jack
c2f9a0c21c
- Switch Traefik ACME to dnsChallenge (provider: cloudflare) - Add *.csrx.ru wildcard cert via tls.stores.default.defaultGeneratedCert - Pass CLOUDFLARE_DNS_API_TOKEN to Traefik via env_file: .env - Add Cloudflare IP ranges to forwardedHeaders.trustedIPs (real visitor IPs) - Fix UFW: allow 172.16.0.0/12 on 80/443 so act_runner can reach Forgejo - Add A records: auth.csrx.ru, status.csrx.ru, csrx.ru root → 87.249.49.32 Result: one *.csrx.ru cert covers all subdomains, auto-renewed by Traefik. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
109 lines
2.4 KiB
Django/Jinja
109 lines
2.4 KiB
Django/Jinja
# Traefik v3 static configuration
|
|
# Generated by Ansible
|
|
|
|
global:
|
|
checkNewVersion: false
|
|
sendAnonymousUsage: false
|
|
|
|
log:
|
|
level: INFO
|
|
|
|
accessLog:
|
|
filePath: /var/log/traefik/access.log
|
|
bufferingSize: 100
|
|
fields:
|
|
defaultMode: keep
|
|
headers:
|
|
defaultMode: drop
|
|
names:
|
|
User-Agent: keep
|
|
Referer: drop
|
|
|
|
api:
|
|
dashboard: true
|
|
insecure: false
|
|
|
|
ping: {}
|
|
|
|
entryPoints:
|
|
web:
|
|
address: ":80"
|
|
forwardedHeaders:
|
|
# Trust Cloudflare IP ranges — they pass real visitor IP in X-Forwarded-For
|
|
trustedIPs:
|
|
- "173.245.48.0/20"
|
|
- "103.21.244.0/22"
|
|
- "103.22.200.0/22"
|
|
- "103.31.4.0/22"
|
|
- "141.101.64.0/18"
|
|
- "108.162.192.0/18"
|
|
- "190.93.240.0/20"
|
|
- "188.114.96.0/20"
|
|
- "197.234.240.0/22"
|
|
- "198.41.128.0/17"
|
|
- "162.158.0.0/15"
|
|
- "104.16.0.0/13"
|
|
- "104.24.0.0/14"
|
|
- "172.64.0.0/13"
|
|
- "131.0.72.0/22"
|
|
- "2400:cb00::/32"
|
|
- "2606:4700::/32"
|
|
- "2803:f800::/32"
|
|
- "2405:b500::/32"
|
|
- "2405:8100::/32"
|
|
- "2a06:98c0::/29"
|
|
- "2c0f:f248::/32"
|
|
http:
|
|
redirections:
|
|
entryPoint:
|
|
to: websecure
|
|
scheme: https
|
|
websecure:
|
|
address: ":443"
|
|
forwardedHeaders:
|
|
trustedIPs:
|
|
- "173.245.48.0/20"
|
|
- "103.21.244.0/22"
|
|
- "103.22.200.0/22"
|
|
- "103.31.4.0/22"
|
|
- "141.101.64.0/18"
|
|
- "108.162.192.0/18"
|
|
- "190.93.240.0/20"
|
|
- "188.114.96.0/20"
|
|
- "197.234.240.0/22"
|
|
- "198.41.128.0/17"
|
|
- "162.158.0.0/15"
|
|
- "104.16.0.0/13"
|
|
- "104.24.0.0/14"
|
|
- "172.64.0.0/13"
|
|
- "131.0.72.0/22"
|
|
- "2400:cb00::/32"
|
|
- "2606:4700::/32"
|
|
- "2803:f800::/32"
|
|
- "2405:b500::/32"
|
|
- "2405:8100::/32"
|
|
- "2a06:98c0::/29"
|
|
- "2c0f:f248::/32"
|
|
http:
|
|
middlewares:
|
|
- security-headers@file
|
|
|
|
certificatesResolvers:
|
|
letsencrypt:
|
|
acme:
|
|
email: "{{ acme_email }}"
|
|
storage: /acme/acme.json
|
|
dnsChallenge:
|
|
provider: cloudflare
|
|
# Use Cloudflare's own resolvers to avoid propagation delays
|
|
resolvers:
|
|
- "1.1.1.1:53"
|
|
- "1.0.0.1:53"
|
|
|
|
providers:
|
|
file:
|
|
directory: /etc/traefik/dynamic
|
|
watch: true
|
|
|
|
serversTransport:
|
|
insecureSkipVerify: false
|