host and the NTP server.
max_desync: 3s
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
## set this to true, and can operate in a truly offline mode.
disable_startup_check: false
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
## will continue regardless of results.
disable_failure: false
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
## Password Reset Options.
password_reset:
## Disable both the HTML element and the API for reset password functionality.
disable: false
## External reset password url that redirects the user to an external reset portal. This disables the internal reset
## functionality.
custom_url: ""
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
refresh_interval: 5m
## File (Authentication Provider)
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
## implications it is highly recommended you leave the default values. Before considering changing these settings
## please read the docs page below:
## https://www.authelia.com/r/passwords#tuning
file:
path: /config/users_database.yml
watch: false
search:
email: false
case_insensitive: false
password:
algorithm: argon2
argon2:
variant: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
scrypt:
iterations: 16
block_size: 8
parallelism: 1
key_length: 32
salt_length: 16
pbkdf2:
variant: sha512
iterations: 310000
salt_length: 16
sha2crypt:
variant: sha512
iterations: 50000
salt_length: 16
bcrypt:
variant: standard
cost: 12
## Password Policy Configuration.
password_policy:
## The standard policy allows you to tune individual settings manually.
standard:
enabled: false
## Require a minimum length for passwords.
min_length: 8
## Require a maximum length for passwords.
max_length: 0
## Require uppercase characters.
require_uppercase: true
## Require lowercase characters.
require_lowercase: true
## Require numeric characters.
require_number: true
## Require special characters.
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
## Configures the minimum score allowed.
min_score: 3
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.example.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any resource if there is no policy to be applied to the user.
default_policy: deny
rules:
## Rules applied to everyone
- domain: 'public.example.com'
policy: bypass
## Domain Regex examples. Generally we recommend just using a standard domain.
- domain_regex: '^(?P<User>\w+)\.example\.com$'
policy: one_factor
- domain_regex: '^(?P<Group>\w+)\.example\.com$'
policy: one_factor
- domain_regex:
- '^appgroup-.*\.example\.com$'
- '^appgroup2-.*\.example\.com$'
policy: one_factor
- domain_regex: '^.*\.example\.com$'
policy: two_factor
- domain:
- 'secure.example.com'
- 'private.example.com'
policy: two_factor
- domain: 'singlefactor.example.com'
policy: one_factor
## Rules applied to 'admins' group
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: deny
- domain: '*.example.com'
subject:
- 'group:admins'
- 'group:moderators'
policy: two_factor
## Rules applied to 'dev' group
- domain: 'dev.example.com'
resources:
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: two_factor
## Rules applied to user 'john'
- domain: 'dev.example.com'
resources:
- '^/users/john/.*$'
subject: 'user:john'
policy: two_factor
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
## The name of the session cookie.
name: authelia_session
## The domain to protect.
## Note: the authenticator must also be in that domain.
## If empty, the cookie is restricted to the subdomain of the issuer.
domain: example.com
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/c/session#same_site
same_site: lax
## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
secret: insecure_session_secret
## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy or attack.
## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
expiration: 1h
## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user does not select the remember me option their session will get destroyed after 1h, or after 5m since the last time Authelia detected user activity.
inactivity: 5m
## The time before the cookie expires and the session is destroyed if remember me IS selected.
## Value of -1 disables remember me.
remember_me_duration: 1M
## Redis Provider
redis:
host: 127.0.0.1
port: 6379
## Use a unix socket instead
host: /var/run/redis/redis.sock
## Username used for redis authentication. This is optional and a new feature in redis 6.0.
username: authelia
## Password can also be set using a secret: https://www.authelia.com/c/secrets
password: authelia
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
database_index: 0
## The maximum number of concurrent active connections to Redis.
maximum_active_connections: 8
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
minimum_idle_connections: 0
## Regulation Configuration
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
## in a short period of time.
regulation:
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
max_retries: 3
## The time range during which the user can attempt login before being banned. The user is banned if the
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
find_time: 2m
## The length of time before a banned user can login again. Ban Time accepts duration notation.
ban_time: 5m
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
## the CLI to change this in the database if you want to change it from a previously configured value.
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
## Local (Storage Provider)
## This stores the data in a SQLite3 Database.
## This is only recommended for lightweight non-stateful installations.
local:
## Path to the SQLite3 Database.
path: /config/db.sqlite3
## MySQL / MariaDB (Storage Provider)
# mysql:
# host: 127.0.0.1
# port: 3306
# database: authelia
# username: authelia
# password: mypassword
# timeout: 5s
## PostgreSQL (Storage Provider)
# postgres:
# host: 127.0.0.1
# port: 5432
# database: authelia
# schema: public
# username: authelia
# password: mypassword
# timeout: 5s
## Notification Provider
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
## You can disable the notifier startup check by setting this to true.
disable_startup_check: false
## File System (Notification Provider)
filesystem:
