(traefik) config.yml

http:
  routers:
    catchall:
      rule: "HostRegexp(`{host:.+}`)"
      priority: 1
      service: catchall
      middlewares:
        - redirectregex
  services:
    catchall:
      loadBalancer:
        servers:
          - url: "http://catchall"
  middlewares:
    external:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000
        customResponseHeaders:
          X-Robots-Tag: none,noarchive,nosnippet,notranslate,noimageindex,
          Permissions-Policy: geolocation=(self), microphone=(), camera=(), payment=(), usb=(), vr=()
        referrerPolicy: same-origin
    internal:
      ipWhiteList:
        sourceRange:
          - 10.0.0.0/8
          - 192.168.0.0/16
          - 172.16.0.0/12
    redirectregex:
      redirectregex:
        regex: "^https?://[^/]+/(.*)"
        replacement: "https://{{env "TRAEFIK_DOMAIN"}}/${1}"
    auth:
      basicAuth:
        users:
          - 'xx:xxx' # generate using for example https://www.web2generators.com/apache-tools/htpasswd-generator
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    mintls13:
      minVersion: VersionTLS13