Traefik Reverse Proxy

Configuration

  • Version: Traefik v3.0
  • Entrypoints: web (80), websecure (443)
  • SSL: Let's Encrypt (ACME, HTTP-01)
  • File provider: /etc/xynap/traefik/conf.d/ (directory mode)

Routing

Middleware chain (default)

Request → CrowdSec → Security-Headers → Rate-Limit → [Auth-Check] → Backend

Protected services (with auth-check)

Service       Domain              Auth
Open WebUI    ai.xynap.tech       ForwardAuth
Status Page   status.xynap.tech   ForwardAuth
Agent         agent.xynap.tech    ForwardAuth

Open services

Service        Domain                Description
Platform UI    platform.xynap.tech   Own auth (JWT)
Auth Service   auth.xynap.tech       Login portal
Roundcube      mail.xynap.tech       Own auth

File provider files

File                 Contents
00-base.yml          Middlewares, xynap's own routes, services
hosting-routes.yml   Customer-domain routes generated by the Platform API

Rate limits

Limit                 Value      Used for
rate-limit-standard   50 req/s   Standard services
rate-limit-api        10 req/s   API endpoints
rate-limit-auth       5 req/s    Auth endpoints

SSL certificates

  • Automatic via Let's Encrypt (certResolver: letsencrypt)
  • The Traefik SSL store is synchronised with the Platform DB at startup
  • Customer domains get SSL automatically when their Traefik route is created

CrowdSec integration

Two bouncers:

  1. nftables bouncer — IP-level blocking
  2. Traefik plugin — HTTP-level blocking (LAPI: 172.23.0.1:8080)
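The default middleware chain, the standard rate limit, the CrowdSec HTTP bouncer and one protected router (ai.xynap.tech) written as Traefik v3 dynamic configuration for the file provider. This is an added example, not the real contents of 00-base.yml; the plugin key and option names (taken from the commonly used crowdsec-bouncer-traefik-plugin), the auth service URL, the backend URL and the burst value are assumptions.

```yaml
# Example layout for /etc/xynap/traefik/conf.d/00-base.yml (assumed, not the real file)
http:
  middlewares:
    # CrowdSec HTTP-level bouncer. Plugin key and option names assume the
    # crowdsec-bouncer-traefik-plugin; another plugin uses different names.
    crowdsec-bouncer:
      plugin:
        bouncer:
          enabled: true
          crowdsecLapiHost: "172.23.0.1:8080"
          crowdsecLapiKey: "<LAPI_KEY_PLACEHOLDER>"   # load from a secret, never commit
    security-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        frameDeny: true
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin"
    # rate-limit-standard: 50 req/s sustained per client; burst value is assumed
    rate-limit-standard:
      rateLimit:
        average: 50
        period: 1s
        burst: 100
    # auth-check: Traefik forwards each request to the auth service before the backend
    auth-check:
      forwardAuth:
        address: "http://auth-service:8080/verify"   # assumed internal URL
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
    # Order matters: block known-bad IPs first, then headers, then rate limit
    default-chain:
      chain:
        middlewares:
          - crowdsec-bouncer
          - security-headers
          - rate-limit-standard
  routers:
    open-webui:
      rule: "Host(`ai.xynap.tech`)"
      entryPoints: ["websecure"]
      middlewares: ["default-chain", "auth-check"]
      service: open-webui
      tls:
        certResolver: letsencrypt
  services:
    open-webui:
      loadBalancer:
        servers:
          - url: "http://open-webui:8080"   # assumed container address
```

Open services such as platform.xynap.tech would reference only default-chain, without auth-check, since they carry their own authentication.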