Compose-Examples/examples/traefik/fileConfig.yml
2024-10-22 04:20:02 +02:00

171 lines
6.0 KiB
YAML

http:
## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
#routers:
# homeassistant:
# entryPoints:
# - https
# - http
# rule: 'Host(`ha.example.com`)'
# service: homeassistant
# middlewares:
# - "local-ipwhitelist@file"
# pve:
# entryPoints:
# - https
# - http
# rule: 'Host(`pve.example.com`)'
# service: pve
# middlewares:
# - "local-ipwhitelist@file"
## SERVICES EXAMPLE ##
#services:
# homeassistant:
# loadBalancer:
# serversTransport: insecureTransport
# servers:
# - url: http://192.168.1.10:8123
# pve:
# loadBalancer:
# serversTransport: insecureTransport
# servers:
# - url: https://192.168.1.20:8006
# allow self-signed certificates for proxied web services
serversTransports:
insecureTransport:
insecureSkipVerify: true
## MIDDLEWARES ##
middlewares:
# Only Allow Local networks
local-ipwhitelist:
ipAllowList:
sourceRange:
- 127.0.0.1/32 # localhost
- 10.0.0.0/8 # private class A
- 172.16.0.0/12 # private class B
- 192.168.0.0/16 # private class C
#ipstrategy: # enable this when cloudflare proxy in use
# depth: 1 # enable this when cloudflare proxy in use
# Security headers
security-headers:
headers:
customResponseHeaders: # field names are case-insensitive
#X-Robots-Tag: "all,noarchive,nosnippet,notranslate,noimageindex"
Server: "" # prevent version disclosure
X-Powered-By: "" # prevent version disclosure
X-Forwarded-Proto: "https"
#Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
#Cross-Origin-Embedder-Policy: "unsafe-none"
#Cross-Origin-Opener-Policy: "same-origin"
#Cross-Origin-Resource-Policy: "same-site"
sslProxyHeaders:
X-Forwarded-Proto: "https"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
contentTypeNosniff: true # X-Content-Type-Options
customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options
browserXssFilter: false # X-XSS-Protection; deprecated
referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS)
stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
#contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP)
# Authelia guard
#authelia:
# forwardauth:
# address: http://authelia:9091/api/authz/forward-auth # replace example.com with your domain name
# trustForwardHeader: true
# authResponseHeaders:
# - Remote-User
# - Remote-Groups
# - Remote-Name
# - Remote-Email
#crowdsec:
# plugin:
# bouncer:
# enabled: true
# updateIntervalSeconds: 60
# updateMaxFailure: 0
# defaultDecisionSeconds: 60
# httpTimeoutSeconds: 10
# crowdsecMode: live
# crowdsecAppsecFailureBlock: true
# crowdsecAppsecUnreachableBlock: true
# crowdsecLapiKey: $CROWDSEC-BOUNCER-API-TOKEN
# crowdsecLapiHost: crowdsec:8080
# crowdsecLapiScheme: http
# crowdsecLapiTLSInsecureVerify: false
# crowdsecCapiScenarios:
# - crowdsecurity/traefik
# - crowdsecurity/http-cve
# - crowdsecurity/appsec-virtual-patching
# - crowdsecurity/appsec-generic-rules
# forwardedHeadersTrustedIPs:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - 103.21.244.0/22
# - 103.22.200.0/22
# - 103.31.4.0/22
# - 104.16.0.0/13
# - 104.24.0.0/14
# - 108.162.192.0/18
# - 131.0.72.0/22
# - 141.101.64.0/18
# - 162.158.0.0/15
# - 172.64.0.0/13
# - 173.245.48.0/20
# - 188.114.96.0/20
# - 190.93.240.0/20
# - 197.234.240.0/22
# - 198.41.128.0/17
# - 2400:cb00::/32
# - 2606:4700::/32
# - 2803:f800::/32
# - 2405:b500::/32
# - 2405:8100::/32
# - 2a06:98c0::/29
# - 2c0f:f248::/32
# clientTrustedIPs:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# rate limiting
rate-limit:
rateLimit:
average: 100
period: 1
burst: 100
# basic auth popup
basic-auth:
basicAuth:
# https://hostingcanada.org/htpasswd-generator/
users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6
tls:
options:
default:
#sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305