Add some configs

2025-02-03 10:16:10 +02:00
parent d5ba06fb78
commit 8d217a76c5
50 changed files with 1317 additions and 0 deletions
--- a/config/docker/current/traefik/config/mw-authelia.yml
+++ b/config/docker/current/traefik/config/mw-authelia.yml
@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
--- a/config/docker/current/traefik/config/mw-basic-auth.yml
+++ b/config/docker/current/traefik/config/mw-basic-auth.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
+        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"
--- a/config/docker/current/traefik/config/mw-chain-authelia.yml
+++ b/config/docker/current/traefik/config/mw-chain-authelia.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:        
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authelia
--- a/config/docker/current/traefik/config/mw-chain-basic-auth.yml
+++ b/config/docker/current/traefik/config/mw-chain-basic-auth.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth
--- a/config/docker/current/traefik/config/mw-chain-no-auth.yml
+++ b/config/docker/current/traefik/config/mw-chain-no-auth.yml
@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-crowdsec-bouncer
+          - middlewares-default-whitelist
+          - middlewares-rate-limit
+          - middlewares-secure-headers
--- a/config/docker/current/traefik/config/mw-chain-oauth.yml
+++ b/config/docker/current/traefik/config/mw-chain-oauth.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-oauth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-oauth
--- a/config/docker/current/traefik/config/mw-crowdsec-bouncer.yml
+++ b/config/docker/current/traefik/config/mw-crowdsec-bouncer.yml
@@ -0,0 +1,6 @@
+http:
+  middlewares:    
+    middlewares-crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true
--- a/config/docker/current/traefik/config/mw-default-whitelist.yml
+++ b/config/docker/current/traefik/config/mw-default-whitelist.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-default-whitelist:
+      ipWhiteList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
--- a/config/docker/current/traefik/config/mw-rate-limit.yml
+++ b/config/docker/current/traefik/config/mw-rate-limit.yml
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
--- a/config/docker/current/traefik/config/mw-secure-headers.yml
+++ b/config/docker/current/traefik/config/mw-secure-headers.yml
@@ -0,0 +1,31 @@
+http:
+  middlewares:
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "example.com"
+        referrerPolicy: "same-origin"
+        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
+        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          
--- a/config/docker/current/traefik/config/tls-opts.yml
+++ b/config/docker/current/traefik/config/tls-opts.yml
@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true