middlewares

infrastructure/03-traefik/base/deployment.yaml

@@ -38,13 +38,13 @@ spec:
           - --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0
 
           - --entrypoints.websecure-local.address=:443/tcp
-          - --entrypoints.websecure-local.http.middlewares=traefik-default-headers
+          - --entrypoints.websecure-local.http.middlewares=no-auth-chain
           - --entrypoints.websecure-local.http.tls=true
           - --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
           - --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0
 
           - --entrypoints.websecure-front.address=:8443/tcp
-          - --entrypoints.websecure-front.http.middlewares=traefik-default-headers
+          - --entrypoints.websecure-front.http.middlewares=no-auth-chain
           - --entrypoints.websecure-front.http.tls=true
           - --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
           - --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0
@@ -59,7 +59,7 @@ spec:
           - --metrics.prometheus=true
           - --metrics.prometheus.entrypoint=metrics
           - --providers.kubernetescrd
-          # - --providers.kubernetescrd.labelSelector=local=true
+          - --providers.kubernetescrd.labelSelector=local=true
           - --providers.kubernetescrd.allowExternalNameServices=true
           
           - --accesslog=false

infrastructure/03-traefik/base/kustomization.yaml

@@ -9,6 +9,6 @@ resources:
 - deployment.yaml
 - networking
 - security
-- mid-default-headers.yaml
+- middlewares
 - namespace.yaml
 - pvc.yaml

infrastructure/03-traefik/base/mid-authentik.yaml

@@ -1,21 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: authentik-middleware
-  namespace: traefik
-spec:
-  forwardAuth:
-    address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeaders:
-            - X-authentik-username
-            - X-authentik-groups
-            - X-authentik-email
-            - X-authentik-name
-            - X-authentik-uid
-            - X-authentik-jwt
-            - X-authentik-meta-jwks
-            - X-authentik-meta-outpost
-            - X-authentik-meta-provider
-            - X-authentik-meta-app
-            - X-authentik-meta-version

infrastructure/03-traefik/base/mid-no-auth.yaml

@@ -1,37 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: no-auth
-  namespace: traefik
-
-spec:
-  mid_error:
-    errors:
-      status:
-        - "400-599"
-      service: "srv_web@docker"
-      query: "https://steffenillium.de"
-
-  mid_compress:
-    compress: {}
-
-  mid_rate_limit:
-    rateLimit:
-      average: 50
-      burst: 200
-
-  mid_auth:
-    forwardAuth:
-      address: "http://oauth:4181"
-      trustForwardHeader: true
-      authResponseHeaders:
-        - "X-Forwarded-User"
-
-  noauth:
-    chain:
-      middlewares:
-        - mid_rate_limit
-        - mid_compress
-        - crowdsec
-        # - mid_error
-

infrastructure/03-traefik/base/middlewares/authentik.yaml

@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authentik-middleware
+  namespace: traefik
+spec:
+  forwardAuth:
+    address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+        - X-authentik-username
+        - X-authentik-groups
+        - X-authentik-email
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version

infrastructure/03-traefik/base/middlewares/compress.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: compress
+  namespace: traefik
+spec:
+  compress: {}

infrastructure/03-traefik/base/middlewares/default-headers.yaml

@@ -3,7 +3,6 @@ kind: Middleware
 metadata:
   name: default-headers
   namespace: traefik
-
 spec:
   headers:
     browserXssFilter: true

infrastructure/03-traefik/base/middlewares/error.yaml

@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: error
+  namespace: traefik
+spec:
+  errors:
+    status:
+      - "400-599"
+    service: 
+      name: website
+      port: 80
+    query: "https://steffenillium.de/404.html"

infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: no-auth-chain
+  namespace: traefik
+spec:
+  chain:
+    middlewares:
+      - rate_limit
+      - compress
+      - error
+      - xfwd_exclude
+      - default-headers
+      

infrastructure/03-traefik/base/middlewares/rate-limit.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rate_limit
+  namespace: traefik
+spec:
+  rateLimit:
+    average: 50
+    burst: 200

infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml

@@ -0,0 +1,11 @@
+# Exclude from `X-Forwarded-For`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: xfwd_exclude
+spec:
+  ipWhiteList:
+    ipStrategy:
+      excludedIPs:
+        - 127.0.0.1/32
+        - 10.0.0.0/8