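---
# Traefik static config options
# Only loaded on startup!
#
# This single file serves two roles: Traefik reads it as its static
# configuration at startup, and providers.file below points back at the same
# path so the `tls:` and `http:` sections after the `###` marker are picked up
# as live-reloaded dynamic configuration.

global:
  sendAnonymousUsage: false

# Leave disabled: skipping certificate verification on backend connections
# reduces TLS to the backends to unauthenticated encryption.
#serversTransport:
#  insecureSkipVerify: true

entryPoints:
  web:
    address: ":80"
    http:
      # Plain HTTP is only ever answered with a redirect to websecure.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  file:
    # The dynamic sections of this very file (see the `###` marker below).
    filename: "/etc/traefik/traefik.yml"
  docker:
    watch: true
    # Access to the Docker socket is equivalent to control of the host's
    # Docker daemon, and a read-only mount does not restrict the API. A socket
    # proxy that exposes only the endpoints Traefik needs limits the blast
    # radius should Traefik itself be compromised.
    endpoint: "unix:///var/run/docker.sock"
    # Containers are routed only when they opt in with traefik.enable=true.
    exposedByDefault: false
    network: traefik

api:
  # api.insecure is left at its default, so the dashboard is reachable only
  # through the `api` router in the dynamic section, behind dashboard-auth.
  dashboard: true

metrics:
  prometheus: {}

ping: {}

log:
  level: WARN

accessLog:
  filePath: "/data/logs/access.log"
  bufferingSize: 128

certificatesResolvers:
  letsencrypt:
    acme:
      # "changeme" suggests a placeholder; Let's Encrypt sends expiry and
      # incident notices to this address, so it should reach someone.
      email: "changeme@chaospott.de"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      # Holds the ACME account key and every issued private key: keep it
      # mode 0600 and out of version control.
      storage: "/data/acme.json"
      keyType: "EC384"
      #httpChallenge:
      #  entryPoint: web
      dnsChallenge:
        # DNS-01 is required for the wildcard certificate requested in the
        # `api` router below. The inwx API credentials are supplied through
        # environment variables, not in this file.
        provider: inwx # more available at: https://doc.traefik.io/traefik/https/acme/#providers
        # Checked by traefik before issuing LE; these need to be public DNS servers!
        # Quad9
        resolvers: ["9.9.9.9", "2620:fe::fe"]
  letsencrypt-staging: # this is for testing new services
    acme:
      email: "changeme@chaospott.de"
      # Staging issues certificates browsers do not trust but has far higher
      # rate limits; use it while validating a new service's routing.
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage: "/data/acme-staging.json"
      keyType: "EC384"
      #httpChallenge:
      #  entryPoint: web
      dnsChallenge:
        provider: inwx
        # Checked by traefik before issuing LE; these need to be public DNS servers!
        # Quad9
        resolvers: ["9.9.9.9", "2620:fe::fe"]

###
# Traefik dynamic configuration options
# File is live-reloaded.
# Not all dynamic options can be set via labels. This is why some general, dynamic
# traefik options are configured here instead of on labels.
# See also: https://github.com/traefik/traefik/issues/5507

tls:
  options:
    default:
      # Reject handshakes that send no SNI, or an SNI matching none of the
      # configured certificates, instead of serving the default certificate.
      sniStrict: true
      # # Forced TLS v1.3 still causes issues like renovate failing to check our repos
      # minVersion: "VersionTLS13"
      # # TLS v1.2 Alternative config for more compatibility
      minVersion: "VersionTLS12"
      # AEAD-only, forward-secret suites. This list governs TLS 1.2 handshakes
      # only; Go's crypto/tls does not let TLS 1.3 suites be restricted.
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

# global HTTP config
http:
  routers:
    api:
      rule: "Host(`traefik.chaospott.de`)"
      service: api@internal
      # Only dashboard-auth is attached here. hsts-header and
      # redirect-to-https below take effect only on routers that reference
      # them (e.g. via container labels), so the dashboard itself is served
      # without the security headers.
      middlewares: ["dashboard-auth"]
      tls:
        certResolver: "letsencrypt"
        # generate cert for main domain and wildcard (requires DNS-01)
        domains:
          - main: "chaospott.de"
          - main: "*.chaospott.de"
  middlewares:
    # Appears redundant with the entryPoint-level redirection in the static
    # section, but remains available for containers that reference it.
    redirect-to-https:
      redirectScheme:
        scheme: "https"
    hsts-header:
      headers:
        # HSTSPreload is an initiative that forces browsers to only access a website
        # via HTTPS. This implies some requirements. https://hstspreload.org/
        #
        # NOTE(review): customResponseHeaders was a bare (null) value in the
        # original; the options below are `headers` options in Traefik's
        # schema and are placed as its siblings. Confirm against the original
        # indentation — nesting them under customResponseHeaders would emit
        # them as literal response headers instead of enabling the options.
        customResponseHeaders: {}
        frameDeny: true # forbid embedding into frames
        # Deprecated upstream in favor of entryPoint redirection or the
        # redirectScheme middleware, both of which this file already has.
        sslRedirect: true
        # Must be at least 31536000 (1-year) for HSTSPreload. A short max-age
        # is a sensible ramp-up while rolling HSTS out, but raise it before
        # submitting to hstspreload.org — until then the preload token below
        # has no effect.
        stsSeconds: 3600
        stsPreload: true # HSTSPreload requirement
        stsIncludeSubdomains: true # HSTSPreload requirement
        # Sends X-XSS-Protection: 1; mode=block. Current browsers have removed
        # this filter and present guidance is to leave it off; harmless here
        # but ineffective.
        browserXssFilter: true
    dashboard-auth:
      basicauth:
        # htpasswd-style "name:hash" entry; the value here is a placeholder.
        # Prefer usersFile pointing at a file outside version control so the
        # hash is not committed alongside the rest of the configuration.
        users: "admin:htpasswd-generated-password"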