
Untitled

a guest
Jun 17th, 2023
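  # Traefik dynamic configuration (file provider): one manually routed
  # service, the shared middlewares, and the default TLS options.
  # The paste lost its nesting; it is restored here with 2-space indents.
  # Names, hosts and header values are as pasted unless a comment says so.
  http:

    ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
    routers:
      # Homeassistant routing - Remove if not used
      homeassistant:
        entryPoints:
          - https
        rule: 'Host(`homeassistant.ramuska.com`)'
        service: homeassistant
        # NOTE(review): there is no `tls` block on this router. Confirm that
        # TLS is enabled for the `https` entrypoint in the static config
        # (not shown here); without it this router only matches plain HTTP.
        # Only `auth` is attached here; `crowdsec-bouncer` and
        # `securityHeaders` below take effect only where they are referenced.
        middlewares:
          - auth

    ## SERVICES ##
    services:
      # Homeassistant service - Remove if not used
      homeassistant:
        loadBalancer:
          servers:
            # Backend is reached over plain HTTP on the LAN. It should not be
            # reachable from outside except through the router above.
            - url: 'http://192.168.1.2:8123'

    ## MIDDLEWARES ##
    middlewares:
      https-redirect:
        redirectScheme:
          scheme: https
          permanent: true

      crowdsec-bouncer:
        forwardauth:
          address: 'http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth'
          # NOTE(review): with trustForwardHeader enabled, existing
          # X-Forwarded-* request headers are passed on to the bouncer.
          # If Traefik is the internet-facing edge, a client can supply its
          # own X-Forwarded-For and be evaluated under a different address.
          # Keep `true` only when a trusted proxy sits in front and the
          # entrypoint restricts forwarded headers to that proxy's IPs.
          trustForwardHeader: true

      # Only Allow Local networks
      # Newer Traefik releases name this middleware `ipAllowList`; check the
      # version in use. Matching is done on the connection's remote address
      # unless an ipStrategy is configured.
      local-ipwhitelist:
        ipWhiteList:
          sourceRange:
            - 127.0.0.1/32  # localhost
            # Was 192.168.1.1/24: same range, written as the network address.
            - 192.168.1.0/24  # LAN Subnet

      # Authelia guard
      auth:
        forwardauth:
          # replace auth with your authelia container name
          address: 'http://authelia:9091/api/verify?rd=https://authelia.ramuska.com/'
          # NOTE(review): same forwarded-header trust caveat as on
          # crowdsec-bouncer above in this file.
          trustForwardHeader: true
          # These headers are copied from Authelia's response onto the
          # request sent to the backend. A backend that trusts them must be
          # reachable only through routers that carry this middleware.
          authResponseHeaders:
            - Remote-User
            - Remote-Groups
            - Remote-Name
            - Remote-Email

      # Authelia basic auth guard
      # Basic credentials accompany every request, so attach this only to
      # routers that are served over TLS.
      auth-basic:
        forwardauth:
          # replace auth with your authelia container name
          address: 'http://authelia:9091/api/verify?auth=basic'
          trustForwardHeader: true
          authResponseHeaders:
            - Remote-User
            - Remote-Groups
            - Remote-Name
            - Remote-Email

      # Security headers
      securityHeaders:
        headers:
          customResponseHeaders:
            X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
            # NOTE(review): X-Forwarded-Proto is a request header; sending it
            # in responses has no effect on clients. Kept as pasted.
            X-Forwarded-Proto: "https"
            # An empty value removes the Server header from responses.
            server: ""
          # NOTE(review): this tells the backend the request arrived over
          # HTTPS wherever the middleware is attached. Attach it only to
          # TLS routers so the backend is not misled about the scheme.
          customRequestHeaders:
            X-Forwarded-Proto: "https"
          sslProxyHeaders:
            X-Forwarded-Proto: "https"
          referrerPolicy: "same-origin"
          hostsProxyHeaders:
            - "X-Forwarded-Host"
          contentTypeNosniff: true
          # Sets the legacy X-XSS-Protection header, which current browsers
          # ignore; a Content-Security-Policy is the effective control.
          browserXssFilter: true
          forceSTSHeader: true
          # Two-year HSTS with includeSubDomains and preload is hard to roll
          # back; every subdomain of the host must already serve valid HTTPS.
          stsIncludeSubdomains: true
          stsSeconds: 63072000
          stsPreload: true

      ### Let's give them a new name so it won't conflict with others
      nextcloud-middlewares-secure-headers:
        headers:
          hostsProxyHeaders:
            - "X-Forwarded-Host"
          accessControlMaxAge: 100
          stsSeconds: 63072000
          stsIncludeSubdomains: true
          stsPreload: true
          forceSTSHeader: true
          ### We will modify this value for Nextcloud to remove the X-Frame-Options error:
          # CSP takes care of this but may be needed for organizr.
          customFrameOptionsValue: "SAMEORIGIN"
          contentTypeNosniff: true
          browserXssFilter: true
          # sslForceHost: true # add sslHost to all of the services
          # sslHost: "example.com"
          referrerPolicy: "same-origin"
          customResponseHeaders:
            ### Change this to none to remove the Robots error:
            X-Robots-Tag: "noindex,nofollow"

      ### This section redirects requests for Nextcloud calendar and contacts service discovery
      ### source: https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery
      nextcloud-redirect:
        redirectRegex:
          permanent: true
          # Anchored at the start, with the host capture stopping at the
          # first "/" and the dot in ".well-known" escaped, so only the
          # root-level discovery paths match. Single quotes keep the
          # backslash literal for the regex engine.
          regex: '^https://([^/]+)/\.well-known/(card|cal)dav'
          replacement: 'https://${1}/remote.php/dav/'

      chain-nextcloud:
        chain:
          middlewares:
            - nextcloud-middlewares-secure-headers
            - nextcloud-redirect

  # Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
  # cipherSuites applies to TLS 1.2 connections; the TLS 1.3 suites are not
  # configurable and stay enabled.
  tls:
    options:
      default:
        minVersion: VersionTLS12
        cipherSuites:
          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305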