build: front back - fix Traefik config (simplified for reliability)

Author: HMarzban

scripts/traefik/dynamic/middlewares.yml

@@ -1,120 +1,55 @@
 # =============================================================================
 # Traefik Dynamic Configuration - Middleware
 # =============================================================================
-# These middlewares are applied globally or per-route via Docker labels.
-# Changes are hot-reloaded (no restart required).
-# =============================================================================
 
 http:
   middlewares:
     # -------------------------------------------------------------------------
-    # Security Headers (OWASP Recommendations)
+    # Security Headers
     # -------------------------------------------------------------------------
     security-headers:
       headers:
-        # HSTS - Force HTTPS for 1 year
         stsSeconds: 31536000
         stsIncludeSubdomains: true
         stsPreload: true
-
-        # Prevent clickjacking
         frameDeny: true
-
-        # Prevent MIME sniffing
         contentTypeNosniff: true
-
-        # XSS Protection
         browserXssFilter: true
-
-        # Referrer Policy
-        referrerPolicy: 'strict-origin-when-cross-origin'
-
-        # Content Security Policy (adjust as needed)
-        # contentSecurityPolicy: "default-src 'self'"
-
-        # Permissions Policy
-        permissionsPolicy: 'camera=(), microphone=(), geolocation=()'
-
-        # Custom headers
+        referrerPolicy: "strict-origin-when-cross-origin"
         customResponseHeaders:
-          X-Powered-By: '' # Remove server info
-          Server: ''
+          X-Powered-By: ""
+          Server: ""
 
     # -------------------------------------------------------------------------
-    # Compression (Gzip/Brotli)
+    # Compression
     # -------------------------------------------------------------------------
     compress:
       compress:
         excludedContentTypes:
           - text/event-stream
 
     # -------------------------------------------------------------------------
-    # Rate Limiting - Global (adjust for your traffic)
+    # Rate Limiting - Global
     # -------------------------------------------------------------------------
     rate-limit-global:
       rateLimit:
-        average: 100 # Requests per second
-        burst: 200 # Max burst
+        average: 100
+        burst: 200
         period: 1s
-        sourceCriterion:
-          ipStrategy:
-            depth: 1 # Use X-Forwarded-For if behind CDN
 
     # -------------------------------------------------------------------------
-    # Rate Limiting - API (stricter)
+    # Rate Limiting - API
     # -------------------------------------------------------------------------
     rate-limit-api:
       rateLimit:
-        average: 50 # 50 req/s per IP
+        average: 50
         burst: 100
         period: 1s
-        sourceCriterion:
-          ipStrategy:
-            depth: 1
-
-    # -------------------------------------------------------------------------
-    # Rate Limiting - Auth endpoints (very strict)
-    # -------------------------------------------------------------------------
-    rate-limit-auth:
-      rateLimit:
-        average: 5 # 5 req/s per IP
-        burst: 10
-        period: 1s
-        sourceCriterion:
-          ipStrategy:
-            depth: 1
 
     # -------------------------------------------------------------------------
-    # Retry (for transient failures)
+    # Retry
     # -------------------------------------------------------------------------
     retry:
       retry:
         attempts: 3
         initialInterval: 100ms
-
-    # -------------------------------------------------------------------------
-    # Circuit Breaker (prevent cascade failures)
-    # -------------------------------------------------------------------------
-    circuit-breaker:
-      circuitBreaker:
-        expression: 'NetworkErrorRatio() > 0.5 || ResponseCodeRatio(500, 600, 0, 600) > 0.5'
-
-    # -------------------------------------------------------------------------
-    # In-Flight Requests Limit (prevent overload)
-    # -------------------------------------------------------------------------
-    inflight-limit:
-      inFlightReq:
-        amount: 100 # Max concurrent requests per service
-        sourceCriterion:
-          ipStrategy:
-            depth: 1
-
-    # -------------------------------------------------------------------------
-    # Request Buffering (for large uploads)
-    # -------------------------------------------------------------------------
-    buffering:
-      buffering:
-        maxRequestBodyBytes: 52428800 # 50MB
-        memRequestBodyBytes: 2097152 # 2MB in memory
-        maxResponseBodyBytes: 0 # No limit
-        retryExpression: 'IsNetworkError() && Attempts() < 2'

scripts/traefik/traefik.yml

@@ -1,11 +1,6 @@
 # =============================================================================
 # Traefik Static Configuration - Production Ready
 # =============================================================================
-# Scale: Mid-scale (1K-50K concurrent users)
-#
-# Changes to this file require a Traefik restart.
-# Dynamic routing is handled by Docker labels + ./dynamic/
-# =============================================================================
 
 # -----------------------------------------------------------------------------
 # Global Settings
@@ -19,35 +14,27 @@ global:
 # -----------------------------------------------------------------------------
 api:
   dashboard: true
-  insecure: true # Only accessible on localhost:8080
+  insecure: true
 
 # -----------------------------------------------------------------------------
 # Logging
 # -----------------------------------------------------------------------------
 log:
-  level: WARN
+  level: INFO
   format: json
 
 accessLog:
-  filePath: /var/log/traefik/access.log
   format: json
-  bufferingSize: 100
   filters:
     statusCodes:
-      - '400-599'
-  fields:
-    headers:
-      defaultMode: drop
-      names:
-        User-Agent: keep
-        X-Forwarded-For: keep
+      - "400-599"
 
 # -----------------------------------------------------------------------------
 # Entrypoints
 # -----------------------------------------------------------------------------
 entryPoints:
   web:
-    address: ':80'
+    address: ":80"
     http:
       redirections:
         entryPoint:
@@ -56,47 +43,14 @@ entryPoints:
           permanent: true
 
   websecure:
-    address: ':443'
-    http:
-      tls:
-        certResolver: letsencrypt
-        options: modern
-      middlewares:
-        - security-headers@file
-        - compress@file
-    # Connection limits (prevent resource exhaustion)
-    transport:
-      respondingTimeouts:
-        readTimeout: 30s
-        writeTimeout: 30s
-        idleTimeout: 180s
-      lifeCycle:
-        requestAcceptGraceTimeout: 5s
-        graceTimeOut: 10s
-
-# -----------------------------------------------------------------------------
-# TLS Options (Security Hardening)
-# -----------------------------------------------------------------------------
-tls:
-  options:
-    modern:
-      minVersion: VersionTLS12
-      cipherSuites:
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-      sniStrict: true
+    address: ":443"
 
 # -----------------------------------------------------------------------------
 # Certificate Resolvers (Let's Encrypt)
 # -----------------------------------------------------------------------------
 certificatesResolvers:
   letsencrypt:
     acme:
-      # Email set via docker-compose command
       storage: /letsencrypt/acme.json
       httpChallenge:
         entryPoint: web
@@ -111,24 +65,12 @@ providers:
     network: docsplus-network
     watch: true
 
-  # File provider for shared middleware
   file:
     directory: /etc/traefik/dynamic
     watch: true
 
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-ping: {}
-# -----------------------------------------------------------------------------
-# Metrics (Prometheus) - Optional, uncomment if using
-# -----------------------------------------------------------------------------
-# metrics:
-#   prometheus:
-#     buckets:
-#       - 0.1
-#       - 0.3
-#       - 1.2
-#       - 5.0
-#     addEntryPointsLabels: true
-#     addServicesLabels: true
+ping:
+  entryPoint: web