filename: /config/notification.txt
## SMTP (Notification Provider)
## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
## [Security] By default Authelia will:
## - force all SMTP connections over TLS including unauthenticated connections
## - use the disable_require_tls boolean value to disable this requirement
## (only works for unauthenticated connections)
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
## (configure in tls section)
# smtp:
## The SMTP host to connect to.
# host: 127.0.0.1
## The port to connect to the SMTP host on.
# port: 1025
## The connection timeout.
# timeout: 5s
## The username used for SMTP authentication.
# username: test
## The password used for SMTP authentication.
# password: password
## The sender is used to is used for the MAIL FROM command and the FROM header.
## If this is not defined and the username is an email, we use the username as this value. This can either be just
## an email address or the RFC5322 'Name <email address>' format.
# sender: "Authelia <admin@example.com>"
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
# identifier: localhost
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
# subject: "[Authelia] {title}"
## This address is used during the startup check to verify the email configuration is correct.
## It's not important what it is except if your email server only allows local delivery.
# startup_check_address: test@authelia.com
## By default we require some form of TLS. This disables this check though is not advised.
# disable_require_tls: false
## Disables sending HTML formatted emails.
# disable_html_emails: false
```
### User Database
If you have choosen the file based authentification backend, you need to create a `users_database.yml` file. Every object under `users` represents another user. You need to specify a password hash, you can get the password hash with `docker run authelia/authelia:latest authelia hash-password SOMEPASSWORD`.
Example:
```yml
users:
admin:
displayname: "Administration"
password: "$argon2id$v=19$m=65536,t=3,p=4$Me8Gxh6+NGUEWo5xrh8AeA$gt8iH0b1sPNNfXN1VVjHZU6MSWRuYYjhnu7QvDDxQBQ"
email: admin@example.com
groups:
- admin
- dev
- work
```
## Configuration for [traefik](traefik.md)
```yml
http:
middlewares:
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://yourdomain.com"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Name"
- "Remote-Email"
```

29
technology/applications/web/Bitwarden.md Normal file
View file

File diff suppressed because one or more lines are too long

7
technology/applications/web/Frigate.md Normal file
View file

@ -0,0 +1,7 @@
---
obj: application
website: https://frigate.video/
---
# Frigate
#wip #🐇

46
technology/applications/web/Gitea.md Normal file
View file

@ -0,0 +1,46 @@
---
obj: application
os:
- web
website: https://gitea.io/en-us/
---
# Gitea
Gitea is a community managed fork of Gogs, lightweight [git](../../dev/Git.md) code hosting solution written in Go and published under the MIT license.
#refactor -> gitea features, usage, more info
## Docker Compose
```yaml
version: '3.3'
services:
server:
image: gitea/gitea
environment:
- USER_UID=1001
- USER_GID=1001
- DB_TYPE=postgres
- DB_HOST=db:5432
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
restart: always
volumes:
- ./data:/data
ports:
- "3000:3000" # Web UI
- "222:22" # SSH
depends_on:
- db
db:
image: postgres:9.6
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
volumes:
- ./db:/var/lib/postgresql/data
```

41
technology/applications/web/Grocy.md Normal file
View file

File diff suppressed because one or more lines are too long

11
technology/applications/web/Guacamole.md Normal file
View file

File diff suppressed because one or more lines are too long

26
technology/applications/web/Home Assistant.md Normal file
View file

@ -0,0 +1,26 @@
---
obj: application
os: web
website: https://www.home-assistant.io/
android-id: io.homeassistant.companion.android.minimal
---
# Home Assistant
#refactor
Home Assistant is a local smart home hub platform supportig many integrations for automation.
## Docker Compose
```yaml
version: '3'
services:
homeassistant:
image: homeassistant/home-assistant:stable
volumes:
- ./config:/config
environment:
- TZ=Europe/Berlin
restart: always
network_mode: host
```
# [Wake On LAN](../../internet/Wake%20on%20LAN.md)
#todo

32
technology/applications/web/IPFS.md Normal file
View file

@ -0,0 +1,32 @@
---
obj: application
os: web
website: https://ipfs.io
---
# IPFS
IPFS, or the InterPlanetary File System, is a peer-to-peer distributed file system designed to connect all computing devices with the same system of files. It works similiarly to [Torrents](../../tools/BitTorrent.md).
## Key Concepts
### 1. **Decentralization:**
IPFS is designed to be a fully decentralized system where each node in the network stores a collection of hashed files. This eliminates the need for a central server, providing greater resilience and reducing single points of failure.
### 2. **Content Addressing:**
IPFS uses content addressing, where each file and all of the blocks within it are given a unique fingerprint called a cryptographic hash. This hash becomes the file's address on the network.
### 3. **Distributed Hash Table (DHT):**
IPFS utilizes DHT for efficient peer discovery and file lookup. It enables nodes to find the closest peers with a specific file.
## Docker Compose
```yml
version: '3'
services:
ipfs-node:
image: ipfs/go-ipfs
restart: always
ports:
- "4001:4001"
- "127.0.0.1:8080:8080"
- "127.0.0.1:5001:5001"
volumes:
- ./ipfs-data:/data/ipfs
command: ["--enable-pubsub-experiment", "--gateway", "all"]
```

28
technology/applications/web/Jellyfin.md Normal file
View file

@ -0,0 +1,28 @@
---
obj: application
os: web
website: https://jellyfin.org/
android-id: org.jellyfin.mobile
---
# Jellyfin
#refactor
Jellyfin is a free and open-source multimedia application suite designed to organize, manage, and share digital media files to networked devices.
