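---
# ConfigMap carrying two Traefik dynamic-configuration files:
#   - traefik-middlewares.yaml: shared HTTP middlewares
#   - traefik-tls-defaults-options.yaml: default TLS options
# This file is a Jinja2 template (the bool filter suggests Ansible - confirm).
# Template tags are kept at column 0 so that, with trim_blocks enabled, the tag
# lines vanish and cannot shift the indentation of the embedded YAML.
# A ConfigMap is not a secret store: nothing rendered here should contain
# credentials or private keys.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-files
data:
  traefik-middlewares.yaml: |
    http:
      middlewares:
        compress:
          compress:
            # Server-sent events must not be buffered by the compressor.
            excludedContentTypes: ["text/event-stream"]
        rate-limit:
          rateLimit:
            average: 100
            burst: 50
        security_headers:
          headers:
            # accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
            # accessControlAllowOrigin: "origin-list-or-null"
            # accessControlMaxAge: 100
            # addVaryHeader: true
            # Legacy X-XSS-Protection header; modern browsers ignore it, so the
            # CSP below is the effective control.
            browserXssFilter: true
            contentTypeNosniff: true
            # forceSTSHeader sends HSTS even on connections Traefik sees as
            # plain HTTP.
            forceSTSHeader: true
            # NOTE(review): customFrameOptionsValue below overrides frameDeny,
            # so the header actually sent is X-Frame-Options: SAMEORIGIN.
            frameDeny: true
            # includeSubDomains + preload + a 10-year max-age is a long-lived
            # commitment: every subdomain must serve valid HTTPS, and preload
            # list entries are slow to remove.
            stsIncludeSubdomains: true
            stsPreload: true
            customFrameOptionsValue: "SAMEORIGIN"
            referrerPolicy: "same-origin"
            # NOTE(review): featurePolicy and sslRedirect are deprecated in
            # later Traefik v2 releases (permissionsPolicy / entry point
            # redirection) - confirm against the deployed version.
            featurePolicy: "vibrate 'self'"
            stsSeconds: 315360000
            sslRedirect: true
            # 'unsafe-inline' under default-src permits inline scripts and
            # styles, which removes most of the XSS protection a CSP gives.
            # Tighten per application (nonces or hashes) where possible.
            contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
            # customResponseHeaders:
            #   X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
            #   server: ""
{% if ingress_whitelist is defined %}
        traefik-ipwhitelist:
          ipWhiteList:
            # NOTE(review): a defined but empty ingress_whitelist renders an
            # empty sourceRange - verify how the deployed Traefik treats it.
            sourceRange:
{% for acl_whitelist in ingress_whitelist %}
              - "{{ acl_whitelist }}"
{% endfor %}
{% endif %}
{% if basic_auth|bool %}
        basic-auth:
          basicAuth:
            # Strip the Authorization header before forwarding upstream.
            removeHeader: true
            # Presumably mounted from a Secret, not from this ConfigMap -
            # verify the volume definition.
            usersFile: "/etc/traefik/basic-auth/basic_auth"
{# Inline alternative to usersFile. Kept as a template comment rather than a
   YAML comment: Jinja expands expressions inside YAML comments, which would
   write the credential data into the ConfigMap (and a multi-line value would
   spill out of the comment into live configuration).
            users:
              - "{{ basic_auth_data }}"
#}
{% endif %}
{% if false %}
        authelia:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
            # Trusts X-Forwarded-* headers already present on the request; only
            # safe when every path to Traefik goes through a trusted proxy that
            # sets or strips them.
            trustForwardHeader: true
            # Option name is authResponseHeaders; the previous spelling
            # (authReponseHeaders) would not have copied the identity headers.
            authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
{% endif %}
  traefik-tls-defaults-options.yaml: |
    tls:
      options:
        default:
          # Reject handshakes whose SNI matches no configured certificate.
          sniStrict: true
          minVersion: VersionTLS12
          # NOTE(review): X25519 and P-256 are not listed; clients offering
          # only those curves will fail the handshake - confirm this is
          # intended.
          curvePreferences:
            - CurveP521
            - CurveP384
          # Applies to TLS 1.2 only; TLS 1.3 suites are not configurable.
          # All entries are ECDHE_RSA: a certificate with an ECDSA key would
          # need the matching ECDHE_ECDSA suites.
          cipherSuites:
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
{% if false %}
      stores:
        default:
          defaultCertificate:
            certFile: path/to/wildcardcert.crt
            keyFile: path/to/wildcardcert.key
      certificates:
        - certFile: /path/to/domain.cert
          keyFile: /path/to/domain.key
        - certFile: /path/to/other-domain.cert
          keyFile: /path/to/other-domain.key
{% endif %}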