add traefik dynamic rules

docker-compose.yml

@@ -11,6 +11,11 @@ services:
       - PUID=$PUID
       - PGID=$PGID
       - TZ=$TZ
+    deploy:
+      resources:
+        limits:
+          cpus: "2.0"
+          memory: 8G
     ports:
       - "127.0.0.1:9999:9999"
     volumes:
@@ -103,10 +108,10 @@ services:
       #   protocol: tcp
       #   mode: host
     volumes:
-      - $DOCKERDIR/traefik/rules/web:/rules # file provider directory
+      - $DOCKERDIR/traefik/rules:/rules # file provider directory
       # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
       - $DOCKERDIR/traefik/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
-      - $DOCKERDIR/logs/traefik:/logs # for fail2ban or crowdsec
+      - $DOCKERDIR/traefik/logs:/logs # for fail2ban or crowdsec
     environment:
       - TZ=$TZ
       - CLOUDFLARE_EMAIL=$CLOUDFLARE_EMAIL

traefik/rules/middlewares-chain.yml

@@ -0,0 +1,74 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-compress
+
+    chain-no-auth-wp:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers-wp
+          - middlewares-compress
+
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-https-redirectscheme
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth
+          - middlewares-compress
+
+    chain-basic-auth-demo:
+      chain:
+        middlewares:
+          - middlewares-https-redirectscheme
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth-demo
+          - middlewares-compress
+
+    chain-oauth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-oauth
+          - middlewares-compress
+
+    chain-oauth-wp:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers-wp
+          - middlewares-oauth
+          - middlewares-compress
+
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-authelia
+          - middlewares-compress
+
+    chain-authelia-wp:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers-wp
+          - middlewares-authelia
+          - middlewares-compress
+
+
+

traefik/rules/middlewares.yml

@@ -0,0 +1,94 @@
+http:
+  middlewares:
+    middlewares-basic-auth-demo:
+      basicAuth:
+        users:
+          - "demo:$apr1$bT0QVgc9$Pb5jPMd5S2Yfa1Hjo1HQk."
+        # usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth Demo"
+
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
+
+    middlewares-https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        # sslRedirect: true #replaced with middlewares-https-redirectscheme for v2.5.x
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_SHB"}}" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "{{env "DOMAINNAME_SHB"}}"
+        referrerPolicy: "same-origin"
+        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
+        # contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_SHB"}}:*';object-src 'none';script-src 'none';"
+        # Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy
+        # featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
+          # X-Forwarded-Proto: "https"
+
+    middlewares-secure-headers-wp:
+      headers:
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+
+    middlewares-oauth:
+      forwardAuth:
+        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Forwarded-User"
+
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_SHB"}}"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+
+    middlewares-compress:
+      compress: {}
+
+
+# Limiting to 10 simultaneous connections.
+# tcp:
+#   middlewares:
+#     test-inflightconn:
+#       inFlightConn:
+#         amount: 20
+
+#     test-ipwhitelist:
+#       ipWhiteList:
+#         sourceRange:
+#           - "127.0.0.1/32"
+#           - "192.168.1.7"

traefik/rules/tls-opts.yml

@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true