LemonSec/traefik/traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false

api:
  dashboard: true
  debug: false
  # Secure the API
  insecure: false

ping:
  entryPoint: "ping"

log:
  level: INFO
  filePath: /var/log/traefik/traefik.log
  format: json

accessLog:
  filePath: /var/log/traefik/access.log
  format: json
  bufferingSize: 100
  filters:
    statusCodes:
      - "200-299"  # Success
      - "300-399"  # Redirects
      - "400-599"  # Errors
    retryAttempts: true
    minDuration: 10ms
  fields:
    headers:
      defaultMode: keep
      names:
        User-Agent: keep
        Authorization: drop
        Cookie: drop
        X-Forwarded-For: keep
        X-Real-Ip: keep

entryPoints:
  # HTTP - Redirect to HTTPS
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
          priority: 100

  # HTTPS External (Cloudflare)
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "lemonlink.eu"
            sans:
              - "*.lemonlink.eu"
      middlewares:
        - crowdsec-bouncer@file
        - security-headers@file
        - rate-limit@file
    forwardedHeaders:
      trustedIPs:
        # Cloudflare IPs - Keep updated!
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        # IPv6
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
    proxyProtocol:
      trustedIPs:
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"

  # Internal EntryPoint (Tailscale/VPN only)
  internal:
    address: ":8443"  # Use non-standard port, map via Tailscale
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "local.lemonlink.eu"
            sans:
              - "*.local.lemonlink.eu"
      middlewares:
        - security-headers@file
        - rate-limit-internal@file

  # Health check
  ping:
    address: ":8082"

providers:
  docker:
    exposedByDefault: false
    network: services
    watch: true
  file:
    directory: /dynamic
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: ${CF_API_EMAIL}
      storage: /letsencrypt/acme.json
      tlsChallenge: {}
      # Use DNS challenge for wildcard certificates
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

  # Staging resolver for testing
  letsencrypt-staging:
    acme:
      email: ${CF_API_EMAIL}
      storage: /letsencrypt/acme-staging.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10

serversTransport:
  insecureSkipVerify: false