Compose-Examples/examples/traefik/fileConfig.yml

http:

  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
  #routers:
  #  homeassistant:
  #    entryPoints:
  #      - https
  #      - http
  #    rule: 'Host(`ha.example.com`)'
  #    service: homeassistant
  #    middlewares:
  #      - "local-ipwhitelist@file"

  #  pve:
  #    entryPoints:
  #      - https
  #      - http
  #    rule: 'Host(`pve.example.com`)'
  #    service: pve
  #    middlewares:
  #      - "local-ipwhitelist@file"

  ## SERVICES EXAMPLE ##
  #services:
  #  homeassistant:
  #    loadBalancer:
  #      serversTransport: insecureTransport
  #      servers:
  #        - url: http://192.168.1.10:8123

  #  pve:
  #    loadBalancer:
  #      serversTransport: insecureTransport
  #      servers:
  #        - url: https://192.168.1.20:8006

  # allow self-signed certificates for proxied web services
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - 127.0.0.1/32 # localhost
          - 10.0.0.0/8 # private class A
          - 172.16.0.0/12 # private class B
          - 192.168.0.0/16 # private class C

    # Security headers
    security-headers:
      headers:
        customResponseHeaders: # field names are case-insensitive
          #X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex"
          Server: "" # prevent version disclosure
          X-Powered-By: "" # prevent version disclosure
          X-Forwarded-Proto: "https"
          #Permissions-Policy: "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), gyroscope=(self), microphone=(self)"
          #Cross-Origin-Embedder-Policy: "unsafe-none"
          #Cross-Origin-Opener-Policy: "same-origin"
          #Cross-Origin-Resource-Policy: "same-site"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        contentTypeNosniff: true # X-Content-Type-Options
        customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options
        browserXssFilter: false # X-XSS-Protection; deprecated
        referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
        forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS)
        stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
        stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
        stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
        #contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)

    # Authelia guard
    authelia:
      forwardauth:
        address: http://authelia:9091/api/verify?rd=https://auth.example.com/  # replace example.com with your domain name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

    # rate limiting
    rate-limit:
      rateLimit:
        average: 100
        period: 1
        burst: 100

    # basic auth popup
    basic-auth:
      basicAuth:
        # https://hostingcanada.org/htpasswd-generator/
        users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password

# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
clean commit 2023-02-15 21:45:31 +00:00			`http:`

			`## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##`
			`#routers:`
			`# homeassistant:`
			`# entryPoints:`
			`# - https`
			`# - http`
			# rule: 'Host(`ha.example.com`)'
			`# service: homeassistant`
			`# middlewares:`
			`# - "local-ipwhitelist@file"`

			`# pve:`
			`# entryPoints:`
			`# - https`
			`# - http`
			# rule: 'Host(`pve.example.com`)'
			`# service: pve`
			`# middlewares:`
			`# - "local-ipwhitelist@file"`

			`## SERVICES EXAMPLE ##`
			`#services:`
			`# homeassistant:`
			`# loadBalancer:`
			`# serversTransport: insecureTransport`
			`# servers:`
			`# - url: http://192.168.1.10:8123`

			`# pve:`
			`# loadBalancer:`
			`# serversTransport: insecureTransport`
			`# servers:`
			`# - url: https://192.168.1.20:8006`

			`# allow self-signed certificates for proxied web services`
			`serversTransports:`
			`insecureTransport:`
			`insecureSkipVerify: true`

			`## MIDDLEWARES ##`
			`middlewares:`
			`# Only Allow Local networks`
			`local-ipwhitelist:`
			`ipWhiteList:`
add authelia 2023-03-01 23:37:37 +00:00			`sourceRange:`
clean commit 2023-02-15 21:45:31 +00:00			`- 127.0.0.1/32 # localhost`
			`- 10.0.0.0/8 # private class A`
			`- 172.16.0.0/12 # private class B`
			`- 192.168.0.0/16 # private class C`

			`# Security headers`
			`security-headers:`
			`headers:`
			`customResponseHeaders: # field names are case-insensitive`
Update fileConfig.yml make x-robot optional 2023-07-30 08:18:37 +00:00			`#X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex"`
clean commit 2023-02-15 21:45:31 +00:00			`Server: "" # prevent version disclosure`
			`X-Powered-By: "" # prevent version disclosure`
			`X-Forwarded-Proto: "https"`
Update fileConfig.yml 2023-02-17 19:06:13 +00:00			`#Permissions-Policy: "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), gyroscope=(self), microphone=(self)"`
			`#Cross-Origin-Embedder-Policy: "unsafe-none"`
			`#Cross-Origin-Opener-Policy: "same-origin"`
			`#Cross-Origin-Resource-Policy: "same-site"`
clean commit 2023-02-15 21:45:31 +00:00			`sslProxyHeaders:`
			`X-Forwarded-Proto: "https"`
			`hostsProxyHeaders:`
			`- "X-Forwarded-Host"`
			`customRequestHeaders:`
			`X-Forwarded-Proto: "https"`
			`contentTypeNosniff: true # X-Content-Type-Options`
			`customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options`
			`browserXssFilter: false # X-XSS-Protection; deprecated`
			`referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy`
			`forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS)`
			`stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)`
			`stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)`
			`stsPreload: true # HTTP-Strict-Transport-Security (HSTS)`
			`#contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)`
add authelia 2023-03-01 23:37:37 +00:00
			`# Authelia guard`
			`authelia:`
			`forwardauth:`
			`address: http://authelia:9091/api/verify?rd=https://auth.example.com/ # replace example.com with your domain name`
			`trustForwardHeader: true`
			`authResponseHeaders:`
			`- Remote-User`
			`- Remote-Groups`
			`- Remote-Name`
			`- Remote-Email`

clean commit 2023-02-15 21:45:31 +00:00			`# rate limiting`
			`rate-limit:`
			`rateLimit:`
			`average: 100`
			`period: 1`
			`burst: 100`

			`# basic auth popup`
			`basic-auth:`
			`basicAuth:`
			`# https://hostingcanada.org/htpasswd-generator/`
			`users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password`

			`# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6`
			`tls:`
			`options:`
			`default:`
			`minVersion: VersionTLS12`
			`cipherSuites:`
			`- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
			`- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
			`- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
			`- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
			`- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`
			`- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`