# Traefik Dynamic Configuration for External Services
# This file handles routing to services NOT managed by Docker Swarm
#
# Defines one active backend (unraid), one active router (unraid-local) and
# three middlewares (authentik, security-headers, rate-limit). No router in
# this file references any of the middlewares; presumably they are attached
# from another provider - verify where they are actually applied.
http:
  #-----------------------------------------------------------------------------------
  # EXTERNAL SERVICES SECTION
  #-----------------------------------------------------------------------------------
  services:
    # The backend URL uses plain http, so the hop from Traefik to 10.0.4.10 is
    # unencrypted even when the client side is served over TLS.
    # NOTE(review): confirm that network segment is trusted.
    unraid:
      loadBalancer:
        servers:
          - url: "http://10.0.4.10:80"

    # Disabled backends, kept for reference.
    # emby:
    #   loadBalancer:
    #     servers:
    #       - url: "http://10.0.4.10:8096"

    # peertube:
    #   loadBalancer:
    #     servers:
    #       - url: "http://10.0.4.10:9000"

  #-----------------------------------------------------------------------------------
  # ROUTERS SECTION
  #-----------------------------------------------------------------------------------
  routers:
    # Local VPN-only services (*.swarm.home)
    # Nothing in this router enforces "VPN-only": the rule matches on the Host
    # header alone and no `middlewares` key is set, so neither authentik nor an
    # IP restriction is applied here.
    # NOTE(review): confirm the restriction is enforced elsewhere (firewall,
    # entrypoint binding or an IP allow-list middleware).
    unraid-local:
      rule: "Host(`unraid.swarm.home`)"
      # A router with a `tls` section handles TLS requests only; presumably
      # `web` is the plain-HTTP entrypoint (defined in the static config, not
      # shown here) - confirm whether listing it is intended.
      entryPoints:
        - web
        - websecure
      service: unraid
      # Empty tls block: TLS is enabled without a certResolver, so the
      # certificate comes from whatever Traefik's TLS store provides.
      tls: {}

    # Disabled public router, kept for reference. It attaches none of the
    # middlewares defined below; review that before re-enabling it.
    # peertube:
    #   rule: "Host(`videos.frostlabs.me`)"
    #   entryPoints:
    #     - websecure
    #   service: peertube
    #   tls:
    #     certResolver: cloudflare

  #-----------------------------------------------------------------------------------
  # MIDDLEWARES SECTION
  #-----------------------------------------------------------------------------------
  middlewares:
    # Authentik forward auth for protecting services
    authentik:
      forwardAuth:
        # Plain-http call to the auth endpoint; presumably `authentik_server`
        # resolves on an internal network - TODO confirm.
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        # With this set, X-Forwarded-* headers already present on the incoming
        # request are trusted and passed to the auth server. That is only
        # sound when a trusted proxy in front of Traefik sets or strips them.
        # NOTE(review): confirm clients cannot reach Traefik directly.
        trustForwardHeader: true
        # Headers copied from the auth response onto the request sent to the
        # backend. A backend that trusts these identity headers should be
        # reachable only through this proxy.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

    # Security headers for public-facing services
    security-headers:
      headers:
        frameDeny: true
        # Emits the legacy X-XSS-Protection header.
        browserXssFilter: true
        contentTypeNosniff: true
        # NOTE(review): `sslRedirect` is deprecated in Traefik v2 and removed
        # in v3 - confirm the deployed version and whether the redirect is
        # handled at the entrypoint instead.
        sslRedirect: true
        # Sends the Strict-Transport-Security header even on non-TLS
        # connections.
        forceSTSHeader: true
        # 31536000 seconds = 365 days.
        stsSeconds: 31536000
        # includeSubdomains plus preload extends HSTS to every subdomain, and
        # preload-list entries are slow to remove; every subdomain must be
        # able to serve HTTPS before this is applied to a public host.
        stsIncludeSubdomains: true
        stsPreload: true

    # Rate limiting for public services
    # Allows an average of 100 requests per 1s period, with bursts of up to 50.
    # No sourceCriterion is set, so Traefik's default client grouping applies.
    # NOTE(review): if another proxy sits in front, confirm clients are not
    # all counted as a single source.
    rate-limit:
      rateLimit:
        average: 100
        period: 1s
        burst: 50