# Port 80 exists only to bounce every request to the TLS entry point;
# the redirection is attached to the entry point, so no router is served
# in clear text.
[entryPoints.web]
address = ":80"

[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"

# All real traffic terminates here. Middlewares run in list order; the
# "limit@file" buffering middleware is left out for hosts in docker_tuleap.
[entryPoints.websecure]
address = ":443"

[entryPoints.websecure.http]
middlewares = ["security-headers@file"{% if inventory_hostname not in groups.docker_tuleap %}, "limit@file"{% endif %}, "compression@file"]

# "default" is [tls.options.default] in this file; "le" is the ACME
# resolver declared under certificatesResolvers.
[entryPoints.websecure.http.tls]
options = "default"
certResolver = "le"

# The Docker API is reached over plain HTTP on a TCP endpoint (presumably a
# socket proxy, given the host name) rather than the raw socket file. There
# is no authentication on that path, so the endpoint must only be reachable
# on the shared internal network and the proxy should expose as few API
# paths as possible (read-only container/event listing is all Traefik needs).
[providers.docker]
endpoint = "http://dockersocket:2375"
# Containers must opt in with traefik.enable=true; nothing is published by
# accident when a service forgets its labels.
exposedByDefault = false
network = "inverseproxy_shared"

# Dynamic configuration (the middlewares and TLS options in this file) is
# loaded from the directory below.
[providers.file]
directory = "/etc/traefik"

# Traefik's own log. INFO is enough to see startup problems such as a
# rejected TLS option or certificate resolver without DEBUG noise.
[log]
level = "INFO"

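# TOML keys are case-sensitive. The original mixed "accesslog" and
# "accessLog", which a strict parser reads as two unrelated tables; Traefik
# is lenient about key case, but one spelling throughout removes the
# ambiguity.
[accessLog]
filePath = "/var/log/traefik/access.log"

[accessLog.fields]
defaultMode = "keep"

# "keep" writes every request header to the log, Authorization and Cookie
# included. If the log leaves the host, name those under
# [accessLog.fields.headers.names] with "drop" or "redact".
[accessLog.fields.headers]
defaultMode = "keep"

[accessLog.fields.names]
StartUTC = "drop"

# Only client-error responses are logged. statusCodes is a list of codes or
# ranges, so it is written as an array rather than a bare string.
[accessLog.filters]
statusCodes = ["400-499"]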

# Let's Encrypt account and certificate store. acme.json contains the
# account and certificate private keys; Traefik checks its permissions and
# rejects a file that is readable by others, so keep it mode 0600.
[certificatesResolvers.le.acme]
email = "{{ default_maintenance_email }}"
storage = "/etc/traefik/acme/acme.json"

# TLS-ALPN-01: validation arrives on port 443 of the websecure entry point,
# so no HTTP challenge path and no DNS API credentials are needed. Port 443
# must be reachable from the Internet for issuance and renewal.
[certificatesResolvers.le.acme.tlsChallenge]

# Response-header hardening, attached to every websecure request through the
# entry point middleware list.
[http.middlewares.security-headers.headers]
# X-XSS-Protection is a legacy header that current browsers ignore; it is
# harmless here but provides no protection on its own (CSP does).
browserXssFilter = true
contentTypeNosniff = true
referrerPolicy = "same-origin"
# Send the HSTS header even when Traefik would not consider the connection
# secure on its own.
forceSTSHeader = true
{% if not cloud_onlyoffice and not allow_iframe %}
# customFrameOptionsValue overrides frameDeny in Traefik, so the effective
# header is X-Frame-Options: SAMEORIGIN, not DENY.
frameDeny = true
customFrameOptionsValue = "SAMEORIGIN"
{% endif %}
stsIncludeSubdomains = true
# NOTE(review): the HSTS preload list requires max-age of at least 31536000
# (one year); 15552000 is 180 days, so a preload submission would be
# refused even though the preload directive is sent. Confirm the intent.
stsPreload = true
stsSeconds = 15552000

# An empty value deletes the header, hiding the upstream server banner.
[http.middlewares.security-headers.headers.customResponseHeaders]
server = ""

[http.middlewares.compression.compress]

# Buffers the request and retries the backend on network errors, at most
# five attempts. Not applied to docker_tuleap hosts (see the entry point list).
[http.middlewares.limit.buffering]
retryExpression = "IsNetworkError() && Attempts() < 5"

# htpasswd-style credential list, rendered at deploy time. apr_md5_crypt is
# the weakest scheme Traefik's basicAuth accepts; bcrypt is also supported if
# the hash is regenerated.
[http.middlewares.auth.basicAuth]
users = ["{{ host_user }}:{{ srv_proxy_pass | password_hash('apr_md5_crypt', 65534 | random(seed=inventory_hostname) | string) }}"]

[http.middlewares.smtp-stripprefix.stripprefix]
prefixes = ["/smtp"]

# Opt a router out of search indexing; attach alongside security-headers.
[http.middlewares.norobot-headers.headers.customResponseHeaders]
X-Robots-Tag = "noindex, nofollow"

# Referenced as options = "default" by the websecure entry point.
[tls.options.default]
minVersion = "VersionTLS12"
# Refuse handshakes whose SNI matches no held certificate (and handshakes
# with no SNI at all) instead of answering with a default certificate.
sniStrict = true
# Forward-secret AEAD suites only for TLS 1.2; order is preserved because
# older Go versions honour server preference. The TLS_AES_* / TLS_CHACHA20_*
# entries are TLS 1.3 suites, which Go's crypto/tls does not allow to be
# configured, so they are effectively documentation.
# NOTE(review): TLS_FALLBACK_SCSV is a signalling value (RFC 7507), not a
# cipher suite. Whether the running Traefik version accepts that name is not
# visible from here; if it is rejected, the whole options block may be
# discarded and logged as an error. Confirm against the startup log.
cipherSuites = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_FALLBACK_SCSV", # Client is doing version fallback. See RFC 7507.
]