vrr/middleware-manager
2
0
Fork 0
mirror of https://github.com/hhftechnology/middleware-manager.git synced 2026-04-28 03:29:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
middleware-manager/config/templates.yaml
hhftechnologies d194ccd2da remove-IPWhiteList-deprecated
2026-01-21 19:27:23 +05:30

347 lines
No EOL
8.5 KiB
YAML
Raw Blame History

# Default middleware templates
middlewares:
# Authentication middlewares
- id: authelia
name: Authelia
type: forwardAuth
config:
address: "http://authelia:9091/api/authz/forward-auth"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Name"
- "Remote-Email"
- id: authentik
name: Authentik
type: forwardAuth
config:
address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- "X-authentik-username"
- "X-authentik-groups"
- "X-authentik-email"
- "X-authentik-name"
- "X-authentik-uid"
- id: tinyauth
name: Tiny Auth
type: forwardAuth
config:
address: "http://tinyauth:10000/api/auth/traefik"
- id: basic-auth
name: Basic Auth
type: basicAuth
config:
users:
- "admin:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- id: digest-auth
name: Digest Auth
type: digestAuth
config:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- id: jwt-auth
name: JWT Authentication
type: forwardAuth
config:
address: "http://jwt-auth:8080/verify"
trustForwardHeader: true
authResponseHeaders:
- "X-JWT-Sub"
- "X-JWT-Name"
- "X-JWT-Email"
# Security middlewares
- id: ip-allowlist
name: IP Allow List
type: ipAllowList
config:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.0/24"
- "10.0.0.0/8"
- id: rate-limit
name: Rate Limit
type: rateLimit
config:
average: 100
burst: 50
- id: headers-standard
name: Standard Security Headers
type: headers
config:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
browserXssFilter: true
contentTypeNosniff: true
customFrameOptionsValue: "SAMEORIGIN"
customResponseHeaders:
X-Forwarded-Proto: "https"
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
Server: "" # Empty string to remove Server header
X-Powered-By: "" # Empty string to remove X-Powered-By header
forceSTSHeader: true
hostsProxyHeaders:
- X-Forwarded-Host
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
referrerPolicy: "same-origin"
sslProxyHeaders:
X-Forwarded-Proto: "https"
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 63072000
- id: in-flight-req
name: In-Flight Request Limiter
type: inFlightReq
config:
amount: 10
sourceCriterion:
ipStrategy:
depth: 2
excludedIPs:
- "127.0.0.1/32"
requestHost: true # Added this option shown in the examples
- id: pass-tls-cert
name: Pass TLS Client Certificate
type: passTLSClientCert
config:
pem: true
# Path manipulation middlewares
- id: add-prefix
name: Add Prefix
type: addPrefix
config:
prefix: "/api"
- id: strip-prefix
name: Strip Prefix
type: stripPrefix
config:
prefixes:
- "/api"
- "/v1"
forceSlash: true
- id: replace-path
name: Replace Path
type: replacePath
config:
path: "/foo"
- id: replace-path-regex
name: Replace Path Regex
type: replacePathRegex
config:
regex: "^/foo/(.*)"
replacement: "/bar/$1"
# Redirect middlewares
- id: redirect-regex
name: Redirect Regex
type: redirectRegex
config:
regex: "^http://(.*)$"
replacement: "https://${1}"
permanent: true
- id: redirect-scheme
name: Redirect to HTTPS
type: redirectScheme
config:
scheme: "https"
port: "443"
permanent: true
# Content processing middlewares
- id: compress
name: Compress Response
type: compress
config:
excludedContentTypes:
- text/event-stream
includedContentTypes:
- text/html
- text/plain
- application/json
minResponseBodyBytes: 1024
encodings:
- gzip
- br
- id: buffering
name: Request/Response Buffering
