Showing
4 changed files
with
194 additions
and
2 deletions.
@@ -0,0 +1,74 @@ | ||
http: | ||
middlewares: | ||
chain-no-auth: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers | ||
- middlewares-compress | ||
|
||
chain-no-auth-wp: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers-wp | ||
- middlewares-compress | ||
|
||
chain-basic-auth: | ||
chain: | ||
middlewares: | ||
- middlewares-https-redirectscheme | ||
- middlewares-rate-limit | ||
- middlewares-secure-headers | ||
- middlewares-basic-auth | ||
- middlewares-compress | ||
|
||
chain-basic-auth-demo: | ||
chain: | ||
middlewares: | ||
- middlewares-https-redirectscheme | ||
- middlewares-rate-limit | ||
- middlewares-secure-headers | ||
- middlewares-basic-auth-demo | ||
- middlewares-compress | ||
|
||
chain-oauth: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers | ||
- middlewares-oauth | ||
- middlewares-compress | ||
|
||
chain-oauth-wp: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers-wp | ||
- middlewares-oauth | ||
- middlewares-compress | ||
|
||
chain-authelia: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers | ||
- middlewares-authelia | ||
- middlewares-compress | ||
|
||
chain-authelia-wp: | ||
chain: | ||
middlewares: | ||
- middlewares-rate-limit | ||
- middlewares-https-redirectscheme | ||
- middlewares-secure-headers-wp | ||
- middlewares-authelia | ||
- middlewares-compress | ||
|
||
|
||
|
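Review bot: The middleware order differs between chains with no stated reason — `chain-no-auth`, `chain-oauth` and `chain-authelia` list `middlewares-rate-limit` before `middlewares-https-redirectscheme`, while `chain-basic-auth` and `chain-basic-auth-demo` put the redirect first; Traefik applies chain entries in list order, so one order should be used everywhere (redirect first has the small benefit that plaintext-HTTP requests are answered with the redirect before they consume rate-limit budget). None of the chains carries a comment; a one-liner per chain would help readers pick the right one, e.g. `# chain-no-auth: rate limit + security headers only; the service must authenticate on its own` and `# *-wp variants use the relaxed header set from middlewares-secure-headers-wp`. `chain-basic-auth-demo` wires in a demo credential defined elsewhere in this commit, so a comment such as `# demo credential only — do not attach to a real router` on that chain would prevent it being copied onto production services.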
@@ -0,0 +1,94 @@ | ||
http: | ||
middlewares: | ||
middlewares-basic-auth-demo: | ||
basicAuth: | ||
users: | ||
- "demo:$apr1$bT0QVgc9$Pb5jPMd5S2Yfa1Hjo1HQk." | ||
# usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml | ||
realm: "Traefik 2 Basic Auth Demo" | ||
|
||
middlewares-rate-limit: | ||
rateLimit: | ||
average: 100 | ||
burst: 50 | ||
|
||
middlewares-https-redirectscheme: | ||
redirectScheme: | ||
scheme: https | ||
permanent: true | ||
|
||
middlewares-secure-headers: | ||
headers: | ||
accessControlAllowMethods: | ||
- GET | ||
- OPTIONS | ||
- PUT | ||
accessControlMaxAge: 100 | ||
hostsProxyHeaders: | ||
- "X-Forwarded-Host" | ||
# sslRedirect: true #replaced with middlewares-https-redirectscheme for v2.5.x | ||
stsSeconds: 63072000 | ||
stsIncludeSubdomains: true | ||
stsPreload: true | ||
forceSTSHeader: true | ||
# frameDeny: true #overwritten by customFrameOptionsValue | ||
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_SHB"}}" #CSP takes care of this but may be needed for organizr. | ||
contentTypeNosniff: true | ||
browserXssFilter: true | ||
# sslForceHost: true # add sslHost to all of the services | ||
# sslHost: "{{env "DOMAINNAME_SHB"}}" | ||
referrerPolicy: "same-origin" | ||
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk. | ||
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc. | ||
# contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_SHB"}}:*';object-src 'none';script-src 'none';" | ||
# Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy | ||
# featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" | ||
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()" | ||
customResponseHeaders: | ||
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," | ||
server: "" | ||
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732 | ||
# X-Forwarded-Proto: "https" | ||
|
||
middlewares-secure-headers-wp: | ||
headers: | ||
hostsProxyHeaders: | ||
- "X-Forwarded-Host" | ||
stsSeconds: 31536000 | ||
stsIncludeSubdomains: true | ||
stsPreload: true | ||
frameDeny: true | ||
contentTypeNosniff: true | ||
browserXssFilter: true | ||
|
||
middlewares-oauth: | ||
forwardAuth: | ||
address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml | ||
trustForwardHeader: true | ||
authResponseHeaders: | ||
- "X-Forwarded-User" | ||
|
||
middlewares-authelia: | ||
forwardAuth: | ||
address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_SHB"}}" | ||
trustForwardHeader: true | ||
authResponseHeaders: | ||
- "Remote-User" | ||
- "Remote-Groups" | ||
|
||
middlewares-compress: | ||
compress: {} | ||
|
||
|
||
# Limiting to 10 simultaneous connections. | ||
# tcp: | ||
# middlewares: | ||
# test-inflightconn: | ||
# inFlightConn: | ||
# amount: 20 | ||
|
||
# test-ipwhitelist: | ||
# ipWhiteList: | ||
# sourceRange: | ||
# - "127.0.0.1/32" | ||
# - "192.168.1.7" |
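Review bot: `customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_SHB"}}"` in middlewares-secure-headers relies on the obsolete X-Frame-Options ALLOW-FROM directive, which current browsers ignore, and with both `frameDeny` and `contentSecurityPolicy` commented out this middleware ends up with no effective anti-framing protection, unlike middlewares-secure-headers-wp which sets `frameDeny: true`. The supported replacement is a `frame-ancestors` directive in `contentSecurityPolicy` (for example a constructed `contentSecurityPolicy: "frame-ancestors 'self' https://*.{{env "DOMAINNAME_SHB"}}"`), with a comment that apps needing to be embedded elsewhere require their own allow-list; the existing comment at the `# contentSecurityPolicy:` line already explains why the full policy was disabled, so only the frame-ancestors part needs restoring. Both forwardAuth middlewares set `trustForwardHeader: true`, which makes Traefik pass the client-supplied X-Forwarded-* headers on to the auth service; that is only safe when the entrypoint's `forwardedHeaders.trustedIPs` is restricted, which is not part of this commit, and a comment next to each `address:` line stating that dependency would help. The `$apr1$` (MD5-based) hash at the top of the file is fine as a demo but should not be the template for real users; the commented `usersFile:` line is the right place for real credentials, and a comment saying so on the `users:` line would make that explicit.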
@@ -0,0 +1,19 @@ | ||
tls: | ||
options: | ||
tls-opts: | ||
minVersion: VersionTLS12 | ||
cipherSuites: | ||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ||
- TLS_AES_128_GCM_SHA256 | ||
- TLS_AES_256_GCM_SHA384 | ||
- TLS_CHACHA20_POLY1305_SHA256 | ||
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507 | ||
curvePreferences: | ||
- CurveP521 | ||
- CurveP384 | ||
sniStrict: true |
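Review bot: `- TLS_FALLBACK_SCSV` in the cipherSuites list is a signaling value from RFC 7507, not a negotiable cipher suite, so it contributes nothing to the server-side list, and whether the name is accepted at all depends on the Traefik version; the line should be dropped rather than kept with a comment that describes client behaviour. The three TLS 1.3 entries (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) are not configurable in Go-based servers and are silently ignored, which deserves a comment such as `# TLS 1.3 suites are fixed by Go and listed here for documentation only` so nobody expects them to restrict anything. Because the option set is named `tls-opts` rather than `default`, it only applies to routers that reference it explicitly; either rename it to `default` or add `# must be referenced per router via tls.options=tls-opts@file` so routers do not silently fall back to Traefik's built-in TLS defaults. Omitting `X25519` and `CurveP256` from `curvePreferences` is a compatibility and performance trade-off rather than a hardening gain; if it is intentional, a comment should say why.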