From 41058a9f4dae85635f7945b54cd1469d30f7c5cd Mon Sep 17 00:00:00 2001
From: Jonathan Agmon
Date: Sat, 25 Oct 2025 10:15:02 +0000
Subject: [PATCH] Fixes for Traefik
---
 frontend/traefik/.env.example | 2 +-
 frontend/traefik/compose.yml | 21 +++++++++++++--------
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/frontend/traefik/.env.example b/frontend/traefik/.env.example
index 3f125aa..1006a49 100644
--- a/frontend/traefik/.env.example
+++ b/frontend/traefik/.env.example
@@ -1,6 +1,6 @@
 DOMAIN_NAME=
 SUBDOMAIN=
-TRAEFIK_USER=
+# TRAEFIK_USER=
 SSL_EMAIL_FILE=/run/secrets/CF_API_EMAIL
 CF_API_EMAIL_FILE=/run/secrets/CF_API_EMAIL
 CF_API_KEY_FILE=/run/secrets/CF_API_KEY
diff --git a/frontend/traefik/compose.yml b/frontend/traefik/compose.yml
index c76a11d..a4f21d5 100644
--- a/frontend/traefik/compose.yml
+++ b/frontend/traefik/compose.yml
@@ -31,19 +31,24 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.traefik_dashboard.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
- # - traefik.http.routers.traefik_dashboard.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)
 - traefik.http.routers.traefik_dashboard.entrypoints=websecure
 - traefik.http.routers.traefik_dashboard.service=api@internal
 - traefik.http.routers.traefik_dashboard.tls=true
- - traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER}
- - traefik.http.routers.traefik_dashboard.middlewares=myauth@docker
- # - traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker
+ # - traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER}
+ # - traefik.http.routers.traefik_dashboard.middlewares=myauth@docker
+ - traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker
 - traefik.http.routers.traefik_dashboard.tls.certresolver=cloudflare
- # - traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAIN_NAME}
- # - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAIN_NAME}
- # - traefik.http.middlewares.myauth.redirectscheme.scheme=https
 - traefik.http.services.traefik_dashboard.loadbalancer.server.port=80
 # - "traefik.http.middlewares.cloudflare-ips.ipallowlist.sourcerange=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
+ - traefik.http.middlewares.traefik_dashboard.headers.SSLRedirect=true
+ - traefik.http.middlewares.traefik_dashboard.headers.STSSeconds=315360000
+ - traefik.http.middlewares.traefik_dashboard.headers.browserXSSFilter=true
+ - traefik.http.middlewares.traefik_dashboard.headers.contentTypeNosniff=true
+ - traefik.http.middlewares.traefik_dashboard.headers.forceSTSHeader=true
+ - traefik.http.middlewares.traefik_dashboard.headers.SSLHost=${DOMAIN_NAME}
+ - traefik.http.middlewares.traefik_dashboard.headers.STSIncludeSubdomains=true
+ - traefik.http.middlewares.traefik_dashboard.headers.STSPreload=true
+ - traefik.http.middlewares.traefik_dashboard.headers.frameDeny=true
 env_file:
 - .env
 secrets:
@@ -81,4 +86,4 @@ networks:
 true
 remote:
 external:
- true
+ true
\ No newline at end of file
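Review bot: The nine added `traefik.http.middlewares.traefik_dashboard.headers.*` labels define a headers middleware that nothing in this hunk attaches to the router, because the new router label lists only `authentik-forwardauth@docker`; as written, the HSTS, frame-deny and nosniff headers would not be sent on dashboard responses. If they are meant to apply, chain the middleware: `- traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker,traefik_dashboard@docker`. Separately, `SSLRedirect` and `SSLHost` are legacy headers options that were removed in Traefik v3, and the image version is not visible here, so confirm they still parse on the deployed release; `SSLHost=${DOMAIN_NAME}` would also point redirects at the apex rather than at `${SUBDOMAIN}.${DOMAIN_NAME}`. With basic auth commented out, dashboard access control rests entirely on the `authentik-forwardauth` middleware, which is defined outside this hunk, as is the start of the `labels:` list, so a short comment above that label naming where the middleware is declared would help.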