type: buffering
config:
maxRequestBodyBytes: 5000000
memRequestBodyBytes: 2000000
maxResponseBodyBytes: 5000000
memResponseBodyBytes: 2000000
retryExpression: "IsNetworkError() && Attempts() < 2"
- id: content-type
name: Content Type Auto-Detector
type: contentType
config: {}
# Error handling and reliability middlewares
- id: circuit-breaker
name: Circuit Breaker
type: circuitBreaker
config:
expression: "NetworkErrorRatio() > 0.20 || ResponseCodeRatio(500, 600, 0, 600) > 0.25"
checkPeriod: "10s"
fallbackDuration: "30s"
recoveryDuration: "60s"
responseCode: 503
- id: retry
name: Retry Failed Requests
type: retry
config:
attempts: 3
initialInterval: "100ms"
- id: error-pages
name: Custom Error Pages
type: errors
config:
status:
- "500-599"
service: "error-handler-service"
query: "/{status}.html"
- id: grpc-web
name: gRPC Web
type: grpcWeb
config:
allowOrigins:
- "*"
# Special use case middlewares
- id: nextcloud-dav
name: Nextcloud WebDAV Redirect
type: replacePathRegex
config:
regex: "^/.well-known/ca(l|rd)dav"
replacement: "/remote.php/dav/"
# Custom headers example with properly quoted values
- id: custom-headers-example
name: Custom Headers Example
type: headers
config:
customRequestHeaders:
X-Script-Name: "test"
X-Custom-Value: "value with spaces"
X-Custom-Request-Header: "" # Empty string to remove header
customResponseHeaders:
X-Custom-Response-Header: "value"
Server: "" # Empty string to remove Server header
# Plugin middleware templates
- id: "geoblock"
name: "Geoblock"
type: "plugin"
config:
geoblock:
silentStartUp: false
allowLocalRequests: false
logLocalRequests: false
logAllowedRequests: false
logApiRequests: false
api: "https://get.geojs.io/v1/ip/country/{ip}"
apiTimeoutMs: 750
cacheSize: 15
forceMonthlyUpdate: false
allowUnknownCountries: false
unknownCountryApiResponse: "nil"
blackListMode: false
addCountryHeader: false
countries:
- DE
- id: "crowdsec"
name: "Crowdsec"
type: "plugin"
config:
crowdsec:
enabled: true
logLevel: INFO
updateIntervalSeconds: 15
updateMaxFailure: 0
defaultDecisionSeconds: 15
httpTimeoutSeconds: 10
crowdsecMode: live
crowdsecAppsecEnabled: true
crowdsecAppsecHost: "crowdsec:7422"
crowdsecAppsecFailureBlock: true
crowdsecAppsecUnreachableBlock: true
crowdsecAppsecBodyLimit: 10485760 # Using plain number to avoid scientific notation
crowdsecLapiKey: "ENwhi7t7wEaFIn3aZTRbXNdowNDs6Ogr9tK/pzAtNz8" # API key with special chars preserved exactly
crowdsecLapiHost: "crowdsec:8080"
crowdsecLapiScheme: "http"
forwardedHeadersTrustedIPs:
- "0.0.0.0/0"
clientTrustedIPs:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- "100.89.137.0/20"
# MCP middlewares
- id: mcp-auth
name: MCP Auth (Forward Authentication)
type: forwardAuth
config:
address: "http://mcpauth:11000/auth"
authResponseHeaders:
- "X-Forwarded-User"
- id: mcp-cors-headers
name: MCP CORS Headers
type: headers
config:
accessControlAllowCredentials: true
accessControlAllowHeaders:
- "Authorization"
- "Content-Type"
- "mcp-protocol-version"
accessControlAllowMethods:
- "GET"
- "POST"
- "OPTIONS"
accessControlAllowOriginList:
- "*"
accessControlMaxAge: 86400
addVaryHeader: true
- id: mcp-redirect-regex
name: MCP Redirect Regex
type: redirectRegex
config:
permanent: true
regex: "^https://([a-z0-9-]+)\\.(.+)/\\.well-known/(oauth-authorization-server|openid-configuration)(.*)?"
replacement: "https://oauth.${2}/.well-known/${3}${4}"
- id: mcp-security-chain
name: MCP Security Chain
type: chain
config:
middlewares:
- "mcp-cors-headers@file"
- "mcp-redirect-regex@file"
- "mcp-auth@file"
Reference in a new issue View git blame Copy permalink