Multiple clients can be used.
## Docker Compose
```yaml
version: "3"
services:
jellyfin:
image: lscr.io/linuxserver/jellyfin
environment:
- PUID=1001
- PGID=1001
- TZ=Europe/Berlin
volumes:
- ./config:/config
- ./media:/media:ro
ports:
- 8096:8096
restart: unless-stopped
```

29
technology/applications/web/Kavita.md Normal file
View file

File diff suppressed because one or more lines are too long

58
technology/applications/web/Matrix.md Normal file
View file

@ -0,0 +1,58 @@
---
website: https://matrix.org/
obj: application
---
# Matrix
Matrix is an open standard and communication protocol for real-time communication. It aims to make real-time communication work seamlessly between different service providers, in the way that standard [Simple Mail Transfer Protocol](../../internet/SMTP.md) [email](../../internet/eMail.md) currently does for store-and-forward [email](../../internet/eMail.md) service, by allowing users with accounts at one communications service provider to communicate with users of a different service provider via online chat, voice over IP, and videotelephony. It therefore serves a similar purpose to protocols like XMPP, but is not based on any existing communication protocol.
By default matrix is federated and every user is located at a home server (`@user:matrix.example.org`) and can communicate with other users or join rooms.
## Setup
To setup a matrix server using dendrite follow these steps. As prerequisites you need a valid [domain](../../internet/Domain.md) name.
### Generate a key
```shell
mkdir -p ./config
docker run --rm --entrypoint="/usr/bin/generate-keys" -v $(pwd)/config:/mnt matrixdotorg/dendrite-monolith:latest -private-key /mnt/matrix_key.pem
```
### Generate a config file
```shell
mkdir -p ./config
docker run --rm --entrypoint="/bin/sh" -v $(pwd)/config:/mnt matrixdotorg/dendrite-monolith:latest -c "/usr/bin/generate-config -dir /var/dendrite/ -db postgres://dendrite:itsasecret@postgres/dendrite?sslmode=disable -server YourDomainHere > /mnt/dendrite.yaml"
```
### Docker-Compose
Start the docker compose service:
```yaml
version: "3.4"
services:
postgres:
hostname: postgres
image: postgres:15-alpine
restart: always
volumes:
- ./db:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: password
POSTGRES_USER: dendrite
POSTGRES_DATABASE: dendrite
healthcheck:
test: ["CMD-SHELL", "pg_isready -U dendrite"]
interval: 5s
timeout: 5s
retries: 5
dendrite:
image: matrixdotorg/dendrite-monolith:latest
ports:
- 8448:8008
volumes:
- ./config:/etc/dendrite
- ./data:/var/dendrite
depends_on:
postgres:
condition: service_healthy
restart: unless-stopped
```

40
technology/applications/web/Minio.md Normal file
View file

@ -0,0 +1,40 @@
---
obj: application
website: https://min.io
repo: https://github.com/minio/minio
---
# Minio
MinIO is an open-source, high-performance, distributed object storage system. Designed for cloud-native and containerized applications, MinIO allows users to build scalable, fault-tolerant, and secure object storage infrastructure. It is compatible with Amazon S3 APIs, making it easy to integrate with existing S3 applications and tools.
## Features
1. Amazon S3 Compatibility:
MinIO supports the S3 API, allowing users to seamlessly integrate MinIO with applications and tools designed for Amazon S3.
2. Scalability:
MinIO is designed to scale horizontally, allowing users to add nodes to the cluster as storage requirements grow. This scalability makes it suitable for both small-scale deployments and large-scale enterprise use.
3. High Performance:
MinIO leverages a distributed architecture and erasure coding to achieve high performance, making it suitable for use cases with demanding throughput and low-latency requirements.
4. Data Protection and Erasure Coding:
MinIO provides data protection through erasure coding, which breaks data into smaller fragments and distributes them across multiple nodes. This ensures data integrity and fault tolerance.
5. Security Features:
MinIO includes features such as server-side encryption, access control policies, and integration with identity providers for secure data storage.
6. Event-Driven Architecture:
MinIO supports event notifications, allowing users to trigger actions or workflows in response to events such as object creation or deletion.
## Docker Compose
```yaml
version: '3.9'
services:
minio:
command: 'server /data --console-address ":9090"'
image: quay.io/minio/minio
environment:
- MINIO_ROOT_PASSWORD=password
- MINIO_ROOT_USER=user
- MINIO_SERVER_URL=https://domain.com
volumes:
- './data:/data'
ports:
- '9090:9090'
- '9080:9000'
restart: unless-stopped
```

44
technology/applications/web/Overseerr.md Normal file
View file

File diff suppressed because one or more lines are too long

29
technology/applications/web/Plex.md Normal file
View file

@ -0,0 +1,29 @@
---
obj: application
os: web
website: https://plex.tv
android-id: com.plexapp.android
flatpak-id: tv.plex.PlexDesktop
---
# Plex
Plex is a media player system and software suite consisting of many player applications for 10-foot user interfaces and an associated media server that organizes personal media stored on local devices.
