-
Notifications
You must be signed in to change notification settings - Fork 43
/
Copy pathmiddlewares.yml
126 lines (110 loc) · 4.37 KB
/
middlewares.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
---
## DYNAMIC CONFIGURATION
http:
middlewares:
security:
chain:
middlewares:
- HSTS-headers
- security-headers
management:
chain:
middlewares:
- security
- low-rateLimit
- noindex-page-headers
# - authelia-forwardAuth@docker
# http(s)://(www.) to https://
redirect-to-https:
# redirectScheme:
# scheme: https
# permanent: true
# port: '{{ env "HTTPS_PORT" }}'
redirectRegex:
regex: "^https?://(?:www\\.)?(.+)"
replacement: "https://${1}"
permanent: true
low-rateLimit:
rateLimit:
average: 100
period: 10s
burst: 50
sourceCriterion:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
# requestHeaderName: X-Real-Ip
# requestHost: true
with-compress:
compress:
excludedContentTypes:
- text/event-stream
autodetect-contentType:
contentType:
autoDetect: false
digestAuth:
digestAuth:
removeHeader: true
users:
# htdigest -c file traefik admin
- "admin:traefik:9d62c6a44cd9a4ac3e1f5658db57fa54" # admin:@#1234-app
known-ipWhiteList:
ipWhiteList:
sourceRange:
- "{{ env "TRAEFIK_WHITELIST_IP_DASHBOARD" }}"
docker-known-ips:
ipWhiteList:
sourceRange:
- "172.20.0.0/16"
- "172.25.0.0/16"
# Available Header Options: https://github.com/unrolled/secure#available-options
# A great resource for these headers is your preferred browser's docs. Firefox: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
# https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
# Check headers here, don't include OAuth when checking headers, otherwise you are checking google's headers: https://securityheaders.com
# or check them here: https://observatory.mozilla.org/
security-headers:
# Replaces the headers in NGINX in the file ./nginx/configs/nginx.d/10-security-headers.conf or any other header
headers:
sslRedirect: true
sslProxyHeaders:
X-Forwarded-Proto: https
hostsProxyHeaders:
- X-Forwarded-Host
browserXssFilter: true
contentTypeNosniff: true
referrerPolicy: same-origin
customFrameOptionsValue: SAMEORIGIN
# ContentSecurityPolicy: "default-src * 'self' https: data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; upgrade-insecure-requests;"
featurePolicy: >-
camera 'none'; geolocation 'none'; microphone 'none'; payment 'none';
usb 'none'; midi 'none'; fullscreen 'self';
customResponseHeaders:
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
HSTS-headers:
headers:
# HSTS
stsPreload: true
forceSTSHeader: true
stsSeconds: 31536000
stsIncludeSubdomains: true
noindex-page-headers:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
cors-headers:
headers:
sslRedirect: true
accessControlAllowCredentials: true
accessControlMaxAge: 100
addVaryHeader: true
accessControlAllowMethods:
- GET
# - PUT
# - OPTION
# - POST
# - DELETE
accessControlAllowOriginList:
- "https://{{ env "DOMAIN" }}"
accessControlAllowHeaders:
- "*"