2023-02-15 21:45:31 +00:00
|
|
|
http:
|
|
|
|
|
|
|
|
|
|
## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
|
|
|
|
|
#routers:
|
|
|
|
|
# homeassistant:
|
|
|
|
|
# entryPoints:
|
|
|
|
|
# - https
|
|
|
|
|
# - http
|
|
|
|
|
# rule: 'Host(`ha.example.com`)'
|
|
|
|
|
# service: homeassistant
|
|
|
|
|
# middlewares:
|
|
|
|
|
# - "local-ipwhitelist@file"
|
|
|
|
|
|
|
|
|
|
# pve:
|
|
|
|
|
# entryPoints:
|
|
|
|
|
# - https
|
|
|
|
|
# - http
|
|
|
|
|
# rule: 'Host(`pve.example.com`)'
|
|
|
|
|
# service: pve
|
|
|
|
|
# middlewares:
|
|
|
|
|
# - "local-ipwhitelist@file"
|
|
|
|
|
|
|
|
|
|
## SERVICES EXAMPLE ##
|
|
|
|
|
#services:
|
|
|
|
|
# homeassistant:
|
|
|
|
|
# loadBalancer:
|
|
|
|
|
# serversTransport: insecureTransport
|
|
|
|
|
# servers:
|
|
|
|
|
# - url: http://192.168.1.10:8123
|
|
|
|
|
|
|
|
|
|
# pve:
|
|
|
|
|
# loadBalancer:
|
|
|
|
|
# serversTransport: insecureTransport
|
|
|
|
|
# servers:
|
|
|
|
|
# - url: https://192.168.1.20:8006
|
|
|
|
|
|
|
|
|
|
# allow self-signed certificates for proxied web services
|
|
|
|
|
serversTransports:
|
|
|
|
|
insecureTransport:
|
|
|
|
|
insecureSkipVerify: true
|
|
|
|
|
|
|
|
|
|
## MIDDLEWARES ##
|
|
|
|
|
middlewares:
|
|
|
|
|
# Only Allow Local networks
|
|
|
|
|
local-ipwhitelist:
|
2024-03-16 19:44:14 +00:00
|
|
|
ipAllowList:
|
2023-03-01 23:37:37 +00:00
|
|
|
sourceRange:
|
2023-02-15 21:45:31 +00:00
|
|
|
- 127.0.0.1/32 # localhost
|
|
|
|
|
- 10.0.0.0/8 # private class A
|
|
|
|
|
- 172.16.0.0/12 # private class B
|
|
|
|
|
- 192.168.0.0/16 # private class C
|
2024-03-17 06:39:21 +00:00
|
|
|
#ipstrategy: # enable this when cloudflare proxy in use
|
|
|
|
|
# depth: 1 # enable this when cloudflare proxy in use
|
2023-02-15 21:45:31 +00:00
|
|
|
|
|
|
|
|
# Security headers
|
|
|
|
|
security-headers:
|
|
|
|
|
headers:
|
|
|
|
|
customResponseHeaders: # field names are case-insensitive
|
2023-07-30 08:18:37 +00:00
|
|
|
#X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex"
|
2023-02-15 21:45:31 +00:00
|
|
|
Server: "" # prevent version disclosure
|
|
|
|
|
X-Powered-By: "" # prevent version disclosure
|
|
|
|
|
X-Forwarded-Proto: "https"
|
2024-02-14 16:47:39 +00:00
|
|
|
#Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
|
2023-02-17 19:06:13 +00:00
|
|
|
#Cross-Origin-Embedder-Policy: "unsafe-none"
|
|
|
|
|
#Cross-Origin-Opener-Policy: "same-origin"
|
|
|
|
|
#Cross-Origin-Resource-Policy: "same-site"
|
2023-02-15 21:45:31 +00:00
|
|
|
sslProxyHeaders:
|
|
|
|
|
X-Forwarded-Proto: "https"
|
|
|
|
|
hostsProxyHeaders:
|
|
|
|
|
- "X-Forwarded-Host"
|
|
|
|
|
customRequestHeaders:
|
|
|
|
|
X-Forwarded-Proto: "https"
|
|
|
|
|
contentTypeNosniff: true # X-Content-Type-Options
|
|
|
|
|
customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options
|
|
|
|
|
browserXssFilter: false # X-XSS-Protection; deprecated
|
|
|
|
|
referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
|
|
|
|
|
forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS)
|
|
|
|
|
stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
|
|
|
|
|
stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
|
|
|
|
|
stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
|
2024-02-14 16:47:39 +00:00