Media inside Plex can be requested and managed by [Overseerr](Overseerr.md)
## Docker Compose
```yaml
version: '3'
services:
plex_server:
image: linuxserver/plex
restart: unless-stopped
ports:
- 32400:32400/tcp
environment:
- PUID=1001
- PGID=1001
- VERSION=docker
- TZ=Europe/Berlin
volumes:
- ./config:/config
- ./media:/media:ro
```

54
technology/applications/web/Portainer.md Normal file
View file

@ -0,0 +1,54 @@
---
obj: application
website: https://www.portainer.io/
repo: https://github.com/portainer/portainer
---
# Portainer
Portainer is an open-source container management tool designed to simplify the deployment, management, and monitoring of [Docker](../../tools/Docker.md) containers. With its user-friendly interface and robust feature set, Portainer makes it easy for both beginners and experienced users to interact with [Docker](../../tools/Docker.md) and containerized applications.
## Features
### 1. **Intuitive Web Interface:**
- Portainer provides a web-based user interface that allows users to manage Docker containers, images, volumes, and networks with ease.
### 2. **Multi-Platform Support:**
- Portainer supports various [Docker](../../tools/Docker.md) installations, including Docker Desktop, Docker Swarm, and Kubernetes, making it a versatile choice for managing containers across different environments.
### 3. **User Authentication and Role-Based Access Control (RBAC):**
- Securely manage access to [Docker](../../tools/Docker.md) resources by implementing user authentication and RBAC. Define user roles and permissions to control who can perform specific actions.
### 4. **App Templates and Stack Deployment:**
- Portainer simplifies the deployment of applications by providing app templates. Users can deploy stacks, which are groups of interconnected services, with just a few clicks.
### 5. **Container Lifecycle Management:**
- Start, stop, restart, and remove containers effortlessly using the Portainer interface. Monitor container health and resource usage in real-time.
### 6. **Image Management:**
- Browse, pull, and manage [Docker](../../tools/Docker.md) images from Docker Hub or other registries. Portainer makes it easy to update images and inspect image details.
### 7. **Volume and Network Management:**
- Create and manage [Docker](../../tools/Docker.md) volumes and networks through the Portainer interface. Configure network settings and attach volumes to containers seamlessly.
### 8. **Endpoint Management:**
- Portainer supports the management of multiple [Docker](../../tools/Docker.md) endpoints from a single Portainer instance, providing a centralized point of control for distributed environments.
## Usage
### 1. **Container Management:**
- View, start, stop, restart, and remove containers from the Portainer dashboard. Access detailed information about each container, including logs and resource usage.
### 2. **Image Management:**
- Browse and pull [Docker](../../tools/Docker.md) images from registries. Keep images up-to-date and inspect image details, such as layers and tags.
### 3. **Volume and Network Management:**
- Create and manage [Docker](../../tools/Docker.md) volumes and networks. Configure volume bindings and network settings for containers.
### 4. **Application Deployment:**
- Deploy applications using the Stacks feature. Choose from pre-configured app templates or define your own [Docker Compose](../../tools/Docker%20Compose.md) files for customized deployments.
### 5. **Monitoring and Health Checks:**
- Monitor the health of containers and receive alerts for issues. Utilize Portainer's health check features to ensure the reliability of deployed services.
### 6. **Multi-Endpoint Management:**
- Manage [Docker](../../tools/Docker.md) endpoints from different locations using a single Portainer instance. Switch between environments to control resources across various [Docker](../../tools/Docker.md) installations.
## Docker Compose
```yaml
version: '3.3'
services:
portainer-ce:
ports:
- '9010:9000' # Web UI
restart: always
volumes:
- '/var/run/docker.sock:/var/run/docker.sock'
- './data:/data'
image: portainer/portainer-ce
```

32
technology/applications/web/Radicale.md Normal file
View file

@ -0,0 +1,32 @@
---
obj: application
os: web
website: https://radicale.org/v3.html
---
# Radicale
Radicale is a [WebDAV](../../tools/WebDAV.md) Server for CalDAV and CardDAV.
## Install
Based on [this repo](https://github.com/fphammerle/docker-radicale)
Configuration is in config file. User Authentication in httpasswd:
```yaml
version: '2.2'
services:
radicale:
build: .
# image: fphammerle/radicale
volumes:
- ./config:/etc/radicale/config:ro
- ./htpasswd:/etc/radicale/htpasswd:ro
- ./ssh:/var/lib/radicale/.ssh:rw
- ./data:/var/lib/radicale/collections:rw
read_only: true
ports: ['0.0.0.0:5232:5232']
cap_drop: [ALL]
security_opt: [no-new-privileges]
mem_limit: 128M
cpu_quota: 5000
cpu_period: 10000
restart: unless-stopped
```

98
technology/applications/web/Samba.md Normal file
View file

@ -0,0 +1,98 @@
---
obj: application
website: https://www.samba.org
aliases: ["SMB"]
---
# Samba
Samba is an open-source software suite that provides seamless interoperability between [Linux](../../linux/Linux.md)/Unix servers and [Windows](../../windows/Windows.md)-based clients. It allows file and print services to be shared across a mixed network of [Windows](../../windows/Windows.md), [Linux](../../linux/Linux.md), and [macOS](../../macos/macOS.md) systems.
