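---
# Traefik dynamic configuration (file provider).
# Routers/services for Docker-based workloads are declared via container
# labels; this file only keeps the shared middlewares (and a disabled
# legacy router/service pair kept for reference).
http:
  routers:
    # Router for Gogs (if it's running outside Docker or on different network)
    # Disabled - now using Gitea with Docker labels
    # gogs:
    #   rule: "Host(`git.pkartchner.com`)"
    #   entryPoints:
    #     - https
    #   service: gogs
    #   middlewares:
    #     - geoblock
    #     - secure-headers
    #     - crowdsec-bouncer
    #   tls:
    #     certResolver: letsencrypt

  services:
    # Service for Gogs
    # Disabled - now using Gitea with Docker labels
    # gogs:
    #   loadBalancer:
    #     servers:
    #       - url: "http://gogs.pkartchner.com:3000"

  middlewares:
    # Security headers.
    # NOTE: stsPreload + stsIncludeSubdomains submits every subdomain of the
    # served hosts to the browser HSTS preload list; that is effectively
    # irreversible, so make sure no subdomain ever needs to be served over
    # plain HTTP before keeping these two enabled.
    # browserXssFilter sets the legacy X-XSS-Protection header, which modern
    # browsers ignore; it is harmless but provides no protection on its own.
    # No Content-Security-Policy is set here - add one per service (via
    # customResponseHeaders) rather than globally, since a global CSP would
    # break apps with differing script/style needs.
    secure-headers:
      headers:
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"

    # IP whitelist for internal network access only.
    # The match is done against the connection's remote address unless an
    # ipStrategy is configured; if Traefik sits behind another proxy the
    # remote address is the proxy's, and this list silently stops matching
    # real clients (or, worse, matches the proxy for everyone). Add an
    # ipStrategy (depth / excludedIPs) if that is the case.
    # NOTE(review): this key is spelled ipWhiteList (Traefik v2); Traefik v3
    # renamed it to ipAllowList - confirm against the Traefik version in use.
    internal-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.20.10.0/24"
          - "10.20.140.0/24"
          - "127.0.0.1/32"

    # Crowdsec bouncer middleware (crowdsec-bouncer-traefik-plugin).
    crowdsec-bouncer:
      plugin:
        bouncer:
          enabled: true
          crowdsecMode: live
          # The LAPI key was previously committed to this file in plaintext.
          # It is now read from the CROWDSEC_LAPI_KEY environment variable via
          # the file provider's Go templating; the previously committed key
          # must be treated as compromised and rotated on the CrowdSec side
          # (`cscli bouncers delete/add`), since it lives in VCS history.
          crowdsecLapiKey: '{{ env "CROWDSEC_LAPI_KEY" }}'
          # Plaintext HTTP to the LAPI; acceptable only because the
          # `crowdsec` host is reachable solely on the internal Docker network.
          crowdsecLapiHost: "crowdsec:8080"
          crowdsecLapiScheme: http
          # Header the bouncer reads the client IP from when the request
          # arrives via a trusted forwarding proxy. If no upstream proxy
          # actually sets X-Custom-Header, and the plugin is configured to
          # trust it, a client could supply the header itself and have the
          # bouncer evaluate a spoofed IP - keep this paired with the plugin's
          # trusted-IP setting (forwardedHeadersTrustedIPs) and only trust
          # addresses of proxies you control. TODO(review): confirm which
          # upstream sets this header.
          forwardedHeadersCustomName: X-Custom-Header

    # GeoIP blocking - allow only US traffic.
    # Country lookup is an outbound call to geojs.io per new IP (cached);
    # unknown/unresolvable countries are denied (allowUnknownCountries: false),
    # so a lookup-API outage fails closed for non-cached clients.
    geoblock:
      plugin:
        geoblock:
          silentStartUp: false
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: true
          logApiRequests: true
          api: https://get.geojs.io/v1/ip/country/{ip}
          apiTimeoutMs: 750
          cacheSize: 25
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          # Quoted: this is the literal string the plugin compares the API
          # response against for "unknown country"; a bare `nil` is also a
          # string in YAML, the quotes just make the intent explicit.
          unknownCountryApiResponse: "nil"
          countries:
            - US

    # Rate limiting for Harbor - prevent brute force attacks.
    # Without a sourceCriterion Traefik keys the bucket on the connection's
    # remote address; behind another proxy that is a single shared bucket
    # for all clients (trivially DoS-able) - set
    # sourceCriterion.ipStrategy.depth in that case.
    harbor-ratelimit:
      rateLimit:
        average: 100
        burst: 50
        period: 1m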