|
|
|
#contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP)
|
2023-03-01 23:37:37 +00:00
|
|
|
|
|
|
|
|
# Authelia guard
|
2024-03-15 20:40:14 +00:00
|
|
|
#authelia:
|
|
|
|
|
# forwardauth:
|
|
|
|
|
# address: http://authelia:9091/api/authz/forward-auth # replace example.com with your domain name
|
|
|
|
|
# trustForwardHeader: true
|
|
|
|
|
# authResponseHeaders:
|
|
|
|
|
# - Remote-User
|
|
|
|
|
# - Remote-Groups
|
|
|
|
|
# - Remote-Name
|
|
|
|
|
# - Remote-Email
|
2023-03-01 23:37:37 +00:00
|
|
|
|
2024-10-22 00:31:44 +00:00
|
|
|
#crowdsec:
|
|
|
|
|
# plugin:
|
|
|
|
|
# bouncer:
|
|
|
|
|
# enabled: true
|
|
|
|
|
# defaultDecisionSeconds: 60
|
|
|
|
|
# crowdsecMode: live
|
2024-10-27 11:48:56 +00:00
|
|
|
# crowdsecAppsecEnabled: false
|
|
|
|
|
# crowdsecAppsecHost: crowdsec:7422
|
2024-10-22 00:31:44 +00:00
|
|
|
# crowdsecAppsecFailureBlock: true
|
|
|
|
|
# crowdsecAppsecUnreachableBlock: true
|
2024-10-22 11:57:55 +00:00
|
|
|
# crowdsecLapiKey: FIXME-LAPI-KEY # <--- replace this later
|
2024-10-22 00:31:44 +00:00
|
|
|
# crowdsecLapiHost: crowdsec:8080
|
|
|
|
|
# crowdsecLapiScheme: http
|
|
|
|
|
# crowdsecLapiTLSInsecureVerify: false
|
|
|
|
|
# forwardedHeadersTrustedIPs:
|
2024-10-22 11:57:55 +00:00
|
|
|
# # private class ranges
|
2024-10-22 00:31:44 +00:00
|
|
|
# - 10.0.0.0/8
|
|
|
|
|
# - 172.16.0.0/12
|
|
|
|
|
# - 192.168.0.0/16
|
2024-10-24 07:30:33 +00:00
|
|
|
# ## cloudflare ipv4
|
|
|
|
|
# #- 103.21.244.0/22
|
|
|
|
|
# #- 103.22.200.0/22
|
|
|
|
|
# #- 103.31.4.0/22
|
|
|
|
|
# #- 104.16.0.0/13
|
|
|
|
|
# #- 104.24.0.0/14
|
|
|
|
|
# #- 108.162.192.0/18
|
|
|
|
|
# #- 131.0.72.0/22
|
|
|
|
|
# #- 141.101.64.0/18
|
|
|
|
|
# #- 162.158.0.0/15
|
|
|
|
|
# #- 172.64.0.0/13
|
|
|
|
|
# #- 173.245.48.0/20
|
|
|
|
|
# #- 188.114.96.0/20
|
|
|
|
|
# #- 190.93.240.0/20
|
|
|
|
|
# #- 197.234.240.0/22
|
|
|
|
|
# #- 198.41.128.0/17
|
|
|
|
|
# ## cloudflare ipv6
|
|
|
|
|
# #- 2400:cb00::/32
|
|
|
|
|
# #- 2606:4700::/32
|
|
|
|
|
# #- 2803:f800::/32
|
|
|
|
|
# #- 2405:b500::/32
|
|
|
|
|
# #- 2405:8100::/32
|
|
|
|
|
# #- 2a06:98c0::/29
|
|
|
|
|
# #- 2c0f:f248::/32
|
2024-10-22 00:31:44 +00:00
|
|
|
# clientTrustedIPs:
|
2024-10-22 11:57:55 +00:00
|
|
|
# # private class ranges
|
2024-10-22 00:31:44 +00:00
|
|
|
# - 10.0.0.0/8
|
|
|
|
|
# - 172.16.0.0/12
|
|
|
|
|
# - 192.168.0.0/16
|
|
|
|
|
|
2023-02-15 21:45:31 +00:00
|
|
|
# rate limiting
|
|
|
|
|
rate-limit:
|
|
|
|
|
rateLimit:
|
|
|
|
|
average: 100
|
|
|
|
|
period: 1
|
|
|
|
|
burst: 100
|
|
|
|
|
|
|
|
|
|
# basic auth popup
|
|
|
|
|
basic-auth:
|
|
|
|
|
basicAuth:
|
|
|
|
|
# https://hostingcanada.org/htpasswd-generator/
|
|
|
|
|
users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password
|
|
|
|
|
|
|
|
|
|
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6
|
|
|
|
|
tls:
|
|
|
|
|
options:
|
|
|
|
|
default:
|
2024-03-19 11:56:08 +00:00
|
|
|
#sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking
|
2023-02-15 21:45:31 +00:00
|
|
|
minVersion: VersionTLS12
|
|
|
|
|
cipherSuites:
|
|
|
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
|
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
|
|
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
