dotfiles.nix/nixos/viridian/services/traefik/middlewares.nix

58 lines
2 KiB
Nix
Raw Normal View History

2024-08-08 09:02:42 +08:00
{config, ...}: {
# Crowdsec Local API key for the bouncer.
age.secrets.traefik-bouncer-key = {
rekeyFile = ../crowdsec/traefik-bouncer-key.age;
owner = "traefik";
group = "traefik";
};
2023-11-18 16:59:16 +08:00
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
2024-08-08 09:02:42 +08:00
"127.0.0.1/32" # localhost
2024-09-07 15:49:39 +08:00
"192.168.50.1/24" # lan
2023-11-18 16:59:16 +08:00
];
2023-11-18 16:59:16 +08:00
# Restrict access based on geo-location
geoblock.plugin.geoblock = {
2024-03-03 09:58:47 +08:00
silentStartUp = "false";
2023-11-18 16:59:16 +08:00
allowLocalRequests = "true";
# If set to true will show a log message
logLocalRequests = "false";
logAllowedRequests = "false";
logApiRequests = "false";
# Application programming interface
api = "https://get.geojs.io/v1/ip/country/{ip}";
2023-11-20 12:06:37 +08:00
apiTimeoutMs = "750";
2023-11-18 16:59:16 +08:00
# Max size of least recently used cache
cacheSize = "25";
2024-04-01 10:03:27 +08:00
# List of countries to block access
2023-11-18 16:59:16 +08:00
countries = [
2024-04-01 10:03:27 +08:00
"RU" # Russian Federation (the)
2023-11-18 16:59:16 +08:00
];
# Inverts filter logic
2024-04-01 10:03:27 +08:00
blackListMode = "true";
2023-11-18 16:59:16 +08:00
# Unknown Countries (IPs with no country association)
allowUnknownCountries = "false";
unknownCountryApiResponse = "nil";
# Adds the X-IPCountry header to the HTTP request header.
addCountryHeader = "false";
# Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
forceMonthlyUpdate = "true";
};
2024-07-08 22:10:20 +08:00
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
crowdsec.plugin.bouncer = {
enabled = "true";
crowdsecMode = "appsec";
2024-08-08 09:02:42 +08:00
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
crowdsecLapiScheme = "http";
crowdsecLapiHost = "127.0.0.1:8080";
crowdsecAppsecEnabled = "true";
crowdsecAppsecHost = "127.0.0.1:7422";
};
2023-11-18 16:59:16 +08:00
};
}