From 00837fb238424e61140153191639c42e6a560605 Mon Sep 17 00:00:00 2001
From: "AB from home.homenet"
Date: Sun, 12 Oct 2025 13:16:10 +0300
Subject: [PATCH] Changed syncthing access and auth scheme

---
 k8s/apps/syncthing/asset-router.yaml | 85 +++++++++++++++++++++++++++
 k8s/apps/syncthing/ingress-route.yaml | 38 +++++++++++-
 k8s/apps/syncthing/kustomization.yaml | 1 +
 k8s/apps/syncthing/middleware.yaml | 81 ++++++++++++++++++++++++-
 4 files changed, 203 insertions(+), 2 deletions(-)
 create mode 100644 k8s/apps/syncthing/asset-router.yaml

diff --git a/k8s/apps/syncthing/asset-router.yaml b/k8s/apps/syncthing/asset-router.yaml
new file mode 100644
index 0000000..0bff4c3
--- /dev/null
+++ b/k8s/apps/syncthing/asset-router.yaml
@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-router-config
+ namespace: syncthing
+data:
+ default.conf: |
+ server {
+ listen 80;
+ server_name _;
+
+ # Route assets based on cookie or referer
+ location / {
+ # Check cookie first
+ if ($cookie_syncthing_instance = "nas") {
+ proxy_pass http://syncthing-nas:8384;
+ }
+ if ($cookie_syncthing_instance = "master") {
+ proxy_pass http://syncthing-master:8384;
+ }
+ if ($cookie_syncthing_instance = "iris") {
+ proxy_pass http://syncthing-khv:8384;
+ }
+
+ # Check referer as fallback
+ if ($http_referer ~ "/nas") {
+ proxy_pass http://syncthing-nas:8384;
+ }
+ if ($http_referer ~ "/master") {
+ proxy_pass http://syncthing-master:8384;
+ }
+ if ($http_referer ~ "/iris") {
+ proxy_pass http://syncthing-khv:8384;
+ }
+
+ # Default to nas if no match
+ proxy_pass http://syncthing-nas:8384;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: syncthing-router
+ namespace: syncthing
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: syncthing-router
+ template:
+ metadata:
+ labels:
+ app: syncthing-router
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:alpine
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: config
+ mountPath: /etc/nginx/conf.d
+ volumes:
+ - name: config
+ configMap:
+ name: nginx-router-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: syncthing-router
+ namespace: syncthing
+spec:
+ selector:
+ app: syncthing-router
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
\ No newline at end of file
diff --git a/k8s/apps/syncthing/ingress-route.yaml b/k8s/apps/syncthing/ingress-route.yaml
index 1b5fe2b..a9a8adc 100644
--- a/k8s/apps/syncthing/ingress-route.yaml
+++ b/k8s/apps/syncthing/ingress-route.yaml
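Review bot: The cookie checks at the top of `location /` are not the primary selector the comments say they are: as far as I know nginx applies the last matching `if` block in a location, so a later Referer match overrides a cookie match instead of acting as a fallback, and the unanchored `~ "/nas"` patterns also fire on any Referer whose path merely contains that substring (for example a folder named `nas-share` under `/master`). Replacing the `if` chain with `map` blocks makes the precedence explicit and first-match, and anchoring the Referer patterns to the first path segment after `ss.hexor.cy` removes the substring ambiguity; note that `proxy_pass` with a variable needs a `resolver` directive pointing at cluster DNS, which I have left as a placeholder. Separately, `image: nginx:alpine` is a floating tag and the Deployment sets no `securityContext` or resource limits, so pinning the image (tag or digest) would keep the router reproducible. Both the cookie and the Referer are client-controlled, which is acceptable here only because this route sits behind `authentik-forward-auth` and every possible target is one of the three instances already exposed under their own prefixes.

```yaml
data:
  default.conf: |
    # cluster DNS: proxy_pass with a variable resolves the upstream per request
    resolver <CLUSTER_DNS_IP_PLACEHOLDER> valid=30s;

    # Explicit precedence: cookie first, then anchored Referer, then the nas default
    map $cookie_syncthing_instance $upstream_by_cookie {
        nas      http://syncthing-nas:8384;
        master   http://syncthing-master:8384;
        iris     http://syncthing-khv:8384;
        default  "";
    }
    map $http_referer $upstream_by_referer {
        ~^https://ss\.hexor\.cy/nas(/|$)     http://syncthing-nas:8384;
        ~^https://ss\.hexor\.cy/master(/|$)  http://syncthing-master:8384;
        ~^https://ss\.hexor\.cy/iris(/|$)    http://syncthing-khv:8384;
        default                              http://syncthing-nas:8384;
    }
    map $upstream_by_cookie $upstream {
        ""       $upstream_by_referer;
        default  $upstream_by_cookie;
    }

    server {
        # … unchanged: listen / server_name …
        location / {
            proxy_pass $upstream;
            # … unchanged: proxy_set_header lines …
        }
    }
# … unchanged: Deployment and Service …
```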
@@ -7,7 +7,8 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`ss.hexor.cy`)
+ # Landing page
+ - match: Host(`ss.hexor.cy`) && Path(`/`)
 kind: Rule
 services:
 - name: syncthing-landing
@@ -15,35 +16,70 @@ spec:
 middlewares:
 - name: authentik-forward-auth
 namespace: syncthing
+
+ # NAS instance and its assets
 - match: Host(`ss.hexor.cy`) && PathPrefix(`/nas`)
 kind: Rule
+ priority: 100
 services:
 - name: syncthing-nas
 port: 8384
 middlewares:
 - name: authentik-forward-auth
 namespace: syncthing
+ - name: syncthing-headers-nas
+ namespace: syncthing
+ - name: set-cookie-nas
+ namespace: syncthing
 - name: strip-prefix-nas
 namespace: syncthing
+
+ # Master instance and its assets
 - match: Host(`ss.hexor.cy`) && PathPrefix(`/master`)
 kind: Rule
+ priority: 100
 services:
 - name: syncthing-master
 port: 8384
 middlewares:
 - name: authentik-forward-auth
 namespace: syncthing
+ - name: syncthing-headers-master
+ namespace: syncthing
+ - name: set-cookie-master
+ namespace: syncthing
 - name: strip-prefix-master
 namespace: syncthing
+
+ # Iris instance and its assets
 - match: Host(`ss.hexor.cy`) && PathPrefix(`/iris`)
 kind: Rule
+ priority: 100
 services:
 - name: syncthing-khv
 port: 8384
 middlewares:
 - name: authentik-forward-auth
 namespace: syncthing
+ - name: syncthing-headers-iris
+ namespace: syncthing
+ - name: set-cookie-iris
+ namespace: syncthing
 - name: strip-prefix-iris
 namespace: syncthing
+
+ # Catch all static assets and route based on referer header
+ - match: Host(`ss.hexor.cy`) && (PathPrefix(`/vendor`) || PathPrefix(`/theme-assets`) || PathPrefix(`/meta`) || PathPrefix(`/syncthing`))
+ kind: Rule
+ priority: 50
+ services:
+ - name: syncthing-router
+ namespace: syncthing
+ port: 80
+ middlewares:
+ - name: authentik-forward-auth
+ namespace: syncthing
+ - name: asset-router
+ namespace: syncthing
 tls:
 secretName: syncthing-tls
\ No newline at end of file
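Review bot: The catch-all asset route at the end of the second hunk makes the instance decision twice: the `asset-router` middleware dispatches on Referer to `syncthing-nas`/`syncthing-master`/`syncthing-khv`, and the `syncthing-router` service it points at is an nginx that repeats the same Referer/cookie selection, so which layer actually chose the backend cannot be read from the manifest. If the plugin is meant to be authoritative and nginx only a default for requests the plugin leaves alone (my reading, not something the manifest states), say so in a comment above the route, e.g. `# Assets: asset-router plugin selects the instance from Referer; syncthing-router (nginx) only sees requests the plugin does not match`; otherwise drop one of the two mechanisms. `asset-router` is a `plugin: simplerouter` Middleware, which as far as I know has to be enabled in Traefik's static configuration, and a router that references a middleware Traefik cannot build is disabled rather than served without it, so a missing plugin would take every asset path down silently — worth a check after deploy. The `routes` list and the IngressRoute `spec` begin before this hunk.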
diff --git a/k8s/apps/syncthing/kustomization.yaml b/k8s/apps/syncthing/kustomization.yaml
index b0aa069..d29ea1e 100644
--- a/k8s/apps/syncthing/kustomization.yaml
+++ b/k8s/apps/syncthing/kustomization.yaml
@@ -7,6 +7,7 @@ resources: - ingress-route.yaml - middleware.yaml - landing-page.yaml + - asset-router.yaml helmCharts: - name: syncthing
diff --git a/k8s/apps/syncthing/middleware.yaml b/k8s/apps/syncthing/middleware.yaml
index 598644d..28b33bc 100644
--- a/k8s/apps/syncthing/middleware.yaml
+++ b/k8s/apps/syncthing/middleware.yaml
@@ -24,6 +24,7 @@ spec:
 stripPrefix:
 prefixes:
 - /nas
+ forceSlash: false
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -34,6 +35,7 @@ spec:
 stripPrefix:
 prefixes:
 - /master
+ forceSlash: false
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -43,4 +45,81 @@ metadata:
 spec:
 stripPrefix:
 prefixes:
- - /iris
\ No newline at end of file
+ - /iris
+ forceSlash: false
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: syncthing-headers-nas
+ namespace: syncthing
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Prefix: "/nas"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: syncthing-headers-master
+ namespace: syncthing
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Prefix: "/master"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: syncthing-headers-iris
+ namespace: syncthing
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Prefix: "/iris"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: set-cookie-nas
+ namespace: syncthing
+spec:
+ headers:
+ customResponseHeaders:
+ Set-Cookie: "syncthing_instance=nas; Path=/; HttpOnly"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: set-cookie-master
+ namespace: syncthing
+spec:
+ headers:
+ customResponseHeaders:
+ Set-Cookie: "syncthing_instance=master; Path=/; HttpOnly"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: set-cookie-iris
+ namespace: syncthing
+spec:
+ headers:
+ customResponseHeaders:
+ Set-Cookie: "syncthing_instance=iris; Path=/; HttpOnly"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: asset-router
+ namespace: syncthing
+spec:
+ plugin:
+ simplerouter:
+ routes:
+ - match: Header(`Referer`, `.*\/nas.*`)
+ service: syncthing-nas
+ - match: Header(`Referer`, `.*\/master.*`)
+ service: syncthing-master
+ - match: Header(`Referer`, `.*\/iris.*`)
+ service: syncthing-khv
\ No newline at end of file
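Review bot: The `Set-Cookie` values in the three `set-cookie-*` middlewares carry `HttpOnly` but neither `Secure` nor `SameSite`, even though the routes that attach them are served on the `websecure` entrypoint only; `Set-Cookie: "syncthing_instance=nas; Path=/; HttpOnly; Secure; SameSite=Lax"` (and the same for `master` and `iris`) keeps the selector cookie off plaintext connections and out of cross-site requests. As I understand the headers middleware, `customResponseHeaders` sets the header rather than appending to it, so any `Set-Cookie` the Syncthing backend emits on the same response (its own session or CSRF-token cookie, for instance) would be overwritten — worth confirming in the browser before relying on this. The `asset-router` matchers `.*\/nas.*` are unanchored substring regexes over a client-controlled header, so a Referer like `https://ss.hexor.cy/master/nas-share` would be routed to the nas instance by the first rule; anchoring on the first path segment after the host removes that ambiguity, though the exact syntax depends on the plugin. This middleware also duplicates the Referer routing the nginx router in `asset-router.yaml` already performs, so the two should not both be active on the same route.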