##### STATIC CONFIG #####
# Process-wide switches.
global:
  # Version check stays on; anonymous usage reporting is turned off.
  # NOTE(review): the version check is an outbound call, so it needs to be
  # allowed (or this set to false) on hosts with restricted egress.
  checkNewVersion: true
  sendAnonymousUsage: false
# CA certificates trusted when the proxy opens TLS connections to backends.
serversTransport:
  rootCAs:
    # cloudflare.crt is also the client-auth CA under tls.options, so the
    # same file is trusted in both directions.
    # NOTE(review): confirm that is intended rather than a copy/paste.
    - /etc/traefik/ssl/cloudflare.crt
    - /etc/traefik/ssl/rootca.crt
# Dashboard/API is enabled, but not in insecure mode, so it is only reachable
# through a router that targets api@internal.
# NOTE(review): no such router appears in this file; wherever it is defined,
# it should carry an authentication middleware.
api:
  dashboard: true
  insecure: false
# Health-check endpoint, routed automatically (manualRouting: false).
# The "traefik" entry point is not declared under entryPoints in this file.
# NOTE(review): presumably the built-in internal entry point (default :8080)
# is used; confirm that port is not reachable from untrusted networks.
ping:
  entryPoint: "traefik"
  manualRouting: false
# Prometheus metrics, served on the same "traefik" entry point as ping and
# routed automatically (manualRouting: false).
# NOTE(review): nothing here adds authentication to the metrics endpoint, and
# the labels expose entry point and service names; restrict network access to
# that port to the scraper.
metrics:
  prometheus:
    entryPoint: "traefik"
    addEntryPointsLabels: true
    addServicesLabels: true
    manualRouting: false
    # Histogram bucket boundaries for request duration.
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
# Proxy's own log: INFO level, JSON lines, written to a file.
# NOTE(review): the log directory sits under /etc/traefik next to the config
# and key material; confirm rotation and directory permissions are handled
# outside this file.
log:
  level: INFO
  filePath: /etc/traefik/log/traefik.log
  format: json
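# Access log: one JSON record per request, written to a file.
accessLog:
  filePath: /etc/traefik/log/access.log
  format: json
  fields:
    # Every standard field is kept except the client user name.
    defaultMode: keep
    names:
      clientUsername: drop
    headers:
      # Headers are kept by default, so every header that can carry a
      # credential or session token has to be dropped by name. Dropping only
      # Authorization would still write cookies to access.log.
      # Add any application-specific token headers to this list as well.
      defaultMode: keep
      names:
        User-Agent: keep
        Authorization: drop
        Proxy-Authorization: drop
        Cookie: drop
        Set-Cookie: drop
        Content-Type: keep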
# ACME resolver named "letsencrypt", referenced by the websecure entry point.
certificatesResolvers:
  letsencrypt:
    acme:
      # Let's Encrypt v2 directory URL.
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: edwin@thelyoncompany.com
      # acme.json holds the ACME account key and the issued certificates
      # with their private keys; keep it readable by the proxy user only.
      storage: /etc/traefik/ssl/acme.json
      keyType: EC256
      # DNS-01 challenge through Cloudflare. No API credential appears in
      # this file.
      # NOTE(review): presumably the token comes from the environment
      # (e.g. CF_DNS_API_TOKEN); it should be scoped to DNS edits on the
      # zones listed under entryPoints only.
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
        # Resolvers queried when checking that the challenge record exists.
        resolvers:
          - '1.1.1.1:53'
          - '1.0.0.1:53'
# File provider pointed back at this same file, so the dynamic sections in it
# (here: tls) are loaded from it and re-read on change (watch: true).
# Anyone who can write this file can change routing and TLS settings of the
# running proxy, so its permissions matter as much as those of the keys.
providers:
  file:
    filename: /etc/traefik/traefik.yml
    watch: true
# Listeners. Only web (:80) and websecure (:443) are declared here.
entryPoints:
  web:
    address: ":80"
    http:
      # Every plain-HTTP request is permanently redirected to websecure
      # over https.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      # Middlewares applied to every router on this entry point. The @file
      # suffix means they must be supplied by the file provider.
      # NOTE(review): no http.middlewares section is visible in this file,
      # which is the only file the provider loads; confirm both are defined.
      middlewares:
        - cf-passtlsclientcert@file
        - secure-header@file
      tls:
        # Uses tls.options.default (TLS 1.2+, mandatory client certificate).
        options: default
        certResolver: letsencrypt
        # Wildcard certificates requested from the resolver for both zones.
        domains:
          - main: "technerdonline.com"
            sans:
              - "*.technerdonline.com"
          - main: "technerdonline.net"
            sans:
              - "*.technerdonline.net"
# Dynamic TLS configuration: static certificates, option sets and stores.
tls:
  # Certificates loaded from disk and the store each one is assigned to.
  # The private keys live under /etc/traefik/ssl; they should be readable by
  # the proxy user only.
  certificates:
    - certFile: /etc/traefik/ssl/cert.pem
      keyFile: /etc/traefik/ssl/key.pem
      stores: default
    # NOTE(review): Traefik's documentation states that only the store named
    # "default" is used; confirm this certificate and the technerdonline.net
    # store further down actually take effect.
    - certFile: /etc/traefik/ssl/technerdonline.net.pem
      keyFile: /etc/traefik/ssl/technerdonline.net-key.pem
      stores: technerdonline.net
  options:
    # Option set used by the websecure entry point (options: default).
    default:
      minVersion: VersionTLS12
      maxVersion: VersionTLS13
      # AEAD/ECDHE suites only. This list constrains TLS 1.2; TLS 1.3 suites
      # are not configurable in Go's TLS stack.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Only P-521 and P-384 are offered.
      # NOTE(review): clients limited to X25519 or P-256 may not be able to
      # connect; confirm the peers in front of this proxy support these.
      curvePreferences:
        - CurveP521
        - CurveP384
      # Reject handshakes whose SNI is missing or matches no certificate.
      sniStrict: true
      preferServerCipherSuites: true
      # Mutual TLS: the client must present a certificate that chains to
      # cloudflare.crt.
      # NOTE(review): if cloudflare.crt is a CA shared across Cloudflare
      # customers, this proves the request came through Cloudflare but not
      # that it came from this account's zones; a zone-specific client
      # certificate or an additional host check would close that gap.
      clientAuth:
        caFiles:
          - /etc/traefik/ssl/cloudflare.crt
        clientAuthType: RequireAndVerifyClientCert
    # TLS 1.3-only variant with the same client-certificate requirement.
    # Nothing in this file references it.
    mintls13:
      minVersion: VersionTLS13
      maxVersion: VersionTLS13
      sniStrict: true
      clientAuth:
        caFiles:
          - /etc/traefik/ssl/cloudflare.crt
        clientAuthType: RequireAndVerifyClientCert
  # Default certificate per store; same files as in the certificates list.
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/ssl/cert.pem
        keyFile: /etc/traefik/ssl/key.pem
    technerdonline.net:
      defaultCertificate:
        certFile: /etc/traefik/ssl/technerdonline.net.pem
        keyFile: /etc/traefik/ssl/technerdonline.net-key.pem