## Configuration
You configure samba with the file `/etc/samba/smb.conf`
### Structure:
The `smb.conf` file is structured into sections, each containing key-value pairs that define specific configurations. The sections are enclosed in square brackets (`[]`). The most commonly used section is `[global]`, which contains global settings applying to the entire Samba server. Other sections define individual shares or specific configurations.
### Common Sections:
1. **\[global]:**
- Contains global configurations applicable to the entire Samba server.
2. **\[sharename]:**
- Custom sections for defining specific shares.
### Global Options
```ini
[global]
# Workgroup
workgroup = WORKGROUP
# User needs to logon before connection
security = user
# Server description
server string = descriptive string
# Set minimum protocol to SMB3
server min protocol = SMB3_00
# Encrypt passwords in connection
encrypt passwords = yes
# ReadWrite Raw
read raw = Yes
write raw = Yes
```
### Share Options
```ini
[MyShare]
# Set share to readonly
read only = no
# Filesystem path
path = /my/share
# Users allowed to access this share
valid users = user
# Enable the share to be seen when connecting
browseable = yes
# Enable writing to the share
writeable = yes
# File and Directory permissions for creation.
create mode = 0750
directory mode = 0750
```
#### Recycle Bin
To enable a recycle bin on your share, add this to the config:
```ini
# Enable recycle bin
vfs object = recycle
# Set recycle bin location
recycle:repository = /my/share/.Trash
# Directory permissions
recycle:directory_mode = 0750
# Keep the directory structure when something is deleted
recycle:keeptree = Yes
recycle:touch = Yes
# Set max file size
recycle:maxsize = 100000000
# Enable versioning
recycle:versions = no
# Exclude files from versioning
recycle:noversions = *.ini | *.dat
# Exclude from recycle bin
recycle:exclude = *.TMP | *.tmp | ~$*.doc
recycle:exclude_dir = tmp | temp | cache
```
#### Snapshots
If you want to expose snapshots (for example from [ZFS](../../linux/filesystems/ZFS.md)), add this config:
```ini
# Enable snapshots
vfs object = shadow_copy2
# Directory which holds the snapshots (relative to share)
shadow:snapdir = .zfs/snapshot
# Snapshot format (date and time)
shadow:format = SNAP_%Y.%m.%d-%H.%M.%S
# Snapshot sorting
shadow:sort = desc
```
## User Authentication
### 1. **User Mapping:**
- Samba maps local system users to SMB users. Use the `smbpasswd` command to set passwords for SMB users.

38
technology/applications/web/Uptime Kuma.md Normal file
View file

File diff suppressed because one or more lines are too long

61
technology/applications/web/Vikunja.md Normal file
View file

File diff suppressed because one or more lines are too long

172
technology/applications/web/dufs.md Normal file
View file

File diff suppressed because one or more lines are too long

34
technology/applications/web/mitmproxy.md Normal file
View file

File diff suppressed because one or more lines are too long

86
technology/applications/web/nginx.md Normal file
View file

@ -0,0 +1,86 @@
---
obj: application
website: https://nginx.org
repo: https://hg.nginx.org/nginx
---
# nginx
Nginx is a powerful open-source web server and reverse proxy server. It is widely used for serving static content, handling dynamic content through various modules, and acting as a load balancer.
## Docker Compose
```yml
version: '3'
services:
nginx:
image: nginx:latest
ports:
- "80:80"
volumes:
- ./html:/usr/share/nginx/html:ro
- ./nginx-custom.conf:/etc/nginx/conf.d/custom.conf:ro
restart: always
```
## Configuration
Nginx's configuration is defined in the `/etc/nginx/nginx.conf` file.
### Server Blocks (Virtual Hosts)
Nginx uses server blocks to define different virtual hosts. Each server block can have its own configuration, allowing Nginx to serve multiple websites on the same server.
Example of a basic server block:
```nginx
server {
listen 80;
listen 443 ssl;
ssl_certificate certs/example.com.crt;
ssl_certificate_key certs/example.com.key;
server_name example.com www.example.com;
location / {
root /var/www/example;
index index.html;
}
# Additional configuration can go here
}
```
In this example:
- `listen`: Specifies the port on which Nginx will listen for incoming requests.
- `server_name`: Defines the [domain](../../internet/Domain.md) names for this server block.
- `location`: Configures how Nginx processes requests for the specified location.
### Locations
The location directive is used to configure how Nginx handles different types of requests. It can be used for [URL](../../internet/URL.md) matching, proxying, and more.
Example of a location block:
```nginx
location /images/ {
alias /var/www/example/images/;
expires 30d;
add_header Cache-Control "public, max-age=2592000";
}
```
In this example:
- `alias`: Maps a location to a filesystem path.
- `expires`: Sets the cache expiration for the specified location.
- `add_header`: Adds custom [HTTP](../../internet/HTTP.md) headers to the response.
### Reverse Proxy
Nginx can act as a reverse proxy to forward requests to other servers.
Example of a reverse proxy configuration:
```nginx
location /app/ {
proxy_pass http://backend-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
```
In this example:
- `proxy_pass`: Specifies the backend server's address.
- `proxy_set_header`: Sets custom headers for the proxy request.

