Gurulandia/Homelab
1
0
Fork 0
Code Pull Requests Actions Wiki Activity

Traefik config

Browse Source
This commit is contained in:
Gurulandia
2025-03-05 10:00:59 +02:00
parent 9d0dd4bdcf
commit 6e9e27110d
27 changed files with 1175477 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
config/docker/current/traefik/config/mw-authelia.yaml
View File

@@ -1,9 +0,0 @@
http:
middlewares:
middlewares-authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"

19
config/docker/current/traefik/config/mw-authentik.yaml Normal file
View File

@@ -0,0 +1,19 @@
http:
middlewares:
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

2
config/docker/current/traefik/config/mw-basic-auth.yaml
View File

@@ -5,4 +5,4 @@ http:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"
realm: "Traefik 3 Basic Auth"

18
config/docker/current/traefik/config/mw-buffering.yaml Normal file
View File

@@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"

5
config/docker/current/traefik/config/mw-chain-authelia.yaml → config/docker/current/traefik/config/mw-chain-authentik.yaml
View File

@@ -1,8 +1,9 @@
http:
middlewares:
chain-authelia:
chain-authentik:
chain:
middlewares:
# - middlewares-crowdsec-bouncer
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-authelia
- middlewares-authentik

1
config/docker/current/traefik/config/mw-chain-no-auth.yaml
View File

@@ -3,7 +3,6 @@ http:
chain-no-auth:
chain:
middlewares:
- middlewares-crowdsec-bouncer
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers

8
config/docker/current/traefik/config/mw-chain-oauth.yaml
View File

@@ -1,8 +0,0 @@
http:
middlewares:
chain-oauth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-oauth

12
config/docker/current/traefik/config/mw-compress.yaml Normal file
View File

@@ -0,0 +1,12 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
middlewares-compress:
compress: {}

15
config/docker/current/traefik/config/mw-https-redirectscheme.yaml Normal file
View File

@@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true

29
config/docker/current/traefik/config/mw-secure-headers.yaml
View File

@@ -1,5 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
@@ -9,23 +19,20 @@ http:
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
#customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "example.com"
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
# permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
# server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
X-Forwarded-Proto: "https"

22
config/docker/current/traefik/config/tls-opts.yaml
View File

@@ -1,6 +1,21 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -14,6 +29,7 @@ tls:
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13