From 84a03ab386b083a15718e67ff9203b24cabf5b71 Mon Sep 17 00:00:00 2001
From: josedario87 <jodarioel87@gmail.com>
Date: Sun, 5 Oct 2025 04:01:15 -0600
Subject: [PATCH] que paso?

---
 .claude/settings.local.json   |    0
 .env.example                  |    0
 .gitignore                    |    0
 CLOUDFLARE.md                 |  291 ++++++++
 README.md                     |    0
 docker-compose.yml            |    0
 dynamic/middlewares.yml       |    0
 examples/existing-service.yml |    0
 examples/whoami-service.yml   |    0
 planV1.md                     | 1274 +++++++++++++++++++++++++++++++++
 traefik/traefik.yml           |    0
 11 files changed, 1565 insertions(+)
 mode change 100755 => 100644 .claude/settings.local.json
 mode change 100755 => 100644 .env.example
 mode change 100755 => 100644 .gitignore
 create mode 100644 CLOUDFLARE.md
 mode change 100755 => 100644 README.md
 mode change 100755 => 100644 docker-compose.yml
 mode change 100755 => 100644 dynamic/middlewares.yml
 mode change 100755 => 100644 examples/existing-service.yml
 mode change 100755 => 100644 examples/whoami-service.yml
 create mode 100644 planV1.md
 mode change 100755 => 100644 traefik/traefik.yml

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
old mode 100755
new mode 100644
diff --git a/.env.example b/.env.example
old mode 100755
new mode 100644
diff --git a/.gitignore b/.gitignore
old mode 100755
new mode 100644
diff --git a/CLOUDFLARE.md b/CLOUDFLARE.md
new file mode 100644
index 0000000..d82186a
--- /dev/null
+++ b/CLOUDFLARE.md
@@ -0,0 +1,291 @@
+# Traefik + Cloudflare Tunnel - Configuración
+
+Esta guía explica cómo funciona Traefik detrás de Cloudflare Tunnel y cómo obtener las IPs reales de los visitantes.
+
+## 🌐 Arquitectura
+
+```
+Internet → Cloudflare (SSL/DDoS) → Cloudflare Tunnel → Traefik (443) → Contenedores
+```
+
+## 📍 IPs Reales de Visitantes
+
+### ¿Cómo funciona?
+
+Cuando un usuario visita tu sitio:
+
+1. **Cloudflare recibe la conexión** y conoce la IP real del visitante
+2. **Cloudflare envía la IP real en headers HTTP:**
+   - `CF-Connecting-IP`: IP real del cliente ✅ (más confiable)
+   - `X-Forwarded-For`: Cadena de proxies
+   - `X-Real-IP`: IP real (alternativa)
+3. **Traefik lee estos headers** y los pasa a tus aplicaciones
+
+### Configuración aplicada
+
+Ya está configurado en `traefik/traefik.yml`:
+
+```yaml
+entryPoints:
+  websecure:
+    forwardedHeaders:
+      trustedIPs:
+        - "173.245.48.0/20"  # Rangos de IPs de Cloudflare
+        - "103.21.244.0/22"
+        # ... etc (23 rangos en total)
+```
+
+Esto le dice a Traefik: **"Confía en los headers de IPs que vienen de Cloudflare"**
+
+### ✅ Verificar que funciona
+
+1. **Inicia Traefik:**
+   ```bash
+   docker compose up -d
+   ```
+
+2. **Verifica los logs de acceso:**
+   ```bash
+   docker compose logs traefik | grep "CF-Connecting-IP"
+   ```
+
+3. **Deberías ver la IP real en los logs:**
+   ```json
+   {
+     "ClientAddr": "173.245.48.5:12345",  // IP de Cloudflare
+     "headers": {
+       "CF-Connecting-IP": "187.123.45.67"  // ← IP REAL del visitante
+     }
+   }
+   ```
+
+## 🔍 Leer IP real desde tus aplicaciones
+
+### Node.js / Express
+
+```javascript
+app.get('/', (req, res) => {
+  const realIP = req.headers['cf-connecting-ip']
+                 || req.headers['x-forwarded-for']?.split(',')[0]
+                 || req.connection.remoteAddress;
+
+  console.log('IP real del visitante:', realIP);
+});
+```
+
+### Python / Flask
+
+```python
+from flask import Flask, request
+
+@app.route('/')
+def index():
+    real_ip = request.headers.get('CF-Connecting-IP') \
+              or request.headers.get('X-Forwarded-For', '').split(',')[0] \
+              or request.remote_addr
+
+    print(f'IP real del visitante: {real_ip}')
+```
+
+### Go / Gin
+
+```go
+func handler(c *gin.Context) {
+    realIP := c.GetHeader("CF-Connecting-IP")
+    if realIP == "" {
+        realIP = c.ClientIP()
+    }
+
+    fmt.Printf("IP real del visitante: %s\n", realIP)
+}
+```
+
+### PHP
+
+```php
+<?php
+$real_ip = $_SERVER['HTTP_CF_CONNECTING_IP']
+           ?? explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]
+           ?? $_SERVER['REMOTE_ADDR'];
+
+echo "IP real del visitante: $real_ip";
+```
+
+### Nginx (dentro de contenedor)
+
+Si tienes nginx dentro de un contenedor detrás de Traefik:
+
+```nginx
+server {
+    location / {
+        # Traefik ya pasó los headers, solo léelos
+        set $real_ip $http_cf_connecting_ip;
+
+        # O usa el módulo real_ip
+        real_ip_header CF-Connecting-IP;
+
+        # Loguea la IP real
+        access_log /var/log/nginx/access.log combined;
+    }
+}
+```
+
+## 🛡️ Seguridad
+
+### ¿Por qué confiar solo en IPs de Cloudflare?
