http:
  middlewares:

    redirect:
      redirectScheme:
        permanent: true
        scheme: https

    httpsredirect:
      redirectScheme:
        permanent: true
        scheme: https

    default-headers:
      headers:
        frameDeny: true
        #  sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 155520011
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: no-referrer

    auth:
      basicAuth:
        users:
          - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0"
          - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0"
        realm: "Traefik 2 Basic Auth"

    localNetwork:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "10.0.0.1/8"

    middlewares-https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    middlewares-basic-auth:
      basicAuth:
        users:
          - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0"
          - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0"
          # usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
        realm: "Traefik 2 Basic Auth"

    middlewares-authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.milvert.com"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"

    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50

    middlewares-compress:
      compress: {}

    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
    middlewares-buffering:
      buffering:
        maxResponseBodyBytes: 2000000
        maxRequestBodyBytes: 10485760
        memRequestBodyBytes: 2097152
        memResponseBodyBytes: 2097152
        retryExpression: "IsNetworkError() && Attempts() <= 2"


    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr.
        customFrameOptionsValue: "allow-from https://milvert.com" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        # sslForceHost: true # add sslHost to all of the services
        # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}"
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""
          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
          # X-Forwarded-Proto: "https"