794
technology/applications/web/traefik.md Normal file
View file

@ -0,0 +1,794 @@
---
obj: application
website: https://traefik.io
repo: https://github.com/traefik/traefik
---
# traefik
Traefik is an open-source Edge Router (Reverse Proxy) that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.
Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.
- EntryPoints: EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for [TCP](../../internet/TCP.md) or [UDP](../../internet/UDP.md).
- Routers: A router is in charge of connecting incoming requests to the services that can handle them.
- Middlewares: Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
- Services: Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
## Docker Compose
```yaml
version: "3"
services:
traefik:
image: traefik:v2.10.4
ports:
- 80:80
- 443:443
- 28080:8080
volumes:
- ./conf:/etc/traefik
- ./logs:/var/log/traefik/
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
```
## Configuration
Configuration is done via the file `traefik.yaml`.
### Entrypoints
You need to define some entrypoints which accept incoming traffik.
```yaml
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
```
### Routers
A router is in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of middleware to update the request, or act before forwarding the request to the service.
Routers can handle [HTTP](../../internet/HTTP.md), [TCP](../../internet/TCP.md) and [UDP](../../internet/UDP.md) traffik.
Example:
```yaml
http:
routers:
my-router:
rule: "Path(`/foo`)"
service: service-foo
```
#### Entrypoints
If not specified, [HTTP](../../internet/HTTP.md) routers will accept requests from all defined entry points. If you want to limit the router scope to a set of entry points, set the entryPoints option.
Listen only to specific entrypoints:
```yaml
http:
routers:
Router-1:
# won't listen to entry point web
entryPoints:
- "websecure"
- "other"
rule: "Host(`example.com`)"
service: "service-1"
```
#### Rules
Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
```yaml
http:
routers:
Router:
rule: "Host(`example.com`)"
```
The table below lists all the available matchers:
| Rule | Description |
| --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Headers(\`key\`, \`value\`) | Check if there is a key `key` defined in the headers, with the value `value` |
| HeadersRegexp(\`key\`, \`regexp\`) | Check if there is a key `key` defined in the headers, with a value that matches the [regular expression](../../tools/Regex.md) `regexp` |
| Host(\`example.com\`, ...) | Check if the request [domain](../../internet/Domain.md) (host header value) targets one of the given `domains`. |
| HostRegexp(\`example.com\`, \`{subdomain:\[a-z]+}.example.com\`, ...) | Match the request [domain](../../internet/Domain.md) |
| Method(\`GET\`, ...) | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`, `HEAD`) |
| Path(\`/path\`, \`/articles/{cat:\[a-z]+}/{id:\[0-9]+}\`, ...) | Match exact request path |
| PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`) | Match request prefix path |
| Query(\`foo=bar\`, \`bar=baz\`) | Match Query String parameters. It accepts a sequence of `key=value` pairs. |
| ClientIP(\`10.0.0.0/16\`, \`::1\`) | Match if the request client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats. |
#### Middlewares
You can attach a list of middlewares to each [HTTP](../../internet/HTTP.md) router. The middlewares will take effect only if the rule matches, and before forwarding the request to the service.
```yaml
http:
routers:
my-router:
rule: "Path(`/foo`)"
middlewares:
- authentication
service: service-foo
```
#### Service
Each request must eventually be handled by a service, which is why each router definition should include a service target, which is basically where the request will be passed along to.
In general, a service assigned to a router should have been defined, but there are exceptions for label-based providers.
### TLS
When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore [HTTP](../../internet/HTTP.md) (non TLS) requests). Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services).
```yaml
http:
routers:
Router-1:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
# will terminate the TLS request
tls: {}
```
- `certResolver`
If `certResolver` is defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules.
```yaml
http:
routers:
routerfoo:
rule: "Host(`snitest.com`) && Path(`/foo`)"
tls:
certResolver: foo
```
- `domains`
You can set SANs (alternative domains) for each main [domain](../../internet/Domain.md). Every [domain](../../internet/Domain.md) must have A/AAAA records pointing to Traefik. Each [domain](../../internet/Domain.md) & SAN will lead to a certificate request.
```yaml
http:
routers:
routerbar:
rule: "Host(`snitest.com`) && Path(`/bar`)"
tls:
certResolver: "bar"
domains:
- main: "snitest.com"
sans:
- "*.snitest.com"
```
### Services
The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
Example:
```yaml
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://<private-ip-server-1>:<private-port-server-1>/"
- url: "http://<private-ip-server-2>:<private-port-server-2>/"
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "<private-ip-server-1>:<private-port-server-1>"
- address: "<private-ip-server-2>:<private-port-server-2>"
```
#### Load Balancing
Traefik can load balance across multiple servers with the `loadBalancer.servers` list.
```yaml
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://server1:8080"
- url: "http://server2:8080
```
#### Servers Transport
`serversTransport` allows to reference a ServersTransport configuration for the communication between Traefik and your servers.
```yaml
http:
services:
Service01:
loadBalancer:
serversTransport: mytransport
```
Define a serverTransport configuration:
```yaml
http:
serversTransports:
mytransport:
```
You can define root CAs used for verifying SSL between traefik and your servers:
```yaml
http:
serversTransports:
mytransport:
rootCAs:
- foo.crt
- bar.crt
```
Or skip SSL verification:
```yaml
http:
serversTransports:
mytransport:
insecureSkipVerify: true
```
### TLS
Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection (and its underlying certificates).
