mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-03-28 19:22:33 -04:00
e7689459f2
* Rework trusted proxies Fix https://github.com/FreshRSS/FreshRSS/issues/5502 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226 New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip. Current working setups should not observe any significant change. * Minor whitespace * Safer trusted sources during install Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357 * Minor readme
60 lines
2.0 KiB
YAML
60 lines
2.0 KiB
YAML
version: "2.4"
|
|
|
|
volumes:
|
|
traefik-letsencrypt:
|
|
traefik-tmp:
|
|
|
|
services:
|
|
|
|
traefik:
|
|
image: traefik:2.10
|
|
container_name: traefik
|
|
restart: unless-stopped
|
|
logging:
|
|
options:
|
|
max-size: 10m
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
networks:
|
|
- network
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- traefik-tmp:/tmp
|
|
- traefik-letsencrypt:/etc/traefik/acme
|
|
- ./traefik/tls.yaml:/etc/traefik/tls.yaml:ro
|
|
command:
|
|
- --global.sendAnonymousUsage
|
|
- --accesslog=true
|
|
- --api=false
|
|
- --providers.docker=true
|
|
- --providers.docker.exposedByDefault=false
|
|
- --log.level=INFO
|
|
- --entryPoints.http.address=:80
|
|
- --entryPoints.https.address=:443
|
|
- --entryPoints.http.http.redirections.entryPoint.to=https
|
|
- --entryPoints.http.http.redirections.entryPoint.scheme=https
|
|
- --certificatesResolvers.letsEncrypt.acme.storage=/etc/traefik/acme/acme.json
|
|
- --certificatesResolvers.letsEncrypt.acme.email=${ADMIN_EMAIL}
|
|
- --certificatesResolvers.letsEncrypt.acme.tlsChallenge=true
|
|
- --providers.file.filename=/etc/traefik/tls.yaml
|
|
labels:
|
|
- traefik.enable=false
|
|
|
|
freshrss:
|
|
environment:
|
|
TRUSTED_PROXY: 172.16.0.1/12
|
|
labels:
|
|
- traefik.enable=true
|
|
- traefik.http.middlewares.freshrssM1.compress=true
|
|
- traefik.http.middlewares.freshrssM2.headers.browserXssFilter=true
|
|
- traefik.http.middlewares.freshrssM2.headers.forceSTSHeader=true
|
|
- traefik.http.middlewares.freshrssM2.headers.frameDeny=true
|
|
- traefik.http.middlewares.freshrssM2.headers.referrerPolicy=no-referrer-when-downgrade
|
|
- traefik.http.middlewares.freshrssM2.headers.stsSeconds=31536000
|
|
- traefik.http.routers.freshrss.entryPoints=https
|
|
- traefik.http.routers.freshrss.middlewares=freshrssM1,freshrssM2
|
|
- traefik.http.routers.freshrss.rule=Host(`${SERVER_DNS}`)
|
|
- traefik.http.routers.freshrss.tls.certResolver=letsEncrypt
|
|
- traefik.http.routers.freshrss.tls=true
|