michaelschiemer/deployment/stacks/traefik/dynamic/middlewares.yml

# Dynamic Middleware Configuration

http:
  middlewares:
    # Security headers for all services
    security-headers-global:
      headers:
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "SAMEORIGIN"
        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "geolocation=(), microphone=(), camera=()"

    # Compression for better performance
    gzip-compression:
      compress:
        excludedContentTypes:
          - text/event-stream

    # Rate limiting - strict
    rate-limit-strict:
      rateLimit:
        average: 50
        burst: 25
        period: 1s

    # Rate limiting - moderate
    rate-limit-moderate:
      rateLimit:
        average: 100
        burst: 50
        period: 1s

    # Rate limiting - lenient
    rate-limit-lenient:
      rateLimit:
        average: 200
        burst: 100
        period: 1s

    # IP whitelist for admin services (example)
    # Uncomment and adjust for production
    # admin-whitelist:
    #   ipWhiteList:
    #     sourceRange:
    #       - "127.0.0.1/32"
    #       - "10.0.0.0/8"
    
    # VPN-only IP allowlist for Grafana and other monitoring services
    # Restrict access strictly to the WireGuard network
    # Note: ipAllowList checks the real client IP from the connection
    # When connected via VPN, client IP should be from 10.8.0.0/24
    # If client IP shows public IP (e.g., 89.246.96.244), check:
    # 1. VPN connection is active and traffic is routed through VPN
    # 2. DNS uses 10.8.0.1 (VPN DNS server) to resolve grafana.michaelschiemer.de
    # 3. Browser/system routing sends traffic through VPN interface
    grafana-vpn-only:
      ipAllowList:
        sourceRange:
          - "10.8.0.0/24"      # WireGuard VPN network (10.8.0.1 = server, 10.8.0.x = clients)

    # VPN-only IP allowlist for general use (Traefik Dashboard, etc.)
    # Restrict access strictly to the WireGuard network
    vpn-only:
      ipAllowList:
        sourceRange:
          - "10.8.0.0/24"      # WireGuard VPN network

    # Chain multiple middlewares
    default-chain:
      chain:
        middlewares:
          - security-headers-global
          - gzip-compression

    admin-chain:
      chain:
        middlewares:
          - security-headers-global
          - gzip-compression
          - rate-limit-strict
          # - admin-whitelist  # Uncomment for IP whitelisting