Traefik requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.
```yaml
certificatesResolvers:
myresolver:
# Enable ACME (Let's Encrypt): automatic SSL.
acme:
email: "test@example.com"
# File or key used for certificates storage.
storage: "acme.json"
# The certificates' duration in hours.
# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
#
# Optional
# Default: 2160
#
certificatesDuration: 2160
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
tlsChallenge:
# Use a HTTP-01 ACME challenge.
#
# Optional
#
httpChallenge:
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
entryPoint: web
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
dnsChallenge:
# DNS provider used.
#
# Required
#
provider: digitalocean
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
delayBeforeCheck: 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
resolvers
- "1.1.1.1:53"
- "8.8.8.8:53"
```
### Middlewares
Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
```yaml
http:
routers:
router1:
service: myService
middlewares:
- "foo-add-prefix"
rule: "Host(`example.com`)"
middlewares:
foo-add-prefix:
addPrefix:
prefix: "/foo"
services:
service1:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
```
#### [HTTP](../../internet/HTTP.md) Middlewares
##### Add Prefix
The AddPrefix middleware updates the path of a request before forwarding it. So `http://domain/path` would be `http://domain/prefix/path` if used.
```yaml
http:
middlewares:
add-foo:
addPrefix:
prefix: "/prefix"
```
##### BasicAuth
The BasicAuth middleware grants access to services to authorized users only.
- `users`
The `users` option is an array of authorized users. Each user must be declared using the name:hashed-password format.
```yaml
http:
middlewares:
test-auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
- `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
```yaml
http:
middlewares:
test-auth:
basicAuth:
usersFile: "/path/to/my/usersfile"
```
- `headerField`
You can define a header field to store the authenticated user using the `headerFieldoption`.
```yaml
http:
middlewares:
my-auth:
basicAuth:
# ...
headerField: "X-WebAuth-User"
```
- `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
##### Compress
Compress Responses before Sending them to the Client. The Compress middleware uses gzip compression.
- `excludedContentTypes` specifies a list of content types to compare the Content-Type header of the incoming requests and responses before compressing. The responses with content types defined in `excludedContentTypes` are not compressed.
- `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed. The default value is 1024, which should be a reasonable value for most cases.
```yaml
http:
middlewares:
test-compress:
compress:
excludedContentTypes:
- text/event-stream
minResponseBodyBytes: 1200
```
##### ContentType
The Content-Type middleware - or rather its `autoDetect` option - specifies whether to let the Content-Type header, if it has not been defined by the backend, be automatically set to a value derived from the contents of the response.
```yaml
http:
middlewares:
autodetect:
contentType:
autoDetect: true
```
##### DigestAuth
Adding Digest Authentication. The configuration options are the same as BasicAuth middleware.
```yaml
http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
##### Errors
The Errors middleware returns a custom page in lieu of the default, according to configured ranges of [HTTP](../../internet/HTTP.md) Status codes.
```yaml
http:
middlewares:
test-errors:
errors:
status:
- "500"
- "501"
- "503"
- "505-599"
service: serviceError
query: "/{status}.html"
```
- `status`
The status option defines which status or range of statuses should result in an error page.
The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).
- `service`
The service that will serve the new requested error page.
- `query`
The [URL](../../internet/URL.md) for the error page (hosted by `service`).
There are multiple variables that can be placed in the query option to insert values in the [URL](../../internet/URL.md).
The table below lists all the available variables and their associated values.
| Variable | Value |
| ---------- | ------------------------- |
| `{status}` | The response status code. |
| `{url}` | The escaped request [URL](../../internet/URL.md). |
##### ForwardAuth
The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
```
###### Forward-Request Headers
The following request properties are provided to the forward-auth target endpoint as X-Forwarded- headers:
| Property | Forward-Request Header |
| ----------------- | ---------------------- |
| [HTTP](../../internet/HTTP.md) Method | `X-Forwarded-Method` |
| Protocol | `X-Forwarded-Proto` |
| Host | `X-Forwarded-Host` |
| Request URI | `X-Forwarded-Uri` |
| Source IP-Address | `X-Forwarded-For` |
- `address`:
The `address` option defines the authentication server address.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
```
- `trustForwardHeader`
Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
trustForwardHeader: true
```
- `authResponseHeaders`
The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
authResponseHeaders:
- "X-Auth-User"
- "X-Secret"
```
- `authResponseHeadersRegex`
The `authResponseHeadersRegex` option is the [regex](../../tools/Regex.md) to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the [regex](../../tools/Regex.md).
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
authResponseHeadersRegex: "^X-"
```
- `authRequestHeaders`
The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server. It allows filtering headers that should not be passed to the authentication server. If not set or empty then all request headers are passed.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
authRequestHeaders:
- "Accept"
- "X-CustomHeader"
```
- `tls`
Defines the TLS configuration used for the secure connection to the authentication server.
