fileConfig.yml Example

Now if we were to put everything together into our dynamic Traefik config file, it would look something like the below. Use your favourite method for adding/editing the file and paste in the below. In our example we will use the simple command line file editor nano. Anywhere you see YOURDOMAIN.COM, make sure to change that out for your own domain.

nano /mnt/user/appdata/traefik/fileConfig.yml

fileConfig.yml

http:

  ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
  routers:
    # Homeassistant routing - Remove if not used
    homeassistant:
      entryPoints:
        - https
      rule: 'Host(`homeassistant.domain.com`)'
      service: homeassistant
      middlewares:
        - "auth"  
  ## SERVICES ##
  services:
    # Homeassistant service - Remove if not used
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.60.5:8123/

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet
  
    # Authelia guard
    auth:
      forwardauth:
        address: http://auth:9091/api/verify?rd=https://auth.domain.com/ # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
  
    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://auth:9091/api/verify?auth=basic # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
 
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6              
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Previoustraefik.yml Example NextProxying Your First App

Last updated 2 years ago

Was this helpful?

http: ## EXTERNAL ROUTING - Only use if you want to proxy something manually ## routers: # Homeassistant routing - Remove if not used homeassistant: entryPoints: - https rule: 'Host(`homeassistant.domain.com`)' service: homeassistant middlewares: - "auth" ## SERVICES ## services: # Homeassistant service - Remove if not used homeassistant: loadBalancer: servers: - url: http://192.168.60.5:8123/ ## MIDDLEWARES ## middlewares: # Only Allow Local networks local-ipwhitelist: ipWhiteList: sourceRange: - 127.0.0.1/32 # localhost - 192.168.1.1/24 # LAN Subnet # Authelia guard auth: forwardauth: address: http://auth:9091/api/verify?rd=https://auth.domain.com/ # replace auth with your authelia container name trustForwardHeader: true authResponseHeaders: - Remote-User - Remote-Groups - Remote-Name - Remote-Email # Authelia basic auth guard auth-basic: forwardauth: address: http://auth:9091/api/verify?auth=basic # replace auth with your authelia container name trustForwardHeader: true authResponseHeaders: - Remote-User - Remote-Groups - Remote-Name - Remote-Email # Security headers securityHeaders: headers: customResponseHeaders: X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" X-Forwarded-Proto: "https" server: "" customRequestHeaders: X-Forwarded-Proto: "https" sslProxyHeaders: X-Forwarded-Proto: "https" referrerPolicy: "same-origin" hostsProxyHeaders: - "X-Forwarded-Host" contentTypeNosniff: true browserXssFilter: true forceSTSHeader: true stsIncludeSubdomains: true stsSeconds: 63072000 stsPreload: true # Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6 tls: options: default: minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305