Docker-Compose/Proxy_Containers/traefik/traefik.yaml

api:
  dashboard: false
  debug: false  # never true in production
  insecure: false  # explicit

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: :443
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
    http:
      middlewares:
        - real-ip@file
        - geoblock@file
        - rate-limit@file
        - crowdsec-bouncer@file
        - security-headers@file

providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"  # not the unix socket
    exposedByDefault: false
  file:
    filename: /config.yaml
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: "noreply@gabesville.com"
      storage: /var/traefik/certs/cloudflare-acme.json
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
  maxSize: 100    # MB per file
  maxBackups: 3   # keep last 3 rotated files
  maxAge: 7       # days before deletion
  compress: true  # gzip rotated files
accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100
  filters:
    statusCodes:
      - "400-599"  # only log errors — reduces volume significantly

global:
  checkNewVersion: false
  sendAnonymousUsage: false

experimental:
  plugins:
    crowdsec-bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.5.1"
    traefik-warp:
      moduleName: "github.com/l4rm4nd/traefik-warp"
      version: "v1.1.5"
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.3.3"