Track config files for CI/CD deployment

Config files were previously gitignored, causing CI/CD pipeline to fail because Docker would create directories instead of mounting the expected files. - Remove config/** from .gitignore - Track all config files (secrets still ignored) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 13:28:27 -06:00
parent a991c01f64
commit 667632f54b
9 changed files with 931 additions and 5 deletions
--- a/config/traefik/middleware.yml
+++ b/config/traefik/middleware.yml
@@ -0,0 +1,180 @@
+http:
+  middlewares:
+    # Security headers middleware
+    secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+          - POST
+          - DELETE
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    # CORS middleware for API endpoints
+    cors:
+      headers:
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders:
+          - "Authorization"
+          - "Content-Type"
+          - "X-Requested-With"
+          - "X-Tenant-ID"
+        accessControlAllowMethods:
+          - "GET"
+          - "POST"
+          - "PUT"
+          - "DELETE"
+          - "OPTIONS"
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+
+    # API authentication middleware
+    api-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify"
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Roles"
+          - "X-Tenant-ID"
+        authRequestHeaders:
+          - "Authorization"
+          - "X-Tenant-ID"
+        trustForwardHeader: true
+
+    # Platform API authentication middleware
+    platform-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify-platform"
+        authResponseHeaders:
+          - "X-Service-Name"
+          - "X-Auth-Scope"
+        authRequestHeaders:
+          - "X-API-Key"
+          - "Authorization"
+        trustForwardHeader: true
+
+    # Rate limiting middleware
+    rate-limit:
+      rateLimit:
+        burst: 100
+        average: 50
+        period: 1m
+
+    # Request/response size limits
+    size-limit:
+      buffering:
+        maxRequestBodyBytes: 10485760  # 10MB
+        maxResponseBodyBytes: 10485760  # 10MB
+
+    # IP whitelist for development (optional)
+    local-ips:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"
+
+    # Advanced security headers for production
+    security-headers-strict:
+      headers:
+        accessControlAllowCredentials: false
+        accessControlAllowMethods:
+          - GET
+          - POST
+          - OPTIONS
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        browserXssFilter: true
+        contentTypeNosniff: true
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+        customResponseHeaders:
+          X-Frame-Options: DENY
+          X-Content-Type-Options: nosniff
+          Referrer-Policy: strict-origin-when-cross-origin
+          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+
+    # Circuit breaker for reliability
+    circuit-breaker:
+      circuitBreaker:
+        expression: "NetworkErrorRatio() > 0.3 || ResponseCodeRatio(500, 600, 0, 600) > 0.3"
+        checkPeriod: 30s
+        fallbackDuration: 10s
+        recoveryDuration: 30s
+
+    # Request retry for resilience
+    retry-policy:
+      retry:
+        attempts: 3
+        initialInterval: 100ms
+
+    # Timeout middleware
+    timeout:
+      timeout: 30s
+
+    # Compress responses for performance
+    compression:
+      compress: {}
+
+    # Health check middleware chain
+    health-check-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers
+          - timeout
+
+    # API middleware chain
+    api-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - cors
+          - rate-limit
+          - api-auth
+          - retry-policy
+          - timeout
+
+    # Platform API middleware chain
+    platform-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - rate-limit
+          - platform-auth
+          - circuit-breaker
+          - retry-policy
+          - timeout
+
+    # Public frontend middleware chain
+    frontend-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers
+          - timeout