configuracion actual

dynamic/amigos-nucleoriofrio.yml

@@ -0,0 +1,41 @@
+# Configuración dinámica para amigos.nucleoriofrio.com
+# Proxy a amigos-app:3001 con autenticación Authentik
+
+http:
+  routers:
+    amigos-nucleoriofrio:
+      rule: "Host(`amigos.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: amigos-nucleoriofrio-service
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - authentik-forward-auth
+        - amigos-headers
+
+  services:
+    amigos-nucleoriofrio-service:
+      loadBalancer:
+        servers:
+          - url: "http://amigos-app:3001"
+        passHostHeader: true
+
+  middlewares:
+    # Forward Auth con Authentik
+    authentik-forward-auth:
+      forwardAuth:
+        address: "http://authentiknucleo-server-1:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-email
+          - X-authentik-uid
+          - Set-Cookie
+
+    # Headers personalizados para amigos
+    amigos-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Scheme: "https"

dynamic/authentik-nucleoriofrio.yml

@@ -0,0 +1,30 @@
+# Configuración dinámica para authentik.nucleoriofrio.com
+# Proxy a authentiknucleo-server-1:9000
+
+http:
+  routers:
+    authentik-nucleoriofrio:
+      rule: "Host(`authentik.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: authentik-nucleoriofrio-service
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - authentik-headers
+
+  services:
+    authentik-nucleoriofrio-service:
+      loadBalancer:
+        servers:
+          - url: "http://authentiknucleo-server-1:9000"
+        passHostHeader: true
+
+  middlewares:
+    authentik-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Scheme: "https"
+        customResponseHeaders:
+          X-Robots-Tag: "noindex, nofollow"

dynamic/gitea.yml

@@ -0,0 +1,17 @@
+# Configuración de Gitea
+
+http:
+  routers:
+    gitea:
+      rule: "Host(`gitea.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: gitea-service
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    gitea-service:
+      loadBalancer:
+        servers:
+          - url: "http://gitea:3000"

dynamic/middlewares.yml

@@ -0,0 +1,71 @@
+# Configuración dinámica - Middlewares
+# Los middlewares procesan las peticiones antes de llegar al servicio
+
+http:
+  middlewares:
+    # Middleware para comprimir respuestas
+    compress:
+      compress: {}
+
+    # Middleware para rate limiting (limitar peticiones)
+    rate-limit:
+      rateLimit:
+        average: 100  # 100 peticiones
+        period: 1s    # por segundo
+        burst: 50     # permite picos de hasta 50
+
+    # Middleware para headers de seguridad
+    security-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customResponseHeaders:
+          X-Powered-By: "Nucleo Rio Frio"
+          Server: ""
+
+    # Middleware para CORS
+    cors:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - POST
+          - PUT
+          - DELETE
+          - OPTIONS
+        accessControlAllowOriginList:
+          - "*"  # CAMBIAR por tus dominios específicos en producción
+        accessControlAllowHeaders:
+          - "*"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+
+    # Middleware para redirección HTTPS
+    redirect-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    # Middleware de autenticación básica de ejemplo
+    # Genera usuarios con: htpasswd -nb usuario password
+    basic-auth-example:
+      basicAuth:
+        users:
+          - "user:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"  # user:password
+        realm: "Área Protegida"
+
+    # Middleware para agregar prefijo a las rutas
+    strip-prefix-api:
+      stripPrefix:
+        prefixes:
+          - "/api"
+
+    # Middleware para timeout
+    timeout:
+      forwardAuth:
+        address: "http://localhost"
+        trustForwardHeader: true

dynamic/musica-nucleoriofrio.yml

@@ -0,0 +1,43 @@
+# Configuración dinámica para musica.nucleoriofrio.com
+# Proxy a repodructor:3000 (Reproductor de música con Nuxt)
+
+http:
+  routers:
+    musica-nucleoriofrio:
+      rule: "Host(`musica.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: musica-nucleoriofrio-service
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - musica-headers
+        - musica-body-size
+
+  services:
+    musica-nucleoriofrio-service:
+      loadBalancer:
+        servers:
+          - url: "http://repodructor:3000"
+        passHostHeader: true
+        # Optimizaciones para streaming
+        responseForwarding:
+          flushInterval: "100ms"
+
+  middlewares:
+    # Headers personalizados para el reproductor
+    musica-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Scheme: "https"
+        customResponseHeaders:
+          X-Frame-Options: "SAMEORIGIN"
+          X-Content-Type-Options: "nosniff"
+          X-XSS-Protection: "1; mode=block"
+          Cache-Control: "public, max-age=3600"
+
+    # Tamaño máximo de body para subir archivos
+    musica-body-size:
+      buffering:
+        maxRequestBodyBytes: 104857600  # 100MB

dynamic/portainer.yml

@@ -0,0 +1,23 @@
+# Configuración de Portainer
+
+http:
+  routers:
+    portainer:
+      rule: "Host(`portainer.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: portainer-service
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    portainer-service:
+      loadBalancer:
+        servers:
+          - url: "https://portainer:9443"
+        serversTransport: portainer-transport
+
+  # Transport para aceptar certificado autofirmado de Portainer
+  serversTransports:
+    portainer-transport:
+      insecureSkipVerify: true

dynamic/wifi-nucleoriofrio.yml

@@ -0,0 +1,45 @@
+# Configuración dinámica para wifi.nucleoriofrio.com
+# Proxy a radiusnucleo-node-1:3000 con soporte SSE y WebSocket
+
+http:
+  routers:
+    wifi-nucleoriofrio:
+      rule: "Host(`wifi.nucleoriofrio.com`)"
+      entryPoints:
+        - websecure
+      service: wifi-nucleoriofrio-service
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - wifi-headers
+
+  services:
+    wifi-nucleoriofrio-service:
+      loadBalancer:
+        servers:
+          - url: "http://radiusnucleo-node-1:3000"
+        # Configuración para Server-Sent Events (SSE)
+        passHostHeader: true
+        responseForwarding:
+          flushInterval: 1ms  # Para SSE - envía datos inmediatamente
+        serversTransport: wifi-transport
+
+  # Middleware para headers específicos
+  middlewares:
+    wifi-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Scheme: "https"
+        # No agregar security headers que puedan interferir con SSE
+
+  # Transport específico para SSE y WebSocket
+  serversTransports:
+    wifi-transport:
+      serverName: radiusnucleo-node-1
+      insecureSkipVerify: false
+      # Timeouts largos para SSE
+      forwardingTimeouts:
+        dialTimeout: 30s
+        responseHeaderTimeout: 0s  # Sin timeout para headers de respuesta (SSE)
+        idleConnTimeout: 90s