infrastructure/ansible/plays/services/traefik/dynamic.yaml

http:
  middlewares:
    metrics-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.0.0/16"
          - "172.16.0.0/16"
          - "10.254.1.0/16"
    vpn-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "10.1.0.0/24" # vpn
          - "10.2.0.0/24" # vpn
          - "127.0.0.1/32" # or local nets used by deployments
          - "192.168.0.0/16"
          - "172.16.0.0/16"
          - "10.254.1.0/16"
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: tobiasmanske.de
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://traefik-fa.tobiasmanske.de/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth@docker
        query: "/oauth2/sign_in"
    oauth:
      chain:
        middlewares:
          - oauth-errors
          - oauth-auth
    deny-metrics:
      replacePathRegex:
        regex: "^/metrics$"
        replacement: "/"
    hsts:
      headers:
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        sslRedirect: true
        stsPreload: true
        stsSeconds: 315360000
        stsIncludeSubdomains: true
Add Traefik-Forward-Auth Proxy 2022-10-01 15:34:55 +02:00			`http:`
			`middlewares:`
Traefik: Move to host mode 2023-08-10 14:16:30 +02:00			`metrics-ipwhitelist:`
			`ipWhiteList:`
			`sourceRange:`
			`- "127.0.0.1/32"`
			`- "192.168.0.0/16"`
			`- "172.16.0.0/16"`
Traefik: add vpn whitelist 2024-02-01 01:08:03 +01:00			`- "10.254.1.0/16"`
			`vpn-ipwhitelist:`
			`ipWhiteList:`
			`sourceRange:`
Add 2nd vpn ip range 2024-02-03 00:10:19 +01:00			`- "10.1.0.0/24" # vpn`
Traefik: add vpn whitelist 2024-02-01 01:08:03 +01:00			`- "10.2.0.0/24" # vpn`
			`- "127.0.0.1/32" # or local nets used by deployments`
			`- "192.168.0.0/16"`
			`- "172.16.0.0/16"`
Add external monitoring network 2023-08-10 16:29:52 +02:00			`- "10.254.1.0/16"`
Switch to oauth2-proxy 2023-04-09 22:08:47 +02:00			`auth-headers:`
			`headers:`
			`sslRedirect: true`
			`stsSeconds: 315360000`
			`browserXssFilter: true`
			`contentTypeNosniff: true`
			`forceSTSHeader: true`
			`sslHost: tobiasmanske.de`
			`stsIncludeSubdomains: true`
			`stsPreload: true`
			`frameDeny: true`
			`oauth-auth:`
Add Traefik-Forward-Auth Proxy 2022-10-01 15:34:55 +02:00			`forwardAuth:`
Switch to oauth2-proxy 2023-04-09 22:08:47 +02:00			`address: https://traefik-fa.tobiasmanske.de/oauth2/auth`
			`trustForwardHeader: true`
			`oauth-errors:`
			`errors:`
			`status:`
			`- "401-403"`
			`service: oauth@docker`
			`query: "/oauth2/sign_in"`
			`oauth:`
			`chain:`
			`middlewares:`
			`- oauth-errors`
			`- oauth-auth`
Block external access to /metrics endpoint by regex replace 2023-04-09 22:10:16 +02:00			`deny-metrics:`
			`replacePathRegex:`
			`regex: "^/metrics$"`
			`replacement: "/"`
Traefik: HSTS 2023-09-25 22:34:28 +02:00			`hsts:`
			`headers:`
			`contentTypeNosniff: true`
			`browserXssFilter: true`
			`forceSTSHeader: true`
			`sslRedirect: true`
			`stsPreload: true`
			`stsSeconds: 315360000`
			`stsIncludeSubdomains: true`