Updated the crowdsec-bouncer-traefik-plugin to v1.4.2; added a default crowdsecAppsecBodyLimit value for bigger files
http:
|
|
middlewares:
|
|
redirect-to-https:
|
|
redirectScheme:
|
|
scheme: https
|
|
default-whitelist: # Whitelist middleware for internal IPs
|
|
ipWhiteList: # Internal IP addresses
|
|
sourceRange: # Internal IP addresses
|
|
- "10.0.0.0/8" # Internal IP addresses
|
|
- "192.168.0.0/16" # Internal IP addresses
|
|
- "172.16.0.0/12" # Internal IP addresses
|
|
# Basic security headers
|
|
security-headers:
|
|
headers:
|
|
customResponseHeaders: # Custom response headers
|
|
Server: "" # Remove server header
|
|
X-Powered-By: "" # Remove powered by header
|
|
X-Forwarded-Proto: "https" # Set forwarded proto to https
|
|
sslProxyHeaders: # SSL proxy headers
|
|
X-Forwarded-Proto: "https" # Set forwarded proto to https
|
|
hostsProxyHeaders: # Hosts proxy headers
|
|
- "X-Forwarded-Host" # Set forwarded host
|
|
contentTypeNosniff: true # Prevent MIME sniffing
|
|
customFrameOptionsValue: "SAMEORIGIN" # Set frame options
|
|
referrerPolicy: "strict-origin-when-cross-origin" # Set referrer policy
|
|
forceSTSHeader: true # Force STS header
|
|
stsIncludeSubdomains: true # Include subdomains
|
|
stsSeconds: 63072000 # STS seconds
|
|
stsPreload: true # Preload STS
|
|
# CrowdSec configuration with proper IP forwarding
|
|
crowdsec:
|
|
plugin:
|
|
crowdsec:
|
|
enabled: true # Enable CrowdSec plugin
|
|
logLevel: INFO # Log level
|
|
updateIntervalSeconds: 15 # Update interval
|
|
updateMaxFailure: 0 # Update max failure
|
|
defaultDecisionSeconds: 15 # Default decision seconds
|
|
httpTimeoutSeconds: 10 # HTTP timeout
|
|
crowdsecMode: live # CrowdSec mode
|
|
crowdsecAppsecEnabled: true # Enable AppSec
|
|
crowdsecAppsecHost: crowdsec:7422 # CrowdSec IP address which you noted down later
|
|
crowdsecAppsecFailureBlock: true # Block on failure
|
|
crowdsecAppsecUnreachableBlock: true # Block on unreachable
|
|
crowdsecAppsecBodyLimit: 10485760
|
|
crowdsecLapiKey: "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK" # CrowdSec API key which you noted down later
|
|
crowdsecLapiHost: crowdsec:8080 # CrowdSec
|
|
crowdsecLapiScheme: http # CrowdSec API scheme
|
|
forwardedHeadersTrustedIPs: # Forwarded headers trusted IPs
|
|
- "0.0.0.0/0" # All IP addresses are trusted for forwarded headers (CHANGE MADE HERE)
|
|
clientTrustedIPs: # Client trusted IPs (CHANGE MADE HERE)
|
|
- "10.0.0.0/8" # Internal LAN IP addresses
|
|
- "172.16.0.0/12" # Internal LAN IP addresses
|
|
- "192.168.0.0/16" # Internal LAN IP addresses
|
|
- "100.89.137.0/20" # Internal LAN IP addresses
|
|
|
|
routers:
|
|
# HTTP to HTTPS redirect router
|
|
main-app-router-redirect:
|
|
rule: "Host(`{{.DashboardDomain}}`)" # Dynamic Domain Name
|
|
service: next-service
|
|
entryPoints:
|
|
- web
|
|
middlewares:
|
|
- redirect-to-https
|
|
|
|
# Next.js router (handles everything except API and WebSocket paths)
|
|
next-router:
|
|
rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)" # Dynamic Domain Name
|
|
service: next-service
|
|
entryPoints:
|
|
- websecure
|
|
middlewares:
|
|
- security-headers # Add security headers middleware
|
|
tls:
|
|
certResolver: letsencrypt
|
|
|
|
# API router (handles /api/v1 paths)
|
|
api-router:
|
|
rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)" # Dynamic Domain Name
|
|
service: api-service
|
|
entryPoints:
|
|
- websecure
|
|
middlewares:
|
|
- security-headers # Add security headers middleware
|
|
tls:
|
|
certResolver: letsencrypt
|
|
|
|
# WebSocket router
|
|
ws-router:
|
|
rule: "Host(`{{.DashboardDomain}}`)" # Dynamic Domain Name
|
|
service: api-service
|
|
entryPoints:
|
|
- websecure
|
|
middlewares:
|
|
- security-headers # Add security headers middleware
|
|
tls:
|
|
certResolver: letsencrypt
|
|
|
|
services:
|
|
next-service:
|
|
loadBalancer:
|
|
servers:
|
|
- url: "http://pangolin:3002" # Next.js server
|
|
|
|
api-service:
|
|
loadBalancer:
|
|
servers:
|
|
- url: "http://pangolin:3000" # API/WebSocket server |
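Review bot: `forwardedHeadersTrustedIPs` set to `"0.0.0.0/0"` in the crowdsec plugin block tells the bouncer to trust the forwarded-for header from every peer, so the address CrowdSec evaluates (and matches against `clientTrustedIPs`, which includes the RFC1918 ranges and `100.89.137.0/20`) is whatever the client claims rather than the connecting address, which undermines both the LAPI decision check and the AppSec verdict; limit it to the CIDR of the proxy or tunnel that actually sits in front of Traefik, e.g. `- "<UPSTREAM_PROXY_CIDR>"  # only the proxy in front of Traefik`, or drop the key so the direct peer address is used. The new `crowdsecAppsecBodyLimit: 10485760` is the one plugin key without a comment; I would add `# AppSec body limit in bytes (10 MiB) — confirm in the plugin docs whether larger bodies are skipped or blocked`. `crowdsecLapiKey` holds the bouncer key as a literal in a committed file; the plugin also accepts `crowdsecLapiKeyFile`, which keeps the key out of the config, and the placeholder comment should say so. `100.89.137.0/20` is not on a /20 boundary (the network it describes is `100.89.128.0/20`), and it sits in the 100.64.0.0/10 shared-address space rather than a LAN range — worth stating the intended range explicitly, since how the plugin normalises an unaligned prefix is not visible here. `default-whitelist` is defined but no router references it, so it is currently dead configuration.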