The request-id middleware used {{ .Request.Host }} which is not available
at config load time in the file provider. This template error blocked
the entire file provider from loading, preventing all file-based
middlewares (including grafana-ipwhitelist) from being registered.
The middleware was unused (not referenced by any router or chain) and
the backend already generates X-Request-Id via randomUUID().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
173 lines
4.4 KiB
YAML
Executable File
http:
|
|
middlewares:
|
|
# Security headers middleware
|
|
secure-headers:
|
|
headers:
|
|
accessControlAllowMethods:
|
|
- GET
|
|
- OPTIONS
|
|
- PUT
|
|
- POST
|
|
- DELETE
|
|
accessControlAllowOriginList:
|
|
- "https://admin.motovaultpro.com"
|
|
- "https://motovaultpro.com"
|
|
accessControlMaxAge: 100
|
|
addVaryHeader: true
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
forceSTSHeader: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
stsSeconds: 31536000
|
|
customRequestHeaders:
|
|
X-Forwarded-Proto: https
|
|
|
|
# CORS middleware for API endpoints
|
|
cors:
|
|
headers:
|
|
accessControlAllowCredentials: true
|
|
accessControlAllowHeaders:
|
|
- "Authorization"
|
|
- "Content-Type"
|
|
- "X-Requested-With"
|
|
- "X-Tenant-ID"
|
|
- "X-Request-Id"
|
|
accessControlAllowMethods:
|
|
- "GET"
|
|
- "POST"
|
|
- "PUT"
|
|
- "DELETE"
|
|
- "OPTIONS"
|
|
accessControlAllowOriginList:
|
|
- "https://admin.motovaultpro.com"
|
|
- "https://motovaultpro.com"
|
|
accessControlMaxAge: 100
|
|
|
|
# API authentication middleware
|
|
api-auth:
|
|
forwardAuth:
|
|
address: "http://admin-backend:3001/auth/verify"
|
|
authResponseHeaders:
|
|
- "X-Auth-User"
|
|
- "X-Auth-Roles"
|
|
- "X-Tenant-ID"
|
|
authRequestHeaders:
|
|
- "Authorization"
|
|
- "X-Tenant-ID"
|
|
trustForwardHeader: true
|
|
|
|
# Platform API authentication middleware
|
|
platform-auth:
|
|
forwardAuth:
|
|
address: "http://admin-backend:3001/auth/verify-platform"
|
|
authResponseHeaders:
|
|
- "X-Service-Name"
|
|
- "X-Auth-Scope"
|
|
authRequestHeaders:
|
|
- "X-API-Key"
|
|
- "Authorization"
|
|
trustForwardHeader: true
|
|
|
|
# Rate limiting middleware
|
|
rate-limit:
|
|
rateLimit:
|
|
burst: 100
|
|
average: 50
|
|
period: 1m
|
|
|
|
# Request/response size limits
|
|
size-limit:
|
|
buffering:
|
|
maxRequestBodyBytes: 26214400 # 25MB
|
|
maxResponseBodyBytes: 26214400 # 25MB
|
|
|
|
# IP whitelist for development (optional)
|
|
local-ips:
|
|
ipAllowList:
|
|
sourceRange:
|
|
- "127.0.0.1/32"
|
|
- "10.0.0.0/8"
|
|
- "172.16.0.0/12"
|
|
- "192.168.0.0/16"
|
|
|
|
# Advanced security headers for production
|
|
security-headers-strict:
|
|
headers:
|
|
accessControlAllowCredentials: false
|
|
accessControlAllowMethods:
|
|
- GET
|
|
- POST
|
|
- OPTIONS
|
|
accessControlAllowOriginList:
|
|
- "https://admin.motovaultpro.com"
|
|
- "https://motovaultpro.com"
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
customRequestHeaders:
|
|
X-Forwarded-Proto: https
|
|
customResponseHeaders:
|
|
X-Frame-Options: DENY
|
|
X-Content-Type-Options: nosniff
|
|
Referrer-Policy: strict-origin-when-cross-origin
|
|
Permissions-Policy: "geolocation=(), microphone=(), camera=()"
|
|
forceSTSHeader: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
stsSeconds: 31536000
|
|
|
|
# Circuit breaker for reliability
|
|
circuit-breaker:
|
|
circuitBreaker:
|
|
expression: "NetworkErrorRatio() > 0.3 || ResponseCodeRatio(500, 600, 0, 600) > 0.3"
|
|
checkPeriod: 30s
|
|
fallbackDuration: 10s
|
|
recoveryDuration: 30s
|
|
|
|
# Request retry for resilience
|
|
retry-policy:
|
|
retry:
|
|
attempts: 3
|
|
initialInterval: 100ms
|
|
|
|
# Compress responses for performance
|
|
compression:
|
|
compress: {}
|
|
|
|
# Health check middleware chain
|
|
health-check-chain:
|
|
chain:
|
|
middlewares:
|
|
- compression
|
|
- secure-headers
|
|
|
|
# API middleware chain
|
|
api-chain:
|
|
chain:
|
|
middlewares:
|
|
- compression
|
|
- security-headers-strict
|
|
- cors
|
|
- rate-limit
|
|
- api-auth
|
|
- retry-policy
|
|
|
|
# Platform API middleware chain
|
|
platform-chain:
|
|
chain:
|
|
middlewares:
|
|
- compression
|
|
- security-headers-strict
|
|
- rate-limit
|
|
- platform-auth
|
|
- circuit-breaker
|
|
- retry-policy
|
|
|
|
# Public frontend middleware chain
|
|
frontend-chain:
|
|
chain:
|
|
middlewares:
|
|
- compression
|
|
- secure-headers |
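Review bot: Both forwardAuth middlewares keep `trustForwardHeader: true` (`api-auth` and `platform-auth`), so the X-Forwarded-* headers that reach `admin-backend:3001/auth/verify` and `/auth/verify-platform` are whatever the client supplied rather than values Traefik derives from the connection. If Traefik is the first hop in this deployment, any caller can spoof those headers to the verifier; unless the entrypoint's `forwardedHeaders.trustedIPs` is restricted to a known upstream proxy, the safer setting is `trustForwardHeader: false` in both blocks (or omitting the key, which is the default). Separately, `api-chain` runs two headers middlewares with conflicting CORS settings: `security-headers-strict` sets `accessControlAllowCredentials: false` while `cors` sets `true`, and both declare origin and method lists, so which values end up on the response depends on evaluation order. Consolidating the CORS keys into a single headers middleware per chain would make the intended policy explicit and easier to audit.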