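---
# Traefik dynamic-configuration files, mounted into Traefik from this ConfigMap.
# This is a Jinja2 template (Ansible-style filters such as |bool are used).
# Every Jinja block tag is kept at column 0 so that trim_blocks removes the
# whole line and leaves no stray indentation inside the block scalars below.
# Jinja evaluates expressions even inside YAML comments, so a commented-out
# "{{ var }}" still has to resolve at render time.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-files
data:
  traefik-middlewares.yaml: |
    http:
      middlewares:
        # Default hardening chain for routers. It carries NO authentication:
        # the basic-auth/authelia entries below sit inside an always-false
        # Jinja block and are never rendered, so attach an auth middleware to
        # each router that needs one.
        min_security:
          chain:
            middlewares:
              - security_headers
{% if ingress_whitelist is defined %}
              - traefik-ipwhitelist
{% endif %}
              - rate-limit
              - compress
{% if false %}
{% if basic_auth|bool %}
              - basic-auth
{% endif %}
              - authelia
{% endif %}

        # Response compression. Caveat: compressing TLS responses that mix a
        # secret with attacker-influenced content enables BREACH-style
        # attacks; exclude such content types/paths per application.
        compress:
          compress:
            excludedContentTypes: ["text/event-stream"]

        # Token bucket: 100 req/s sustained, bursts of 50. No sourceCriterion
        # is set, so Traefik keys the bucket on the client IP by default.
        rate-limit:
          rateLimit:
            average: 100
            burst: 50

        security_headers:
          headers:
            accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
            # No CORS origin allow-list is configured; Traefik v2 expects
            # accessControlAllowOriginList (accessControlAllowOrigin was the
            # v1 key). Without it Access-Control-Allow-Origin should never be
            # emitted - verify with a preflight before relying on that.
            # accessControlAllowOriginList: ["https://app.example.com"]
            accessControlMaxAge: 100
            addVaryHeader: true
            # Emits the legacy X-XSS-Protection header. Modern browsers ignore
            # it; current guidance favours a Content-Security-Policy instead.
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            # customFrameOptionsValue overrides frameDeny, so the effective
            # X-Frame-Options value is SAMEORIGIN, not DENY. Drop
            # customFrameOptionsValue if DENY is the intent.
            frameDeny: true
            customFrameOptionsValue: "SAMEORIGIN"
            # HSTS for ten years, including subdomains, with preload. Preload
            # is practically irreversible once submitted to the preload list:
            # every subdomain must already be reachable over HTTPS.
            stsIncludeSubdomains: true
            stsPreload: true
            stsSeconds: 315360000
            referrerPolicy: "same-origin"
            # permissionsPolicy: "vibrate 'self'"
            permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';"
            # A CSP is the strongest of these headers and is still disabled;
            # the example below is only a weak starting point ('unsafe-inline').
            # contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
            # customResponseHeaders:
            #   X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
            #   server: ""
            hostsProxyHeaders:
              - "X-Forwarded-Host"

{% if ingress_whitelist is defined %}
        # Source-IP allow-list. No ipStrategy is set, so the peer address of
        # the TCP connection is used and X-Forwarded-For cannot influence it.
        # Traefik rejects an empty sourceRange (and every router using
        # min_security would then fail to load), so ingress_whitelist must be
        # non-empty whenever it is defined.
        traefik-ipwhitelist:
          ipWhiteList:
            sourceRange:
{% for acl_whitelist in ingress_whitelist %}
              - "{{ acl_whitelist }}"
{% endfor %}
{% endif %}

{% if traefik_ondemand is defined %}
        # Sablier plugin: a waiting page is served while a scaled-to-zero
        # backend is started.
        ondemand:
          plugin:
            sablier:
              #group: default
              dynamic:
                displayName: Application is starting
                refreshFrequency: 5s
                showDetails: "true"
                theme: hacker-terminal
              sablierUrl: http://sablier:10000
              sessionDuration: 1m
{% endif %}

{% if basic_auth|bool %}
        # Credentials live in a mounted file, not in this ConfigMap; the
        # Authorization header is stripped before the request reaches the
        # backend.
        basic-auth:
          basicAuth:
            removeHeader: true
            usersFile: "/etc/traefik/basic-auth/basic_auth"
            # Still evaluated by Jinja although commented out; rendering will
            # typically fail if basic_auth_data is undefined.
            # users:
            #   - {{ basic_auth_data }}
{% endif %}

        # Authelia forward-auth (redirect flow). trustForwardHeader makes
        # Traefik pass the incoming X-Forwarded-* headers to Authelia instead
        # of regenerating them; that is only safe if the entryPoint's
        # forwardedHeaders.trustedIPs (not visible here - confirm) is limited
        # to known upstream proxies, otherwise a client can forge its IP/host.
        # The Remote-* headers are copied onto the backend request: backends
        # must accept them only when the request arrived via Traefik.
        # NOTE(review): rd= points at a placeholder host; confirm it is
        # replaced with the real portal URL (the dashboard example at the end
        # of this file templates its host from the domain variable).
        authelia:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
            trustForwardHeader: true
            authResponseHeaders:
              - "Remote-User"
              - "Remote-Groups"
              - "Remote-Name"
              - "Remote-Email"

        # Same check intended for non-browser clients (auth=basic makes
        # Authelia answer with a basic-auth challenge instead of a redirect);
        # the forwarded-header caveat above applies here too.
        authelia-basic:
          forwardAuth:
            address: "http://authelia:9091/api/verify?auth=basic"
            trustForwardHeader: true
            authResponseHeaders:
              - "Remote-User"
              - "Remote-Groups"
              - "Remote-Name"
              - "Remote-Email"

        # CrowdSec bouncer decides on the client IP it derives from the
        # forwarded headers, so with trustForwardHeader the same trustedIPs
        # restriction is what stops a banned client from spoofing past the ban.
        crowdsec-bouncer:
          forwardAuth:
            address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
            trustForwardHeader: true
  traefik-servers-transport.yaml: |
    http:
      serversTransports:
        # Opt-in transport for backends with self-signed/internal certificates.
        # insecureSkipVerify disables certificate validation on the
        # Traefik -> backend hop, so that hop can be intercepted; prefer
        # rootCAs with the backend's CA and reference this transport only
        # from routers where that is not possible.
        skip-verify-https-backend:
          insecureSkipVerify: true
  traefik-tls-defaults-options.yaml: |
    tls:
      options:
        default:
          # Reject connections whose SNI is missing or matches no configured
          # certificate (this also affects probes that connect by IP).
          sniStrict: true
          minVersion: VersionTLS12
          # NOTE(review): X25519 is not listed and P-521 is preferred first;
          # P-521 is slow and some browsers do not offer it. Consider
          # X25519 before CurveP384 (left unchanged here).
          curvePreferences:
            - CurveP521
            - CurveP384
          # TLS 1.2 suites are ECDHE_RSA only, so TLS 1.2 clients can only
          # complete a handshake against an RSA certificate; an ECDSA-only
          # certificate needs the ECDHE_ECDSA twins added. TLS 1.3 suites are
          # fixed by Go and unaffected by this list.
          cipherSuites:
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
          alpnProtocols:
            - h2
            - http/1.1
{% if false %}
      # Dead example of a static certificate store; never rendered.
      stores:
        default:
          defaultCertificate:
            certFile: path/to/wildcardcert.crt
            keyFile: path/to/wildcardcert.key
      certificates:
        - certFile: /path/to/domain.cert
          keyFile: /path/to/domain.key
        - certFile: /path/to/other-domain.cert
          keyFile: /path/to/other-domain.key
{% endif %}
# Dashboard router example, disabled. Note that the Jinja tags and the
# "{{ domain | lower }}" expression are still evaluated at render time.
# dashboard.yaml: |
#   http:
#     routers:
#       traefik:
#         rule: "Host(`traefik.{{ domain | lower }}`)"
#         entryPoints:
#           - "websecure"
#         middlewares:
#           - "min_security@file"
#{% if basic_auth|bool %}
#           - "basic-auth@file"
#{% endif %}
#         service: "api@internal"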