Adrien Reslinger
6def4562ad
All checks were successful
continuous-integration/drone/push Build is passing
114 lines
3.4 KiB
Django/Jinja
114 lines
3.4 KiB
Django/Jinja
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: traefik-files
|
|
data:
|
|
traefik-middlewares.yaml: |
|
|
http:
|
|
middlewares:
|
|
min_security:
|
|
chain:
|
|
middlewares:
|
|
- security_headers
|
|
{% if ingress_whitelist is defined %}
|
|
- traefik-ipwhitelist
|
|
{% endif %}
|
|
- rate-limit
|
|
- compress
|
|
{% if basic_auth|bool %}
|
|
- basic-auth
|
|
{% endif %}
|
|
- authelia
|
|
compress:
|
|
compress:
|
|
excludedContentTypes: ["text/event-stream"]
|
|
rate-limit:
|
|
rateLimit:
|
|
average: 100
|
|
burst: 50
|
|
security_headers:
|
|
headers:
|
|
# accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
|
|
# accessControlAllowOrigin: "origin-list-or-null"
|
|
# accessControlMaxAge: 100
|
|
# addVaryHeader: true
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
forceSTSHeader: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
referrerPolicy: "same-origin"
|
|
permissionsPolicy: "vibrate 'self'"
|
|
stsSeconds: 315360000
|
|
contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
|
|
# customResponseHeaders:
|
|
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
|
|
# server: ""
|
|
{% if ingress_whitelist is defined %}
|
|
traefik-ipwhitelist:
|
|
ipWhiteList:
|
|
sourceRange:
|
|
{% for acl_whitelist in ingress_whitelist %}
|
|
- {{ acl_whitelist }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if basic_auth|bool %}
|
|
basic-auth:
|
|
basicAuth:
|
|
removeHeader: true
|
|
usersFile: "/etc/traefik/basic-auth/basic_auth"
|
|
# users:
|
|
# - {{ basic_auth_data }}
|
|
{% endif %}
|
|
authelia:
|
|
forwardAuth:
|
|
address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- "Remote-User"
|
|
- "Remote-Groups"
|
|
- "Remote-Name"
|
|
- "Remote-Email"
|
|
authelia-basic:
|
|
forwardAuth:
|
|
address: "http://authelia:9091/api/verify?auth=basic"
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- "Remote-User"
|
|
- "Remote-Groups"
|
|
- "Remote-Name"
|
|
- "Remote-Email"
|
|
crowdsec-bouncer:
|
|
forwardAuth:
|
|
address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
|
|
trustForwardHeader: true
|
|
|
|
traefik-tls-defaults-options.yaml: |
|
|
tls:
|
|
options:
|
|
default:
|
|
sniStrict: true
|
|
minVersion: VersionTLS12
|
|
curvePreferences:
|
|
- CurveP521
|
|
- CurveP384
|
|
cipherSuites:
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
{% if false %}
|
|
stores:
|
|
default:
|
|
defaultCertificate:
|
|
certFile: path/to/wildcardcert.crt
|
|
keyFile: path/to/wildcardcert.key
|
|
|
|
certificates:
|
|
- certFile: /path/to/domain.cert
|
|
keyFile: /path/to/domain.key
|
|
- certFile: /path/to/other-domain.cert
|
|
keyFile: /path/to/other-domain.key
|
|
{% endif %}
|