global:
  # Neither the version check nor the usage telemetry call out to Traefik's
  # servers; the process makes no outbound requests on its own behalf.
  checkNewVersion: false
  sendAnonymousUsage: false
api:
  # The dashboard is only reachable through a router that targets
  # api@internal in the dynamic configuration; put an authentication
  # middleware on that router, nothing here protects it.
  dashboard: true
  debug: false
  # Secure the API
  # insecure: false keeps the API off the unauthenticated :8080 listener.
  insecure: false
ping:
  # Serve /ping on the dedicated "ping" entry point (declared under
  # entryPoints) instead of on the public listeners.
  entryPoint: "ping"
log:
  # Process log (not the access log). Keep INFO in production; DEBUG is
  # verbose and intended for troubleshooting only.
  level: INFO
  filePath: /var/log/traefik/traefik.log
  format: json
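accessLog:
  filePath: /var/log/traefik/access.log
  format: json
  bufferingSize: 100
  # Filters are combined with OR: a request is written when any of them
  # matches. 200-599 plus retries plus >=10ms means effectively every request
  # is logged; narrow statusCodes if volume becomes a problem.
  filters:
    statusCodes:
      - "200-299" # Success
      - "300-399" # Redirects
      - "400-599" # Errors
    retryAttempts: true
    minDuration: 10ms
  fields:
    headers:
      # Allow-list rather than log everything. With defaultMode keep, every
      # request and response header not named below (Proxy-Authorization,
      # Set-Cookie, API-key style headers, ...) would land in the log file
      # verbatim. Only the headers needed for traffic analysis are kept.
      defaultMode: drop
      names:
        User-Agent: keep
        # Already dropped by defaultMode; listed explicitly so the intent is
        # visible to the next reader.
        Authorization: drop
        Cookie: drop
        X-Forwarded-For: keep
        X-Real-Ip: keep
        # Original client IP as reported by Cloudflare; behind the edge the
        # socket address is always a Cloudflare IP.
        Cf-Connecting-Ip: keep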
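entryPoints:
  # HTTP - Redirect to HTTPS
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
          priority: 100

  # HTTPS External (Cloudflare)
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        # The wildcard SAN can only be issued through a DNS-01 challenge, so
        # the letsencrypt resolver must be configured with dnsChallenge.
        domains:
          - main: "lemonlink.eu"
            sans:
              - "*.lemonlink.eu"
      middlewares:
        # - crowdsec-bouncer@file # Enable when using CrowdSec bouncer
        - security-headers@file
        - rate-limit@file
    # X-Forwarded-* / X-Real-Ip are honoured only from these sources; from any
    # other address they are overwritten. Keep this list and the
    # proxyProtocol list below identical so they do not drift.
    forwardedHeaders:
      trustedIPs:
        # Cloudflare IPs - Keep updated!
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        # IPv6
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
    # PROXY protocol headers are used only from trusted sources; from others
    # the header is parsed and ignored. The IPv6 ranges were missing here
    # while present in forwardedHeaders above; the two lists now match.
    proxyProtocol:
      trustedIPs:
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        # IPv6
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"

  # Internal EntryPoint (Tailscale/VPN only)
  # NOTE(review): ":8443" binds every interface; nothing in this file limits
  # it to the VPN. Either bind to the Tailscale address
  # (address: "<TAILSCALE_IP>:8443", placeholder) or confirm the host
  # firewall blocks 8443 on the public interface.
  # No forwardedHeaders here, so client-supplied X-Forwarded-* are not trusted.
  internal:
    address: ":8443" # Use non-standard port, map via Tailscale
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "local.lemonlink.eu"
            sans:
              - "*.local.lemonlink.eu"
      middlewares:
        - security-headers@file
        - rate-limit-internal@file

  # Health check
  ping:
    address: ":8082"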
providers:
  docker:
    # Containers must opt in with traefik.enable=true; nothing is routed by
    # accident.
    exposedByDefault: false
    network: services
    watch: true
  file:
    # Dynamic configuration; the *@file middlewares referenced on the entry
    # points are defined here.
    directory: /dynamic
    watch: true
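certificatesResolvers:
  letsencrypt:
    acme:
      # Quoted so YAML never re-types the value. NOTE(review): Traefik does
      # not expand ${VAR} in static configuration files as far as I know —
      # confirm this file is substituted before Traefik reads it, otherwise
      # ACME receives the literal text as the account e-mail.
      email: "${CF_API_EMAIL}"
      # Holds the ACME account key and issued private keys; Traefik refuses
      # to start unless this file is mode 0600.
      storage: /letsencrypt/acme.json
      # Use DNS challenge for wildcard certificates
      # DNS-01 is the only challenge that can issue "*.lemonlink.eu". The
      # former tlsChallenge: {} was removed: it cannot satisfy wildcard names
      # and a resolver should carry a single challenge type (presumably the DNS
      # challenge already took precedence, so behaviour is unchanged).
      # Provider credentials come from the environment; prefer a DNS-scoped
      # token (CF_DNS_API_TOKEN) over the global API key.
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

  # Staging resolver for testing
  letsencrypt-staging:
    acme:
      email: "${CF_API_EMAIL}"
      storage: /letsencrypt/acme-staging.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # Same challenge as the production resolver; tlsChallenge: {} removed
      # for the same reason.
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10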
serversTransport:
  # Backend TLS certificates are verified. Do not flip this to cope with a
  # self-signed backend; add its CA under rootCAs instead.
  insecureSkipVerify: false