```yaml
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
tls:
# CA used for SSL
ca: "path/to/local.crt"
# Skip SSL
insecureSkipVerify: true
```
##### Headers
Managing Request/Response headers
```yaml
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "test"
customResponseHeaders:
X-Custom-Response-Header: "value"
```
- Add/Remove Headers
```yaml
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "test" # Adds
X-Custom-Request-Header: "" # Removes
customResponseHeaders:
X-Custom-Response-Header: "" # Removes
```
- CORS Headers
```yaml
http:
middlewares:
testHeader:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlAllowHeaders: "*"
accessControlAllowOriginList:
- https://foo.bar.org
- https://example.org
accessControlMaxAge: 100
addVaryHeader: true
```
##### IPWhiteList
Limiting Clients to Specific IPs
IPWhitelist accepts / refuses requests based on the client IP.
```yaml
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
```
##### Ratelimit
The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
It is based on a token bucket implementation. In this analogy, the average parameter (defined below) is the rate at which the bucket refills, and the burst is the size (volume) of the bucket.
```yaml
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
burst: 50
```
- `average`
`average` is the maximum rate, by default in requests per second, allowed from a given source.
It defaults to `0`, which means no rate limiting.
The rate is actually defined by dividing `average` by `period`.
- `period`
`period`, in combination with `average`, defines the actual maximum rate.
It defaults to `1` second.
- `burst`
`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time. It defaults to `1`.
You can exclude IPs from rate limiting:
```yaml
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
```
##### RedirectScheme
The RedirectScheme middleware redirects the request if the request scheme is different from the configured scheme.
```yaml
http:
middlewares:
test-redirectscheme:
redirectScheme:
scheme: https
permanent: true
```
##### RedirectRegex
The RedirectRegex redirects a request using [regex](../../tools/Regex.md) matching and replacement.
```yaml
http:
middlewares:
test-redirectregex:
redirectRegex:
regex: "^http://localhost/(.*)"
replacement: "http://mydomain/${1}"
```
##### ReplacePath
The ReplacePath middleware will:
- replace the actual path with the specified one.
- store the original path in a `X-Replaced-Path` header.
```yaml
http:
middlewares:
test-replacepath:
replacePath:
path: "/foo"
```
##### ReplacePathRegex
The ReplacePathRegex middleware will:
- replace the matching path with the specified one.
- store the original path in a `X-Replaced-Path` header.
```yaml
http:
middlewares:
test-replacepathregex:
replacePathRegex:
regex: "^/foo/(.*)"
replacement: "/bar/$1"
```
##### Retry
The Retry middleware reissues requests a given number of times to a backend server if that server does not reply. As soon as the server answers, the middleware stops retrying, regardless of the response status. The Retry middleware has an optional configuration to enable an exponential backoff.
```yaml
http:
middlewares:
test-retry:
retry:
attempts: 4
initialInterval: 100ms
```
##### StripPrefix
Remove the specified prefixes from the [URL](../../internet/URL.md) path.
```yaml
http:
middlewares:
test-stripprefix:
stripPrefix:
prefixes:
- "/foobar"
- "/fiibar"
```
##### StripPrefixRegex
Remove the matching prefixes from the [URL](../../internet/URL.md) path.
```yaml
http:
middlewares:
test-stripprefixregex:
stripPrefixRegex:
regex:
- "/foo/[a-z0-9]+/[0-9]+/"
```
### Access log
Access logs allow you to keep track of what request are made to your server.
To enable the access logs:
```yaml
accessLog: {}
```
- `filePath`:
By default access logs are written to the standard output. To write the logs into a log file, use the `filePath` option.
```yaml
accessLog:
filePath: "/path/to/access.log"
```
- `format`:
By default, logs are written using the Common Log Format (CLF). To write logs in [JSON](../../files/JSON.md), use `json` in the `format` option. If the given format is unsupported, the default (CLF) is used instead.
> Common Log Format
> ```
><remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>m
>```
- `bufferingSize`
To write the logs in an asynchronous fashion, specify a `bufferingSize` option. This option represents the number of log lines Traefik will keep in memory before writing them to the selected output. In some cases, this option can greatly help performances.
```yaml
# Configuring a buffer of 100 lines
accessLog:
filePath: "/path/to/access.log"
bufferingSize: 100
```
#### Filtering
To filter logs, you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one.
The available filters are:
- `statusCodes`, to limit the access logs to requests with a status codes in the specified range
- `retryAttempts`, to keep the access logs when at least one retry has happened
- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format)
```yaml
# Configuring Multiple Filters
accessLog:
filePath: "/path/to/access.log"
format: json
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
```
##### Limiting the Fields/Including Headers
You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.headers` options.
Each field can be set to:
- `keep` to keep the value
- `drop` to drop the value
- `redact` to replace the value with "redacted"
The `defaultMode` for `fields.names` is `keep`.
The `defaultMode` for `fields.headers` is `drop`.
```yaml
# Limiting the Logs to Specific Fields
accessLog:
filePath: "/path/to/access.log"
format: json
fields:
defaultMode: keep
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Authorization: drop
Content-Type: keep
```

6
technology/applications/web/zigbee2mqtt.md Normal file
View file

@ -0,0 +1,6 @@
---
obj: application
---
# zigbee2mqtt
#wip #🐇 #add-repo #add-website