http: ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ## #routers: # homeassistant: # entryPoints: # - https # - http # rule: 'Host(`ha.example.com`)' # service: homeassistant # middlewares: # - "local-ipwhitelist@file" # pve: # entryPoints: # - https # - http # rule: 'Host(`pve.example.com`)' # service: pve # middlewares: # - "local-ipwhitelist@file" ## SERVICES EXAMPLE ## #services: # homeassistant: # loadBalancer: # serversTransport: insecureTransport # servers: # - url: http://192.168.1.10:8123 # pve: # loadBalancer: # serversTransport: insecureTransport # servers: # - url: https://192.168.1.20:8006 # allow self-signed certificates for proxied web services serversTransports: insecureTransport: insecureSkipVerify: true ## MIDDLEWARES ## middlewares: # Only Allow Local networks local-ipwhitelist: ipAllowList: sourceRange: - 127.0.0.1/32 # localhost - 10.0.0.0/8 # private class A - 172.16.0.0/12 # private class B - 192.168.0.0/16 # private class C #ipstrategy: # enable this when cloudflare proxy in use # depth: 1 # enable this when cloudflare proxy in use # Security headers security-headers: headers: customResponseHeaders: # field names are case-insensitive #X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex" Server: "" # prevent version disclosure X-Powered-By: "" # prevent version disclosure X-Forwarded-Proto: "https" #Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()" #Cross-Origin-Embedder-Policy: "unsafe-none" #Cross-Origin-Opener-Policy: "same-origin" #Cross-Origin-Resource-Policy: "same-site" sslProxyHeaders: X-Forwarded-Proto: "https" hostsProxyHeaders: - "X-Forwarded-Host" customRequestHeaders: X-Forwarded-Proto: "https" contentTypeNosniff: true # X-Content-Type-Options customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options browserXssFilter: false # X-XSS-Protection; deprecated referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS) stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS) stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS) stsPreload: true # HTTP-Strict-Transport-Security (HSTS) #contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP) # Authelia guard #authelia: # forwardauth: # address: http://authelia:9091/api/authz/forward-auth # replace example.com with your domain name # trustForwardHeader: true # authResponseHeaders: # - Remote-User # - Remote-Groups # - Remote-Name # - Remote-Email #crowdsec: # plugin: # bouncer: # enabled: true # updateIntervalSeconds: 60 # updateMaxFailure: 0 # defaultDecisionSeconds: 60 # httpTimeoutSeconds: 10 # crowdsecMode: live # crowdsecAppsecFailureBlock: true # crowdsecAppsecUnreachableBlock: true # crowdsecLapiKey: $CROWDSEC-BOUNCER-API-TOKEN # crowdsecLapiHost: crowdsec:8080 # crowdsecLapiScheme: http # crowdsecLapiTLSInsecureVerify: false # crowdsecCapiScenarios: # - crowdsecurity/traefik # - crowdsecurity/http-cve # - crowdsecurity/appsec-virtual-patching # - crowdsecurity/appsec-generic-rules # forwardedHeadersTrustedIPs: # - 10.0.0.0/8 # - 172.16.0.0/12 # - 192.168.0.0/16 # - 103.21.244.0/22 # - 103.22.200.0/22 # - 103.31.4.0/22 # - 104.16.0.0/13 # - 104.24.0.0/14 # - 108.162.192.0/18 # - 131.0.72.0/22 # - 141.101.64.0/18 # - 162.158.0.0/15 # - 172.64.0.0/13 # - 173.245.48.0/20 # - 188.114.96.0/20 # - 190.93.240.0/20 # - 197.234.240.0/22 # - 198.41.128.0/17 # - 2400:cb00::/32 # - 2606:4700::/32 # - 2803:f800::/32 # - 2405:b500::/32 # - 2405:8100::/32 # - 2a06:98c0::/29 # - 2c0f:f248::/32 # clientTrustedIPs: # - 10.0.0.0/8 # - 172.16.0.0/12 # - 192.168.0.0/16 # rate limiting rate-limit: rateLimit: average: 100 period: 1 burst: 100 # basic auth popup basic-auth: basicAuth: # https://hostingcanada.org/htpasswd-generator/ users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password # Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6 tls: options: default: #sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305