81 lines
2.1 KiB
YAML
81 lines
2.1 KiB
YAML
http:
|
|
routers:
|
|
# Router for Gogs (if it's running outside Docker or on different network)
|
|
# Disabled - now using Gitea with Docker labels
|
|
# gogs:
|
|
# rule: "Host(`git.pkartchner.com`)"
|
|
# entryPoints:
|
|
# - https
|
|
# service: gogs
|
|
# middlewares:
|
|
# - geoblock
|
|
# - secure-headers
|
|
# - crowdsec-bouncer
|
|
# tls:
|
|
# certResolver: letsencrypt
|
|
|
|
services:
|
|
# Service for Gogs
|
|
# Disabled - now using Gitea with Docker labels
|
|
# gogs:
|
|
# loadBalancer:
|
|
# servers:
|
|
# - url: "http://gogs.pkartchner.com:3000"
|
|
|
|
middlewares:
|
|
# Security headers
|
|
secure-headers:
|
|
headers:
|
|
forceSTSHeader: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
stsSeconds: 31536000
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
contentTypeNosniff: true
|
|
browserXssFilter: true
|
|
referrerPolicy: "same-origin"
|
|
|
|
# IP whitelist for internal network access only
|
|
internal-whitelist:
|
|
ipWhiteList:
|
|
sourceRange:
|
|
- "10.20.10.0/24"
|
|
- "10.20.140.0/24"
|
|
- "127.0.0.1/32"
|
|
|
|
# Crowdsec bouncer middleware
|
|
crowdsec-bouncer:
|
|
plugin:
|
|
bouncer:
|
|
enabled: true
|
|
crowdsecMode: live
|
|
crowdsecLapiKey: zQB3/JX6G+wxzYf4TvpMkmFLhSODYnfRhSkh8+y4+Zo
|
|
crowdsecLapiHost: crowdsec:8080
|
|
crowdsecLapiScheme: http
|
|
forwardedHeadersCustomName: X-Custom-Header
|
|
|
|
# GeoIP blocking - Allow only US traffic
|
|
geoblock:
|
|
plugin:
|
|
geoblock:
|
|
silentStartUp: false
|
|
allowLocalRequests: true
|
|
logLocalRequests: false
|
|
logAllowedRequests: true
|
|
logApiRequests: true
|
|
api: https://get.geojs.io/v1/ip/country/{ip}
|
|
apiTimeoutMs: 750
|
|
cacheSize: 25
|
|
forceMonthlyUpdate: true
|
|
allowUnknownCountries: false
|
|
unknownCountryApiResponse: nil
|
|
countries:
|
|
- US
|
|
|
|
# Rate limiting for Harbor - Prevent brute force attacks
|
|
harbor-ratelimit:
|
|
rateLimit:
|
|
average: 100
|
|
burst: 50
|
|
period: 1m
|