---
# Core Traefik dynamic configuration: the catch-all HTTP->HTTPS router and
# the shared middlewares (redirect, forward auth, security headers, gzip).
# Routers for external services belong in separate files or Docker labels.
http:
  routers:
    # Catch-all on the plain-HTTP entry point. The redirect middleware
    # answers every request, so the internal no-op service is only a
    # placeholder. Priority 1 lets any router with a higher priority win.
    # NOTE(review): `{host:.+}` is the Traefik v2 HostRegexp form; v3 expects
    # a plain regular expression - confirm against the deployed version.
    https-redirect:
      entryPoints:
        - http
      rule: 'HostRegexp(`{host:.+}`)'
      service: noop@internal
      middlewares:
        - redirect-to-https
      priority: 1

  middlewares:
    # Scheme redirect to HTTPS. `permanent` is not set, so this is
    # presumably a temporary redirect - confirm that is intended.
    redirect-to-https:
      redirectScheme:
        scheme: 'https'

    # Authentik forward auth - update the URL after authentik is deployed.
    # The outpost is reached over plain HTTP, so the identity headers below
    # (including X-authentik-jwt) cross that hop unencrypted; this assumes a
    # private container network - TODO confirm.
    auth:
      forwardAuth:
        address: 'http://authentik-server:9000/outpost.goauthentik.io/auth/traefik'
        # Existing X-Forwarded-* request headers are passed to the outpost
        # as received. Only sound when the entry points drop those headers
        # from untrusted peers: check forwardedHeaders.trustedIPs and make
        # sure forwardedHeaders.insecure is not enabled in the static config.
        trustForwardHeader: true
        # Copied from the outpost response onto the request sent upstream.
        # A router that does not attach this middleware passes
        # client-supplied X-authentik-* headers through untouched, so a
        # backend that trusts them must never be reachable without `auth`.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    # Security headers. No contentSecurityPolicy or frameDeny is set here;
    # services that need them must add their own.
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: 'none,noarchive,nosnippet,notranslate,noimageindex'
          # An empty value strips the Server header from responses.
          server: ''
          # NOTE(review): X-Forwarded-Proto is normally a request header;
          # here it is added to responses. Check whether
          # customRequestHeaders was intended.
          X-Forwarded-Proto: 'https'
        # Request headers taken as proof of TLS / of the original host.
        # They are only as trustworthy as the hop that sets them.
        sslProxyHeaders:
          X-Forwarded-Proto: 'https'
        referrerPolicy: 'same-origin'
        hostsProxyHeaders:
          - 'X-Forwarded-Host'
        contentTypeNosniff: true
        # Emits the legacy X-XSS-Protection header; current browsers
        # ignore it, so it is no substitute for a Content-Security-Policy.
        browserXssFilter: true
        # HSTS: two years (63072000 s), all subdomains, preload. Every
        # subdomain must serve HTTPS before this ships, because preload
        # listing is slow to undo. forceSTSHeader sends the header even
        # when the connection itself is not HTTPS.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

    # Gzip compression with default settings.
    gzip:
      compress: {}