
Commit 324cd5e

build: front back - fix Traefik config (simplified for reliability)
1 parent c09f384 commit 324cd5e


2 files changed

+18
-141
lines changed

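--- a/[PATH-NOT-SHOWN-ON-PAGE]
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -1,120 +1,55 @@
 # =============================================================================
 # Traefik Dynamic Configuration - Middleware
 # =============================================================================
-# These middlewares are applied globally or per-route via Docker labels.
-# Changes are hot-reloaded (no restart required).
-# =============================================================================
 
 http:
 middlewares:
 # -------------------------------------------------------------------------
-# Security Headers (OWASP Recommendations)
+# Security Headers
 # -------------------------------------------------------------------------
 security-headers:
 headers:
-# HSTS - Force HTTPS for 1 year
 stsSeconds: 31536000
 stsIncludeSubdomains: true
 stsPreload: true
-
-# Prevent clickjacking
 frameDeny: true
-
-# Prevent MIME sniffing
 contentTypeNosniff: true
-
-# XSS Protection
 browserXssFilter: true
-
-# Referrer Policy
-referrerPolicy: 'strict-origin-when-cross-origin'
-
-# Content Security Policy (adjust as needed)
-# contentSecurityPolicy: "default-src 'self'"
-
-# Permissions Policy
-permissionsPolicy: 'camera=(), microphone=(), geolocation=()'
-
-# Custom headers
+referrerPolicy: "strict-origin-when-cross-origin"
 customResponseHeaders:
-X-Powered-By: '' # Remove server info
-Server: ''
+X-Powered-By: ""
+Server: ""
 
 # -------------------------------------------------------------------------
-# Compression (Gzip/Brotli)
+# Compression
 # -------------------------------------------------------------------------
 compress:
 compress:
 excludedContentTypes:
 - text/event-stream
 
 # -------------------------------------------------------------------------
-# Rate Limiting - Global (adjust for your traffic)
+# Rate Limiting - Global
 # -------------------------------------------------------------------------
 rate-limit-global:
 rateLimit:
-average: 100 # Requests per second
-burst: 200 # Max burst
+average: 100
+burst: 200
 period: 1s
-sourceCriterion:
-ipStrategy:
-depth: 1 # Use X-Forwarded-For if behind CDN
 
 # -------------------------------------------------------------------------
-# Rate Limiting - API (stricter)
+# Rate Limiting - API
 # -------------------------------------------------------------------------
 rate-limit-api:
 rateLimit:
-average: 50 # 50 req/s per IP
+average: 50
 burst: 100
 period: 1s
-sourceCriterion:
-ipStrategy:
-depth: 1
-
-# -------------------------------------------------------------------------
-# Rate Limiting - Auth endpoints (very strict)
-# -------------------------------------------------------------------------
-rate-limit-auth:
-rateLimit:
-average: 5 # 5 req/s per IP
-burst: 10
-period: 1s
-sourceCriterion:
-ipStrategy:
-depth: 1
 
 # -------------------------------------------------------------------------
-# Retry (for transient failures)
+# Retry
 # -------------------------------------------------------------------------
 retry:
 retry:
 attempts: 3
 initialInterval: 100ms
-
-# -------------------------------------------------------------------------
-# Circuit Breaker (prevent cascade failures)
-# -------------------------------------------------------------------------
-circuit-breaker:
-circuitBreaker:
-expression: 'NetworkErrorRatio() > 0.5 || ResponseCodeRatio(500, 600, 0, 600) > 0.5'
-
-# -------------------------------------------------------------------------
-# In-Flight Requests Limit (prevent overload)
-# -------------------------------------------------------------------------
-inflight-limit:
-inFlightReq:
-amount: 100 # Max concurrent requests per service
-sourceCriterion:
-ipStrategy:
-depth: 1
-
-# -------------------------------------------------------------------------
-# Request Buffering (for large uploads)
-# -------------------------------------------------------------------------
-buffering:
-buffering:
-maxRequestBodyBytes: 52428800 # 50MB
-memRequestBodyBytes: 2097152 # 2MB in memory
-maxResponseBodyBytes: 0 # No limit
-retryExpression: 'IsNetworkError() && Attempts() < 2'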
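Review bot: Dropping `sourceCriterion.ipStrategy.depth: 1` from `rate-limit-global` and `rate-limit-api` (old lines 59-61 and 71-73) changes what the limiter keys on rather than merely simplifying it: with no sourceCriterion, Traefik's documented default is to bucket by the connection's remote address, so if this runs behind the CDN the removed comment mentions, every client shares the proxy's address and the per-client limit is effectively gone. If that deployment shape still applies, restore `sourceCriterion:` / `ipStrategy:` / `depth: 1` under each `rateLimit:` (a depth of 1 is only trustworthy when the entrypoint also restricts `forwardedHeaders.trustedIPs`, which this diff does not show). The `rate-limit-auth`, `circuit-breaker`, `inflight-limit` and `buffering` middlewares are removed outright, so any Docker label still referencing e.g. `rate-limit-auth@file` or `buffering@file` will no longer resolve, and nothing here caps request bodies any more since `maxRequestBodyBytes` went with the buffering block. A short note in the header comment stating whether these were moved to router labels or intentionally dropped would spare the next reader the same question.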

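--- a/scripts/traefik/traefik.yml
+++ b/scripts/traefik/traefik.yml
@@ -1,11 +1,6 @@
 # =============================================================================
 # Traefik Static Configuration - Production Ready
 # =============================================================================
-# Scale: Mid-scale (1K-50K concurrent users)
-#
-# Changes to this file require a Traefik restart.
-# Dynamic routing is handled by Docker labels + ./dynamic/
-# =============================================================================
 
 # -----------------------------------------------------------------------------
 # Global Settings
@@ -19,35 +14,27 @@ global:
 # -----------------------------------------------------------------------------
 api:
 dashboard: true
-insecure: true # Only accessible on localhost:8080
+insecure: true
 
 # -----------------------------------------------------------------------------
 # Logging
 # -----------------------------------------------------------------------------
 log:
-level: WARN
+level: INFO
 format: json
 
 accessLog:
-filePath: /var/log/traefik/access.log
 format: json
-bufferingSize: 100
 filters:
 statusCodes:
-- '400-599'
-fields:
-headers:
-defaultMode: drop
-names:
-User-Agent: keep
-X-Forwarded-For: keep
+- "400-599"
 
 # -----------------------------------------------------------------------------
 # Entrypoints
 # -----------------------------------------------------------------------------
 entryPoints:
 web:
-address: ':80'
+address: ":80"
 http:
 redirections:
 entryPoint:
@@ -56,47 +43,14 @@ entryPoints:
 permanent: true
 
 websecure:
-address: ':443'
-http:
-tls:
-certResolver: letsencrypt
-options: modern
-middlewares:
-- security-headers@file
-- compress@file
-# Connection limits (prevent resource exhaustion)
-transport:
-respondingTimeouts:
-readTimeout: 30s
-writeTimeout: 30s
-idleTimeout: 180s
-lifeCycle:
-requestAcceptGraceTimeout: 5s
-graceTimeOut: 10s
-
-# -----------------------------------------------------------------------------
-# TLS Options (Security Hardening)
-# -----------------------------------------------------------------------------
-tls:
-options:
-modern:
-minVersion: VersionTLS12
-cipherSuites:
-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-sniStrict: true
+address: ":443"
 
 # -----------------------------------------------------------------------------
 # Certificate Resolvers (Let's Encrypt)
 # -----------------------------------------------------------------------------
 certificatesResolvers:
 letsencrypt:
 acme:
-# Email set via docker-compose command
 storage: /letsencrypt/acme.json
 httpChallenge:
 entryPoint: web
@@ -111,24 +65,12 @@ providers:
 network: docsplus-network
 watch: true
 
-# File provider for shared middleware
 file:
 directory: /etc/traefik/dynamic
 watch: true
 
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-ping: {}
-# -----------------------------------------------------------------------------
-# Metrics (Prometheus) - Optional, uncomment if using
-# -----------------------------------------------------------------------------
-# metrics:
-# prometheus:
-# buckets:
-# - 0.1
-# - 0.3
-# - 1.2
-# - 5.0
-# addEntryPointsLabels: true
-# addServicesLabels: true
+ping:
+entryPoint: web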
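Review bot: `websecure` now consists only of `address: ":443"` (new line 46, third hunk); with the `http.tls.certResolver: letsencrypt` / `options: modern` block and the whole `tls.options.modern` section removed, nothing left in this file enables TLS on port 443. Unless every router label also sets `tls=true` and a certresolver — which this diff cannot show — the `web` → `websecure` redirection kept in the second hunk sends browsers to an entrypoint that speaks plain HTTP and the `letsencrypt` resolver kept at new lines 51-56 is never exercised; restoring `http:` / `tls:` / `certResolver: letsencrypt` under `websecure:` keeps the entrypoint-level default. Removing `minVersion`, the `cipherSuites` list and `sniStrict: true` also returns those settings to Traefik's defaults, which deserves a sentence in the header comment rather than arriving as a side effect of a reliability fix. Separately, `ping.entryPoint: web` (new lines 75-76) moves the `/ping` endpoint onto the public :80 entrypoint, whereas `ping: {}` served it on Traefik's default internal entrypoint, and the dropped `# Only accessible on localhost:8080` comment was the only note explaining why `api.insecure: true` is acceptable; consider keeping that comment.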
