Traefik Reverse Proxy
Configuration
- Version: Traefik v3.0
- Entrypoints: web (80), websecure (443)
- SSL: Let's Encrypt (ACME, HTTP-01)
- File-Provider: /etc/xynap/traefik/conf.d/ (Directory mode)
Routing
Middleware-Chain (Standard)
Request → CrowdSec → Security-Headers → Rate-Limit → [Auth-Check] → Backend
Services (with auth-check)
| Service | Domain | Auth |
|---|---|---|
| Open WebUI | ai.xynap.tech | ForwardAuth |
| Status Page | status.xynap.tech | ForwardAuth |
| Agent | agent.xynap.tech | ForwardAuth |
Open Services
| Service | Domain | Description |
|---|---|---|
| Platform UI | platform.xynap.tech | Own Auth (JWT) |
| Auth Service | auth.xynap.tech | Login portal |
| Roundcube | mail.xynap.tech | Own Auth |
File provider files
| File | Contents |
|---|---|
| 00-base.yml | Middlewares, xynap-own routes, Services |
| hosting-routes.yml | Customer domain routings generated by Platform API |
Rate limits
| Limit | Values | Use |
|---|---|---|
| rate-limit-standard | 50 req/s | Standard services |
| rate-limit-api | 10 req | API endpoints |
| rate-limit-auth | 5 req | Auth endpoints |
SSL certificates
- Automatically via Let's Encrypt (certResolver: letsencrypt)
- Traefik SSL-Store is synchronized with Platform-DB at startup
- Customer domains automatically get SSL when the Traefik route is created
CrowdSec Integration
Two Bouncers:
- nftables bouncer — IP Level Blocking
- Traefik Plugin — HTTP level blocking (LAPI: 172.23.0.1:8080)
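
The standard middleware chain from the Routing section, written as a Traefik v3 file-provider fragment with one ForwardAuth-protected router. This is an added example, not the project's 00-base.yml: it assumes the community crowdsec-bouncer-traefik-plugin registered as `bouncer`, and every middleware name except rate-limit-standard, the header values, the burst value and the angle-bracket placeholders are assumptions.

```yaml
# Constructed sketch of one file under /etc/xynap/traefik/conf.d/; not the real 00-base.yml.
# Items marked (assumed) or written as <PLACEHOLDER> are not from the page.
http:
  middlewares:
    crowdsec:                                  # (assumed) middleware name
      plugin:
        bouncer:                               # (assumed) plugin key from the static config
          enabled: true
          crowdsecMode: live
          crowdsecLapiScheme: http
          crowdsecLapiHost: "172.23.0.1:8080"  # LAPI address given on the page
          crowdsecLapiKey: "<BOUNCER_API_KEY>"
    security-headers:                          # (assumed) name and header values
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        contentTypeNosniff: true
        frameDeny: true
    rate-limit-standard:
      rateLimit:
        average: 50                            # 50 req/s, as in the rate limit table
        period: 1s
        burst: 50                              # (assumed) the page gives no burst value
    auth-check:                                # (assumed) name for the ForwardAuth step
      forwardAuth:
        address: "<AUTH_VERIFY_URL>"           # verification endpoint is not on the page
        trustForwardHeader: false
    # Chain order is execution order: banned IPs are rejected by CrowdSec
    # before they can consume rate-limit budget or reach the auth service.
    chain-protected:                           # services with auth-check
      chain:
        middlewares: [crowdsec, security-headers, rate-limit-standard, auth-check]
    chain-open:                                # services that do their own auth
      chain:
        middlewares: [crowdsec, security-headers, rate-limit-standard]
  routers:
    open-webui:
      rule: "Host(`ai.xynap.tech`)"
      entryPoints: [websecure]
      middlewares: [chain-protected]
      service: open-webui
      tls:
        certResolver: letsencrypt
  services:
    open-webui:
      loadBalancer:
        servers:
          - url: "http://<BACKEND_HOST>:<PORT>"
```

Referencing a chain middleware from each router, rather than listing the four middlewares per route, keeps a generated file such as hosting-routes.yml from silently omitting a step.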