# Dynamic Middleware Configuration
#
# Reusable HTTP middlewares (security response headers, compression, three
# rate-limit tiers) and two chains that bundle them. The keys match Traefik's
# dynamic-configuration middleware schema. Nothing here authenticates or
# authorizes requests; the only access restriction (admin-whitelist) is
# commented out.
http:
  middlewares:
    # Security headers for all services
    security-headers-global:
      headers:
        # NOTE(review): customFrameOptionsValue below overrides frameDeny in
        # Traefik, so the header sent is "X-Frame-Options: SAMEORIGIN", not
        # DENY. Keep only the option that reflects the intended policy.
        frameDeny: true
        contentTypeNosniff: true
        # Emits the legacy X-XSS-Protection header. Current browsers have
        # dropped the XSS auditor, so the CSP is the effective control.
        browserXssFilter: true
        # HSTS: 31536000 s = 365 days, applied to all subdomains, with the
        # preload flag. Preloading is hard to undo; confirm every subdomain
        # serves HTTPS before submitting the domain to a preload list.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        # Adds the HSTS header on plain-HTTP responses too. Browsers ignore
        # HSTS received over HTTP, so still redirect HTTP to HTTPS.
        forceSTSHeader: true
        customFrameOptionsValue: "SAMEORIGIN"
        # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow
        # inline scripts and eval(), which removes most of the protection a
        # CSP gives against injected script. Prefer nonces or hashes, and
        # override per service where an application really needs them.
        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
        referrerPolicy: "strict-origin-when-cross-origin"
        # Empty allow-lists: geolocation, microphone and camera are disabled
        # for the page and for any embedded frames.
        permissionsPolicy: "geolocation=(), microphone=(), camera=()"

    # Compression for better performance
    gzip-compression:
      compress:
        # text/event-stream responses are left uncompressed (presumably so
        # server-sent events are delivered as they are produced).
        excludedContentTypes:
          - text/event-stream

    # Rate limiting - strict
    # average/period gives the sustained rate (50 requests per second here);
    # burst is how many requests may pass at once.
    # NOTE(review): no sourceCriterion is set on any tier, so Traefik groups
    # requests by the connection's remote address. Behind a load balancer or
    # CDN all clients may share one bucket; set sourceCriterion.ipStrategy to
    # match the deployment.
    rate-limit-strict:
      rateLimit:
        average: 50
        burst: 25
        period: 1s

    # Rate limiting - moderate
    # Not referenced by a chain in this file.
    rate-limit-moderate:
      rateLimit:
        average: 100
        burst: 50
        period: 1s

    # Rate limiting - lenient
    # Not referenced by a chain in this file.
    rate-limit-lenient:
      rateLimit:
        average: 200
        burst: 100
        period: 1s

    # IP whitelist for admin services (example)
    # Uncomment and adjust for production
    # NOTE(review): newer Traefik releases name this middleware ipAllowList;
    # check the deployed version before enabling. 10.0.0.0/8 is a very broad
    # range; narrow it to the actual admin networks. Behind another proxy the
    # matched address is the proxy's unless an ipStrategy is configured.
    # admin-whitelist:
    #   ipWhiteList:
    #     sourceRange:
    #       - "127.0.0.1/32"
    #       - "10.0.0.0/8"

    # Chain multiple middlewares
    # Members run in the order listed.
    default-chain:
      chain:
        middlewares:
          - security-headers-global
          - gzip-compression

    # NOTE(review): with admin-whitelist commented out, this chain adds only
    # headers, compression and a rate limit. It does not restrict who can
    # reach admin services, so they need authentication or a network
    # restriction elsewhere. If the allow-list is enabled, define the
    # middleware above as well, and consider listing it first so rejected
    # clients are dropped before any other processing.
    admin-chain:
      chain:
        middlewares:
          - security-headers-global
          - gzip-compression
          - rate-limit-strict
          # - admin-whitelist # Uncomment for IP whitelisting