---
# Traefik Middleware CRDs for the honeydue namespace: request rate limiting,
# security response headers, a Cloudflare-only source allowlist, and basic
# auth for the admin panel. A Middleware has no effect until a router
# references it; which routes use each one is not visible in this file.

# Rate limiting: 100 requests per 1m period on average, bursts up to 200.
# NOTE(review): no sourceCriterion is set, so Traefik groups requests by the
# connection's remote address. If traffic arrives through Cloudflare (as the
# cloudflare-only middleware below suggests), that address is a Cloudflare
# edge IP and many clients share one bucket. Consider a sourceCriterion keyed
# on the real client address, and only trust a client-IP header on routes
# that already reject non-Cloudflare sources. TODO confirm topology.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
  namespace: honeydue
spec:
  rateLimit:
    average: 100
    burst: 200
    period: 1m
---
# Security response headers.
# frameDeny and contentTypeNosniff already emit X-Frame-Options: DENY and
# X-Content-Type-Options: nosniff; the matching customResponseHeaders entries
# repeat the same values.
# NOTE(review): browserXssFilter emits "X-XSS-Protection: 1; mode=block".
# Current browsers ignore this header and the CSP below is the effective
# control; confirm the legacy header is still wanted.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: honeydue
spec:
  headers:
    frameDeny: true
    contentTypeNosniff: true
    browserXssFilter: true
    referrerPolicy: "strict-origin-when-cross-origin"
    customResponseHeaders:
      X-Content-Type-Options: "nosniff"
      X-Frame-Options: "DENY"
      # One year, applied to subdomains as well.
      Strict-Transport-Security: "max-age=31536000; includeSubDomains"
      # Same-origin resources only; the page may not be framed anywhere.
      Content-Security-Policy: "default-src 'self'; frame-ancestors 'none'"
      Permissions-Policy: "camera=(), microphone=(), geolocation=()"
      X-Permitted-Cross-Domain-Policies: "none"
---
# Cloudflare IP allowlist (restrict origin to Cloudflare only)
# https://www.cloudflare.com/ips-v4 and /ips-v6
# Update periodically:
#   curl -s https://www.cloudflare.com/ips-v4 && curl -s https://www.cloudflare.com/ips-v6
# A stale list either drops legitimate Cloudflare traffic or keeps admitting
# ranges Cloudflare no longer owns, so re-check it on a schedule.
# NOTE(review): without an ipStrategy the match is on the connection's remote
# address. If a load balancer or NAT sits between Cloudflare and Traefik, the
# address seen here may not be Cloudflare's - verify source IPs are preserved.
# NOTE(review): these ranges admit anything relayed through Cloudflare, not
# only this site's zone. Pair the allowlist with an origin-side check such as
# Cloudflare Authenticated Origin Pulls (mTLS) if that distinction matters.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cloudflare-only
  namespace: honeydue
spec:
  ipAllowList:
    sourceRange:
      # Cloudflare IPv4 ranges
      - "173.245.48.0/20"
      - "103.21.244.0/22"
      - "103.22.200.0/22"
      - "103.31.4.0/22"
      - "141.101.64.0/18"
      - "108.162.192.0/18"
      - "190.93.240.0/20"
      - "188.114.96.0/20"
      - "197.234.240.0/22"
      - "198.41.128.0/17"
      - "162.158.0.0/15"
      - "104.16.0.0/13"
      - "104.24.0.0/14"
      - "172.64.0.0/13"
      - "131.0.72.0/22"
      # Cloudflare IPv6 ranges (quoted: the values contain colons)
      - "2400:cb00::/32"
      - "2606:4700::/32"
      - "2803:f800::/32"
      - "2405:b500::/32"
      - "2405:8100::/32"
      - "2a06:98c0::/29"
      - "2c0f:f248::/32"
---
# Admin basic auth - additional auth layer for admin panel
# Secret created by 02-setup-secrets.sh from config.yaml credentials
# Basic auth sends the credentials with every request, so attach this only to
# routers served over TLS.
# NOTE(review): removeHeader is not set, so the Authorization header is
# presumably forwarded to the admin backend; set removeHeader: true if the
# backend does not need it. Also confirm the script stores a bcrypt hash in
# the secret rather than a weaker htpasswd format.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: admin-auth
  namespace: honeydue
spec:
  basicAuth:
    secret: admin-basic-auth
    realm: "honeyDue Admin"