http:

  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
  ## Note: these example routers attach to BOTH the `https` and `http` entryPoints, so the backend is
  ## reachable over plaintext unless the `http` entryPoint redirects to HTTPS (static config).
  #routers:
  #  homeassistant:
  #    entryPoints:
  #      - https
  #      - http
  #    rule: 'Host(`ha.example.com`)'
  #    service: homeassistant
  #    middlewares:
  #      - "local-ipwhitelist@file"

  #  pve:
  #    entryPoints:
  #      - https
  #      - http
  #    rule: 'Host(`pve.example.com`)'
  #    service: pve
  #    middlewares:
  #      - "local-ipwhitelist@file"

  ## SERVICES EXAMPLE ## (an http:// backend URL is proxied in plaintext across the LAN; the https://
  ## one is encrypted but, via insecureTransport, its certificate is not verified)
  #services:
  #  homeassistant:
  #    loadBalancer:
  #      serversTransport: insecureTransport
  #      servers:
  #        - url: http://192.168.1.10:8123

  #  pve:
  #    loadBalancer:
  #      serversTransport: insecureTransport
  #      servers:
  #        - url: https://192.168.1.20:8006

  # allow self-signed certificates for proxied web services
  # NOTE(review): insecureSkipVerify disables ALL backend certificate checks (chain, hostname,
  # expiry) for services that reference this transport, so Traefik cannot detect an impersonated
  # backend. Reference it only for services on a trusted network segment; where the backend CA is
  # available, a transport with `rootCAs` and no insecureSkipVerify is the safer choice. Services
  # that do not set `serversTransport` keep the default transport, which verifies certificates.
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    # Attach to routers that must never be reachable from the internet. Without `ipstrategy` the
    # client address is taken from the TCP connection (RemoteAddr), which a forged
    # X-Forwarded-For header cannot influence.
    # NOTE(review): `ipAllowList` exists from Traefik v2.11 onward (older releases only know
    # `ipWhiteList`) — confirm against the deployed version.
    local-ipwhitelist:
      ipAllowList:
        sourceRange:
          - 127.0.0.1/32 # loopback; only matches when Traefik is reached via the host loopback, not via a container bridge
          - 10.0.0.0/8 # RFC 1918 private range
          - 172.16.0.0/12 # RFC 1918 private range (Docker bridge networks typically fall in here, so other containers on the host pass too)
          - 192.168.0.0/16 # RFC 1918 private range
          # No IPv6 entries: if an entryPoint is reachable over IPv6, local clients (::1/128,
          # fc00::/7 ULA, fe80::/10 link-local) are denied until added here.
        #ipstrategy: # enable this when cloudflare proxy in use
        #  depth: 1 # enable this when cloudflare proxy in use
        # NOTE(review): `depth` derives the client IP from X-Forwarded-For. Enable it only when every
        # path to this entryPoint goes through the proxy that sets the header (restrict the entryPoint
        # with forwardedHeaders.trustedIPs in the static config); otherwise any client can claim a
        # private address and walk past this allow-list.

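    # Security headers
    # Adds/strips HTTP security headers on responses and normalises the proto/host headers the
    # backend sees. Attach only to routers on the `https` entryPoint: the request-side
    # X-Forwarded-Proto is set to "https" unconditionally, so a plaintext router would lie to its
    # backend. CSP and Permissions-Policy stay commented because safe values are app-specific.
    security-headers:
      headers:
        customResponseHeaders: # field names are case-insensitive; an empty value removes the header
          #X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex"
          Server: "" # strip the backend's Server header to prevent version disclosure
          X-Powered-By: "" # strip the backend's X-Powered-By header to prevent version disclosure
          # (X-Forwarded-Proto was removed from here: it is a request header, and sending it back
          # to clients in the response has no effect.)
          #Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
          #Cross-Origin-Embedder-Policy: "unsafe-none"
          #Cross-Origin-Opener-Policy: "same-origin"
          #Cross-Origin-Resource-Policy: "same-site"
        sslProxyHeaders: # request headers that mark a request as already-HTTPS (mainly relevant when forceSTSHeader is false)
          X-Forwarded-Proto: "https"
        hostsProxyHeaders: # header that may carry the proxied hostname; presumably only consulted by an `allowedHosts` check, which is not configured here — verify if relied upon
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https" # tells the backend the client connection was TLS (see note above)
        contentTypeNosniff: true # X-Content-Type-Options: nosniff
        customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options; a CSP frame-ancestors directive, if enabled, takes precedence in modern browsers
        browserXssFilter: false # X-XSS-Protection; deprecated, leave disabled
        referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
        forceSTSHeader: true # HSTS: emit even when the middleware does not itself detect TLS
        stsIncludeSubdomains: true # HSTS applies to every subdomain of the served host, including ones served by other systems
        stsSeconds: 63072000 # HSTS max-age: 2 years (the preload list requires at least 1 year)
        stsPreload: true # HSTS preload; inclusion in the browser preload list is hard to undo — keep only once ALL subdomains are HTTPS-only
        #contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP)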

    # Authelia guard
    #authelia:
    #  forwardauth:
    #    address: http://authelia:9091/api/authz/forward-auth # Authelia's forward-auth endpoint on the internal container network; no public hostname is needed here
    #    trustForwardHeader: true # passes the client's X-Forwarded-* headers to Authelia unmodified; Authelia presumably derives the protected URL from them, so this is only safe if the entryPoint already limits forwarded headers to trusted proxies (forwardedHeaders.trustedIPs), otherwise a client can spoof them
    #    authResponseHeaders:
    #      - Remote-User
    #      - Remote-Groups
    #      - Remote-Name
    #      - Remote-Email

    #crowdsec:
    #  plugin:
    #    bouncer:
    #      enabled: true
    #      defaultDecisionSeconds: 60
    #      crowdsecMode: live
    #      crowdsecAppsecEnabled: false
    #      crowdsecAppsecHost: crowdsec:7422
    #      crowdsecAppsecFailureBlock: true
    #      crowdsecAppsecUnreachableBlock: true
    #      crowdsecLapiKey: FIXME-LAPI-KEY # <--- replace this later; the LAPI key is a credential, keep the real value out of the committed file (inject via environment/secret) and never run with the placeholder
    #      crowdsecLapiHost: crowdsec:8080
    #      crowdsecLapiScheme: http
    #      crowdsecLapiTLSInsecureVerify: false
    #      forwardedHeadersTrustedIPs:
    #        # RFC 1918 ranges: proxies here may supply the real client IP via X-Forwarded-For, so any host in these ranges can choose the address the bouncer evaluates — list only the actual upstream proxies if the LAN is not fully trusted
    #        - 10.0.0.0/8
    #        - 172.16.0.0/12
    #        - 192.168.0.0/16
    #        ## cloudflare ipv4
    #        #- 103.21.244.0/22
    #        #- 103.22.200.0/22
    #        #- 103.31.4.0/22
    #        #- 104.16.0.0/13
    #        #- 104.24.0.0/14
    #        #- 108.162.192.0/18
    #        #- 131.0.72.0/22
    #        #- 141.101.64.0/18
    #        #- 162.158.0.0/15
    #        #- 172.64.0.0/13
    #        #- 173.245.48.0/20
    #        #- 188.114.96.0/20
    #        #- 190.93.240.0/20
    #        #- 197.234.240.0/22
    #        #- 198.41.128.0/17
    #        ## cloudflare ipv6
    #        #- 2400:cb00::/32
    #        #- 2606:4700::/32
    #        #- 2803:f800::/32
    #        #- 2405:b500::/32
    #        #- 2405:8100::/32
    #        #- 2a06:98c0::/29
    #        #- 2c0f:f248::/32
    #      clientTrustedIPs:
    #        # RFC 1918 ranges: clients here are trusted by the bouncer (per the plugin's option semantics, exempt from CrowdSec decisions), so a compromised LAN host is never blocked by it
    #        - 10.0.0.0/8
    #        - 172.16.0.0/12
    #        - 192.168.0.0/16

    # rate limiting
    # Token bucket per client: `average` requests per `period` (100 req/s here; `1` is read as
    # 1s, the default) plus a `burst` of 100 before requests are rejected with 429.
    # NOTE(review): the default source criterion is the connection's remote address. Behind a
    # CDN/reverse proxy (Cloudflare) every request arrives from the proxy's addresses, so all real
    # users share one bucket; set `sourceCriterion.ipStrategy` (with the entryPoint's
    # forwardedHeaders.trustedIPs) or `sourceCriterion.requestHeaderName` in that case.
    rate-limit:
      rateLimit:
        average: 100
        period: 1
        burst: 100

    # basic auth popup
    # HTTP Basic authentication. Credentials travel with every request, so attach only to
    # routers on the `https` entryPoint.
    # NOTE(review): the hash below is a published example for `admin:password` — anyone reading
    # this file can log in. Replace it before enabling the middleware, generate real hashes
    # locally (`htpasswd -nB`) rather than pasting passwords into a third-party web generator,
    # and keep them out of version control (`usersFile` or a secret-managed include). The doubled
    # `$$` is the escaping docker-compose needs for labels; a file loaded directly by Traefik's file
    # provider needs single `$` in the hash — confirm which path loads this file. The reference
    # docs also show `users` as a list rather than a scalar.
    basic-auth:
      basicAuth:
        # https://hostingcanada.org/htpasswd-generator/
        users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password

# Restrict TLS 1.2 to the Mozilla "intermediate" cipher set (ECDHE + AEAD only; TLS 1.3 suites are fixed by Go and not affected) - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6
tls:
  options:
    # `default` applies to every TLS router that does not name its own tls.options entry.
    default:
      #sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking — when enabled, clients that send no or an unknown SNI get a TLS error instead of the default certificate; leave disabled only if something legitimately connects without SNI
      minVersion: VersionTLS12 # TLS 1.0 and 1.1 are refused
      # TLS 1.2 suites only: Go fixes the TLS 1.3 suites and ignores this list for 1.3.
      # Every entry is ECDHE (forward secrecy) with an AEAD cipher; no CBC, no RSA key exchange.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305