Initial commit

traefik-crowdsec-stack/traefik/dynamic_conf.yml

@@ -0,0 +1,91 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true
+http:
+  middlewares:
+    default:
+      chain:
+        middlewares:
+          - default-security-headers
+          - gzip
+
+    default-security-headers:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customFrameOptionsValue: "SAMEORIGIN"
+    gzip:
+      compress: {}
+
+    traefik-crowdsec-bouncer:
+      forwardauth:
+        address: http://traefik-crowdsec-bouncer:8080/api/v1/forwardAuth
+        trustForwardHeader: true
+
+    real-ip-cf:
+      plugin:
+        real-ip:
+          Proxy:
+            - proxyHeadername: "*"
+              realIP: Cf-Connecting-Ip
+              OverwriteXFF: true
+
+    hpnetwork-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "10.1.0.0/24"
+          - "10.6.0.0/24"
+          - "192.168.0.0/24"
+
+  routers:
+    routerasteriskold:
+      rule: "Host(`asterisk.prothmann.com`)"
+      service: asteriskold@file
+      entryPoints: websecure
+      tls:
+        certResolver: http_resolver
+      middlewares:
+        - hpnetwork-whitelist
+
+    routerrspamdold:
+      rule: "Host(`rspamd.prothmann.com`)"
+      service: rspamdold@file
+      entryPoints: websecure
+      tls:
+        certResolver: http_resolver
+      middlewares:
+        - hpnetwork-whitelist
+
+    
+  services:
+    nextcloud:
+      loadBalancer:
+        servers:
+          - url: "http://10.1.0.13:11000"
+    asteriskold:
+      loadBalancer:
+        servers:
+          - url: "http://10.3.0.28:80"
+    rspamdold:
+      loadBalancer:
+        servers:
+          - url: "http://mail.prothmann.com/rspamd/"
+

traefik-crowdsec-stack/traefik/traefik.yml

@@ -0,0 +1,76 @@
+api:
+  dashboard: true
+
+metrics:
+  prometheus:
+    addrouterslabels: true
+
+certificatesResolvers:
+  http_resolver:
+    acme:
+      email: "webmaster@prothmann.com"
+      storage: "acme_letsencrypt.json"
+      httpChallenge:
+        entryPoint: web
+  tls_resolver:
+    acme:
+      tlsChallenge: true
+      email: "webmaster@prothmann.com"
+      storage: "tls_letsencrypt.json"
+entryPoints:
+  ping:
+    address: ":88"
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: "websecure"
+          scheme: "https"
+      middlewares:
+        - traefik-crowdsec-bouncer@file
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - traefik-crowdsec-bouncer@file
+    proxyProtocol:
+      trustedIPs:
+       - 10.0.0.0/8
+       - 172.16.0.0/12
+       - 192.168.0.0/16
+    forwardedHeaders:
+      trustedIPs:
+       - 10.0.0.0/8
+       - 172.16.0.0/12
+       - 192.168.0.0/16
+
+ping:
+  entryPoint: "ping"
+
+global:
+  checknewversion: true
+  sendanonymoususage: false
+
+experimental:
+  plugins:
+    real-ip:
+      moduleName: github.com/Paxxs/traefik-get-real-ip
+      version: "v1.0.2"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: "proxy"
+  file:
+    filename: "./dynamic_conf.yml"
+    watch: true
+  providersThrottleDuration: 10
+
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  bufferingSize: 100