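---
# Traefik dynamic configuration: HTTP middlewares and the chains that compose them.
# Chains defined at the bottom: health-check-chain, api-chain, platform-chain,
# frontend-chain. Middlewares defined here but used by none of those chains:
# request-id, size-limit, local-ips (routers outside this file may still reference them).
http:
  middlewares:
    # Request ID forwarding middleware
    # Note: Traefik v3 lacks native UUID generation
    # Backend generates X-Request-Id if not present in request
    # This middleware ensures the header is forwarded when present
    # NOTE(review): the file provider evaluates this file as a Go template at load
    # time and headers-middleware values are static, so a per-request
    # "{{ .Request.Host }}" is not supported and may make the whole file fail to
    # load. Traefik sets X-Forwarded-Host itself; confirm and consider removing
    # this header (no chain below uses request-id).
    request-id:
      headers:
        customRequestHeaders:
          X-Forwarded-Host: "{{ .Request.Host }}"
        # X-Request-Id forwarded automatically via passthrough
        # Backend responsibility: generate UUID if header missing

    # Security headers middleware (frontend-chain, health-check-chain).
    # Because this middleware carries accessControl* options it also answers
    # CORS preflights (OPTIONS) for those chains itself.
    secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - DELETE
        accessControlAllowOriginList:
          - "https://admin.motovaultpro.com"
          - "https://motovaultpro.com"
        accessControlMaxAge: 100
        addVaryHeader: true
        # Legacy X-XSS-Protection header; ignored by current browsers, harmless.
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customRequestHeaders:
          # Unconditionally tells the backend the client used HTTPS. Only accurate
          # when TLS terminates at Traefik and this chain is attached to the TLS
          # entrypoint only — TODO confirm.
          X-Forwarded-Proto: https

    # CORS middleware for API endpoints (api-chain).
    # The single CORS policy for api-chain: credentials are allowed, which is why
    # origins are enumerated explicitly (browsers reject a wildcard with credentials).
    cors:
      headers:
        accessControlAllowCredentials: true
        accessControlAllowHeaders:
          - "Authorization"
          - "Content-Type"
          - "X-Requested-With"
          - "X-Tenant-ID"
          - "X-Request-Id"
        accessControlAllowMethods:
          - "GET"
          - "POST"
          - "PUT"
          - "DELETE"
          - "OPTIONS"
        accessControlAllowOriginList:
          - "https://admin.motovaultpro.com"
          - "https://motovaultpro.com"
        accessControlMaxAge: 100

    # API authentication middleware
    # Every request is checked against the admin-backend before reaching the service.
    api-auth:
      forwardAuth:
        address: "http://admin-backend:3001/auth/verify"
        # Traefik removes each of these headers from the client request and
        # replaces it with the auth service's value, so a client cannot pre-set
        # X-Auth-User / X-Auth-Roles / X-Tenant-ID for the backend.
        authResponseHeaders:
          - "X-Auth-User"
          - "X-Auth-Roles"
          - "X-Tenant-ID"
        # Only these client headers are copied into the verify request.
        authRequestHeaders:
          - "Authorization"
          - "X-Tenant-ID"
        # Forwards the client-supplied X-Forwarded-* headers to the auth service.
        # If Traefik is the internet-facing edge, a client can spoof the
        # X-Forwarded-For that /auth/verify sees; keep this true only when Traefik
        # sits behind a trusted proxy that overwrites those headers.
        trustForwardHeader: true

    # Platform API authentication middleware
    platform-auth:
      forwardAuth:
        address: "http://admin-backend:3001/auth/verify-platform"
        # Stripped from the client request and set from the auth response (see api-auth).
        authResponseHeaders:
          - "X-Service-Name"
          - "X-Auth-Scope"
        authRequestHeaders:
          - "X-API-Key"
          - "Authorization"
        # Same caveat as api-auth: only safe behind a trusted proxy.
        trustForwardHeader: true

    # Rate limiting middleware
    # average requests per period, i.e. 50 requests/minute sustained, bursts to 100.
    # Default source criterion is the client IP; behind a load balancer that does
    # not preserve the client address every client shares one bucket — set
    # sourceCriterion.ipStrategy.depth in that case (TODO confirm deployment).
    rate-limit:
      rateLimit:
        burst: 100
        average: 50
        period: 1m

    # Request/response size limits
    # Not part of any chain below; api-chain currently has no body-size cap at the
    # proxy, so the backend's own limit is the only guard — consider adding this.
    size-limit:
      buffering:
        maxRequestBodyBytes: 26214400  # 25MB
        maxResponseBodyBytes: 26214400  # 25MB

    # IP whitelist for development (optional)
    # ipWhiteList is deprecated in Traefik v3 in favour of ipAllowList; kept as-is
    # because the middleware is unused here and the exact running version is unknown.
    local-ips:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

    # Advanced security headers for production (api-chain, platform-chain).
    # CORS is deliberately NOT configured here. A headers middleware with
    # accessControl* options answers OPTIONS preflights itself; in api-chain this
    # middleware runs before `cors`, so the previous GET/POST/OPTIONS-only,
    # no-credentials settings answered every preflight and the `cors` middleware
    # never took effect for PUT/DELETE or credentialed requests. api-chain's CORS
    # policy lives in `cors`; platform-chain is consumed by API-key clients,
    # presumably not browsers — TODO confirm no browser client depends on it.
    security-headers-strict:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        customRequestHeaders:
          # See secure-headers: accurate only when TLS terminates at Traefik.
          X-Forwarded-Proto: https
        customResponseHeaders:
          # frameDeny / contentTypeNosniff below already emit the first two;
          # kept explicit, values are identical.
          X-Frame-Options: DENY
          X-Content-Type-Options: nosniff
          Referrer-Policy: strict-origin-when-cross-origin
          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
        forceSTSHeader: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    # Circuit breaker for reliability
    # Trips when >30% of requests hit network errors or return 5xx.
    circuit-breaker:
      circuitBreaker:
        expression: "NetworkErrorRatio() > 0.3 || ResponseCodeRatio(500, 600, 0, 600) > 0.3"
        checkPeriod: 30s
        fallbackDuration: 10s
        recoveryDuration: 30s

    # Request retry for resilience
    # Retries on network errors only. A POST/PUT/DELETE that reached the backend
    # before the connection dropped can be replayed — write endpoints should be
    # idempotent or deduplicate on X-Request-Id (TODO confirm backend behaviour).
    retry-policy:
      retry:
        attempts: 3
        initialInterval: 100ms

    # Compress responses for performance
    compression:
      compress: {}

    # Health check middleware chain
    health-check-chain:
      chain:
        middlewares:
          - compression
          - secure-headers

    # API middleware chain
    # Order matters: rate-limit runs before api-auth so unauthenticated floods are
    # throttled before they reach /auth/verify; cors is the only CORS source here.
    api-chain:
      chain:
        middlewares:
          - compression
          - security-headers-strict
          - cors
          - rate-limit
          - api-auth
          - retry-policy

    # Platform API middleware chain
    platform-chain:
      chain:
        middlewares:
          - compression
          - security-headers-strict
          - rate-limit
          - platform-auth
          - circuit-breaker
          - retry-policy

    # Public frontend middleware chain
    frontend-chain:
      chain:
        middlewares:
          - compression
          - secure-headers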