# Recommended Traefik Middlewares for RDP Web Gateway
# Apply these in your Traefik namespace or the same namespace as web-gateway
---
# Redirect HTTP to HTTPS
# Attach this to the router on the plain-HTTP entry point so the gateway is
# never served over HTTP. The first plain-HTTP request still leaves the
# browser before the redirect arrives; the HSTS settings in the
# security-headers middleware cover returning browsers.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
spec:
  redirectScheme:
    # Permanent rather than temporary redirect; browsers cache it.
    permanent: true
    scheme: https
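---
# Security Headers
# Response-header hardening for the web gateway.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
spec:
  headers:
    # Emits X-XSS-Protection. Current browsers no longer act on it, so treat
    # it as legacy and do not count it as an XSS control.
    browserXssFilter: true
    contentTypeNosniff: true
    # HSTS for one year. forceSTSHeader sends the header even when Traefik
    # sees the connection as plain HTTP (e.g. TLS terminated upstream).
    forceSTSHeader: true
    stsSeconds: 31536000
    # includeSubdomains + preload commit every host under the domain to
    # HTTPS and are slow to undo; confirm all subdomains serve valid TLS.
    stsIncludeSubdomains: true
    stsPreload: true
    # customFrameOptionsValue takes precedence over frameDeny, so the header
    # sent was always SAMEORIGIN; the contradictory frameDeny: true has been
    # dropped. If the gateway is never framed by its own origin, replace this
    # key with frameDeny: true.
    customFrameOptionsValue: 'SAMEORIGIN'
    # The former customResponseHeaders block has been removed:
    #   - X-Forwarded-Proto is a request header; as a response header it has
    #     no effect on the backend.
    #   - Traefik proxies WebSocket upgrades without extra configuration, and
    #     "$http_upgrade" is an nginx variable that Traefik does not expand,
    #     so every response carried a literal "Upgrade: $http_upgrade" and
    #     "Connection: upgrade".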
---
# Rate Limiting (adjust as needed)
# Allows an average of 100 requests per 1s period per source, with bursts of
# up to 50. For a gateway whose main sensitive endpoint is a login, a much
# lower limit on the authentication route is worth considering.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    period: 1s
    average: 100
    burst: 50
    # No sourceCriterion is set, so requests are grouped by the connection's
    # remote address. Behind a proxy or load balancer that address is the
    # proxy, and all clients then share one bucket; in that case add
    # sourceCriterion.ipStrategy with the same depth as the ip-whitelist
    # middleware.
---
# IP Whitelist (optional - restrict to specific IPs/ranges)
# Newer Traefik releases name this middleware ipAllowList; check the version
# you deploy before applying.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ip-whitelist
spec:
  ipWhiteList:
    # Example ranges only; replace with the networks that should reach the
    # gateway. 10.0.0.0/8 is very broad and often overlaps cluster pod and
    # service CIDRs, which would admit any workload in the cluster.
    sourceRange:
      - '192.168.1.0/24'
      - '10.0.0.0/8'
    # For use behind a proxy/load balancer
    # depth selects the client address from X-Forwarded-For, counting from
    # the right. It must equal the number of trusted proxies in front of
    # Traefik; a wrong depth evaluates an address chosen by another hop or by
    # the client. Remove ipStrategy when Traefik is reached directly.
    ipStrategy:
      depth: 1
---
# Compression
# Enables response compression with Traefik's default settings.
# NOTE(review): compressing HTTPS responses that mix secrets (session or CSRF
# tokens) with request-reflected data is exposed to BREACH-style length side
# channels; confirm the gateway's pages do not do this, or leave this
# middleware off the authenticated routes.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: compression
spec:
  compress: {}