155 lines
4.5 KiB
Django/Jinja
155 lines
4.5 KiB
Django/Jinja
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: traefik-files
|
|
data:
|
|
traefik-middlewares.yaml: |
|
|
http:
|
|
middlewares:
|
|
min_security:
|
|
chain:
|
|
middlewares:
|
|
- security_headers
|
|
{% if ingress_whitelist is defined %}
|
|
- traefik-ipwhitelist
|
|
{% endif %}
|
|
- rate-limit
|
|
- compress
|
|
{% if false %}
|
|
{% if basic_auth|bool %}
|
|
- basic-auth
|
|
{% endif %}
|
|
- authelia
|
|
{% endif %}
|
|
compress:
|
|
compress:
|
|
excludedContentTypes: ["text/event-stream"]
|
|
rate-limit:
|
|
rateLimit:
|
|
average: 100
|
|
burst: 50
|
|
security_headers:
|
|
headers:
|
|
accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
|
|
# accessControlAllowOrigin: "origin-list-or-null"
|
|
accessControlMaxAge: 100
|
|
addVaryHeader: true
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
forceSTSHeader: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
referrerPolicy: "same-origin"
|
|
# permissionsPolicy: "vibrate 'self'"
|
|
permissionsPolicy: "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none';"
|
|
stsSeconds: 315360000
|
|
# contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
|
|
# customResponseHeaders:
|
|
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
|
|
# server: ""
|
|
hostsProxyHeaders:
|
|
- "X-Forwarded-Host"
|
|
{% if ingress_whitelist is defined %}
|
|
traefik-ipwhitelist:
|
|
ipWhiteList:
|
|
sourceRange:
|
|
{% for acl_whitelist in ingress_whitelist %}
|
|
- {{ acl_whitelist }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if traefik_ondemand is defined %}
|
|
ondemand:
|
|
plugin:
|
|
sablier:
|
|
#group: default
|
|
dynamic:
|
|
displayName: Application is starting
|
|
refreshFrequency: 5s
|
|
showDetails: "true"
|
|
theme: hacker-terminal
|
|
sablierUrl: http://sablier:10000
|
|
sessionDuration: 1m
|
|
{% endif %}
|
|
{% if basic_auth|bool %}
|
|
basic-auth:
|
|
basicAuth:
|
|
removeHeader: true
|
|
usersFile: "/etc/traefik/basic-auth/basic_auth"
|
|
# users:
|
|
# - {{ basic_auth_data }}
|
|
{% endif %}
|
|
authelia:
|
|
forwardAuth:
|
|
address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- "Remote-User"
|
|
- "Remote-Groups"
|
|
- "Remote-Name"
|
|
- "Remote-Email"
|
|
authelia-basic:
|
|
forwardAuth:
|
|
address: "http://authelia:9091/api/verify?auth=basic"
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- "Remote-User"
|
|
- "Remote-Groups"
|
|
- "Remote-Name"
|
|
- "Remote-Email"
|
|
crowdsec-bouncer:
|
|
forwardAuth:
|
|
address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
|
|
trustForwardHeader: true
|
|
|
|
traefik-servers-transport.yaml: |
|
|
http:
|
|
serversTransports:
|
|
skip-verify-https-backend:
|
|
insecureSkipVerify: true
|
|
|
|
traefik-tls-defaults-options.yaml: |
|
|
tls:
|
|
options:
|
|
default:
|
|
sniStrict: true
|
|
minVersion: VersionTLS12
|
|
curvePreferences:
|
|
- CurveP521
|
|
- CurveP384
|
|
cipherSuites:
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
alpnProtocols:
|
|
- h2
|
|
- http/1.1
|
|
{% if false %}
|
|
stores:
|
|
default:
|
|
defaultCertificate:
|
|
certFile: path/to/wildcardcert.crt
|
|
keyFile: path/to/wildcardcert.key
|
|
|
|
certificates:
|
|
- certFile: /path/to/domain.cert
|
|
keyFile: /path/to/domain.key
|
|
- certFile: /path/to/other-domain.cert
|
|
keyFile: /path/to/other-domain.key
|
|
{% endif %}
|
|
|
|
# dashboard.yaml: |
|
|
# http:
|
|
# routers:
|
|
# traefik:
|
|
# rule: "Host(`traefik.{{ domain | lower }}`)"
|
|
# entryPoints:
|
|
# - "websecure"
|
|
# middlewares:
|
|
# - "min_security@file"
|
|
#{% if basic_auth|bool %}
|
|
# - "basic-auth@file"
|
|
#{% endif %}
|
|
# service: "api@internal"
|