http:
  middlewares:
    real-ip:
      plugin:
        traefik-warp:
          logLevel: "INFO"
          trustIp: []  # TraefikWarp auto-fetches Cloudflare ranges

    geoblock:
      plugin:
        geoblock:
          silentStartUp: false
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: false
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 500
          cacheSize: 25
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          countries:
            - "US"
            - "DE"

    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer:
          enabled: true
          crowdsecMode: stream
          crowdsecLapiKey: '{{ env "CROWDSEC_BOUNCER_API_KEY" }}'
          crowdsecLapiHost: "crowdsec:8080"
          crowdsecLapiScheme: "http"
          crowdsecAppsecEnabled: true
          crowdsecAppsecHost: "crowdsec:7422"
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true

    security-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=()"
        customFrameOptionsValue: "SAMEORIGIN"

    rate-limit:
      rateLimit:
        average: 100   # requests per second sustained
        burst: 50      # allowed spike above average
        period: 1s