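---
# Traefik dynamic configuration (file provider): shared HTTP middlewares.
# NOTE(review): the nesting below was rebuilt from a copy whose line breaks
# were lost; check each plugin block against that plugin's documentation.
http:
  middlewares:
    # Delegates the allow/deny decision for each request to the bouncer.
    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        # Passes incoming X-Forwarded-* headers to the bouncer unchanged.
        # Only safe when the entry point limits who may set them
        # (forwardedHeaders.trustedIPs); otherwise the client address the
        # ban decision sees can be supplied by the client itself.
        trustForwardHeader: true

    shuul-auth:
      forwardAuth:
        address: http://shuul:3000/api/v1/shuul

    # Baseline chain: security headers, then compression.
    default:
      chain:
        middlewares:
          - default-security-headers
          - gzip

    gzip:
      compress: {}

    default-security-headers:
      headers:
        browserXssFilter: true  # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true  # X-Content-Type-Options=nosniff
        forceSTSHeader: true  # Add the Strict-Transport-Security header even when the connection is HTTP
        # NOTE(review): with frameDeny off, this chain sends no
        # X-Frame-Options; if framing is not needed, restrict it with
        # contentSecurityPolicy (frame-ancestors) instead.
        #frameDeny: true # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        # NOTE(review): sslRedirect is deprecated in Traefik v2 and absent
        # in v3; entry point redirection or a redirectScheme middleware
        # replaces it. Verify against the deployed version.
        sslRedirect: true  # Allow only https requests
        stsIncludeSubdomains: true  # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 63072000

    secure-headers:
      headers:
        # Connection: "keep-alive, Upgrade"
        # X-Forwarded-Proto: "https, http, ws, wss"
        # Upgrade: "WebSocket"
        # Canonical key spelling and native types, matching
        # default-security-headers above.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        customRequestHeaders:
          Connection: "keep-alive, Upgrade"
          # An empty value removes the header from the request.
          X-Forwarded-Host: ""
          # NOTE(review): this replaces X-Forwarded-Proto with a fixed list
          # instead of the scheme actually used; backends that branch on it
          # (redirects, Secure cookies) get no valid value. Confirm intended.
          X-Forwarded-Proto: "https, http, ws, wss"
        # NOTE(review): Connection, Upgrade and X-Forwarded-* are
        # request/hop-by-hop headers; setting them on responses probably
        # has no useful effect. Confirm these entries are needed.
        customResponseHeaders:
          Connection: "keep-alive, Upgrade"
          X-Forwarded-Host: ""
          X-Forwarded-Proto: "https, http, ws, wss"
          Upgrade: "WebSocket"
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        #referrerPolicy: "same-origin"

    # Country allow-list (blackListMode: false); unknown countries are
    # rejected, so a failed lookup fails closed.
    my-geoblock:
      plugin:
        geoblock:
          silentStartUp: false
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: true
          # Every uncached client IP is sent to this third-party service.
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 750  # optional
          cacheSize: 15
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          blackListMode: false
          countries:
            - "ES"

    my-torblock:
      plugin:
        torblock:
          enabled: true

    my-traefik-real-ip:
      plugin:
        traefik-real-ip:
          # NOTE(review): 1.1.1.1/24 has host bits set (the network is
          # 1.1.1.0/24) and looks like a sample value; list the ranges of
          # the proxies actually in front of Traefik. Any middleware that
          # acts on the client IP inherits whatever this one derives.
          excludednets:
            - "1.1.1.1/24"

    oidc-auth:
      plugin:
        traefik-oidc-auth:
          # Secret and ClientSecret are redacted placeholders. Keep the real
          # values out of version control and restrict read access to this
          # file; inject them at deploy time where the plugin version
          # allows it.
          Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          Provider:
            ClientId: XXXXXXXx-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX
            ClientSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            Url: https://pocketid.tuservidor.es/
            TokenValidation: IdToken
          # NOTE(review): Scopes placed at plugin level, outside Provider;
          # the collapsed source does not show its nesting. Confirm.
          Scopes:
            - openid
            - profile
            - email

    my-sablier:
      plugin:
        sablier:
          group: default
          dynamic:
            displayName: Servidor Linux
            refreshFrequency: 5s
            showDetails: "true"
            theme: hacker-terminal
          sablierUrl: http://sablier:10000
          sessionDuration: 1m

    htransformation:
      plugin:
        htransformation:
          Rules:
            # NOTE(review): Rule carries no value of its own here and the
            # fields are written as its siblings; the collapsed source does
            # not show whether they were nested under it. Confirm.
            - Rule:
              Name: 'X-Client-Port Set'
              Header: 'X-Client-Port'
              Value: '^X-Forwarded-Port'
              HeaderPrefix: "^"
              Type: 'Set'

    my-fail2ban:
      plugin:
        fail2ban:
          loglevel: "INFO"
          # NOTE(review): this denies a whole private /24 while my-geoblock
          # sets allowLocalRequests: true; confirm the two are meant to
          # differ and that no internal client sits in this range.
          denylist:
            ip:
              - 192.168.0.0/24
          rules:
            # NOTE(review): these paths look like sample values; replace
            # them with the routes this deployment actually exposes.
            urlregexps:
              - regexp: "/whoami"
                mode: allow
              - regexp: "/do-not-access"
                mode: block
              - regexp: "/no"
                mode: block
              - regexp: "/yes"
                mode: allow
            bantime: "3h"
            findtime: "10m"
            maxretry: 4
            enabled: true
            statuscode: "400,401,403-499"
          allowlist:
            ip:
              # Quoted: a plain scalar that starts with ':' is easy to
              # misparse.
              - "::1"
              - 127.0.0.1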