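# Core middlewares for traefik
# External service routers should be added as separate files or via docker labels
#
# NOTE(review): the nesting below was reconstructed from a flattened listing,
# following Traefik's dynamic-configuration schema; keys and values are
# unchanged. Confirm against the file on disk.
#
# Only `redirect-to-https` is attached to a router in this file. `auth`,
# `securityHeaders` and `gzip` take effect only on routers that list them
# (as `<name>@file` when referenced from another provider such as Docker
# labels). A router that omits `auth` is unauthenticated.

http:
  routers:
    # Redirect HTTP to HTTPS
    # Catch-all on the plain-HTTP entry point. priority 1 keeps it below any
    # more specific router; noop@internal is a placeholder service because
    # the redirect answers before a backend is reached.
    https-redirect:
      entryPoints:
        - http
      # NOTE(review): `{host:.+}` is the Traefik v2 HostRegexp form; check the
      # rule syntax if this file is loaded by Traefik v3.
      rule: "HostRegexp(`{host:.+}`)"
      service: noop@internal
      middlewares:
        - redirect-to-https
      priority: 1

  middlewares:
    # HTTPS redirect
    # No `permanent: true` is set, so the redirect is a temporary one.
    redirect-to-https:
      redirectScheme:
        scheme: https

    # Authentik forward auth - update URL after authentik is deployed
    auth:
      forwardAuth:
        # Plain HTTP to the outpost: keep authentik-server on an internal
        # network only, so this hop cannot be observed or answered by
        # anything other than the outpost.
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        # Passes the incoming X-Forwarded-* headers to the outpost as-is.
        # That is only sound when the entry points do not accept those
        # headers from untrusted clients (forwardedHeaders.trustedIPs limited
        # to real upstream proxies, forwardedHeaders.insecure left off).
        trustForwardHeader: true
        # Copied from the outpost's response onto the request sent to the
        # backend. Backends that treat these as identity must be reachable
        # only through routers that attach this middleware; on any other
        # path a client can supply the same header names itself.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # Empty value removes the Server header from responses.
          server: ""
          # NOTE(review): this is set on the response to the client. If the
          # intent was to tell backends the original scheme, it belongs under
          # customRequestHeaders instead - confirm before changing.
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        # Emits X-XSS-Protection, which current browsers ignore. No
        # contentSecurityPolicy is set here; that is the effective control
        # against script injection.
        browserXssFilter: true
        # HSTS: 63072000 s = 2 years, sent even on non-TLS connections
        # (forceSTSHeader), covering every subdomain and flagged for the
        # browser preload list. Every subdomain must already serve valid
        # HTTPS; a preload listing is slow to withdraw.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

    # Gzip compression
    gzip:
      compress: {}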