+
+La configuración `trustedIPs` es crucial para **evitar IP spoofing**:
+
+❌ **Sin trustedIPs:**
+```
+Atacante envía: X-Forwarded-For: 1.1.1.1
+Traefik cree que la IP real es 1.1.1.1 (FALSO)
+```
+
+✅ **Con trustedIPs (configurado):**
+```
+Si la petición viene de 192.168.1.1 (no es IP de Cloudflare):
+  → Traefik IGNORA el header X-Forwarded-For
+  → Usa la IP de conexión real
+
+Si viene de 173.245.48.5 (IP de Cloudflare):
+  → Traefik CONFÍA en CF-Connecting-IP ✅
+```
+
+### Actualizar rangos de IPs de Cloudflare
+
+Cloudflare publica sus IPs oficiales:
+
+```bash
+# IPv4
+curl https://www.cloudflare.com/ips-v4
+
+# IPv6
+curl https://www.cloudflare.com/ips-v6
+```
+
+Si Cloudflare agrega nuevos rangos, actualiza `traefik/traefik.yml`.
+
+## 🔐 SSL/TLS con Cloudflare
+
+### Opciones de SSL en Cloudflare
+
+En el dashboard de Cloudflare → SSL/TLS, tienes 3 opciones:
+
+1. **Flexible** (❌ No recomendado)
+   - Cloudflare ↔ Cliente: HTTPS ✅
+   - Cloudflare ↔ Traefik: HTTP ❌
+   - Vulnerable a ataques man-in-the-middle
+
+2. **Full** (⚠️ Aceptable)
+   - Cloudflare ↔ Cliente: HTTPS ✅
+   - Cloudflare ↔ Traefik: HTTPS ✅ (autofirmado OK)
+   - Más seguro
+
+3. **Full (Strict)** (✅ Recomendado)
+   - Cloudflare ↔ Cliente: HTTPS ✅
+   - Cloudflare ↔ Traefik: HTTPS con certificado válido ✅
+   - Máxima seguridad
+
+### Tu configuración actual
+
+Con Cloudflare Tunnel apuntando a puerto **443**:
+
+- Cloudflare → Tunnel → Traefik:443 (HTTPS)
+- Traefik puede usar:
+  - **Certificados Let's Encrypt** (ya configurado en `traefik.yml`)
+  - O certificados autofirmados para el túnel
+
+**Recomendación**: Usar **Full** o **Full (Strict)** en Cloudflare.
+
+## 📊 Monitoreo de IPs
+
+### Ver IPs en logs de Traefik
+
+```bash
+# Ver logs en tiempo real con IPs
+docker compose logs -f traefik
+
+# Filtrar solo IPs de Cloudflare
+docker compose logs traefik | grep "CF-Connecting-IP"
+
+# Ver estadísticas de IPs únicas
+docker exec traefik cat /var/log/traefik/access.log | \
+  jq -r '.headers["CF-Connecting-IP"]' | \
+  sort | uniq -c | sort -rn
+```
+
+### Dashboard de Traefik
+
+El dashboard muestra:
+- ❌ IP de Cloudflare (173.245.x.x) en "Client Address"
+- ✅ IP real disponible en logs JSON
+
+## 🧪 Prueba rápida
+
+Después de iniciar Traefik:
+
+```bash
+# 1. Simular petición desde "fuera" (pasando por Cloudflare)
+curl -H "CF-Connecting-IP: 187.123.45.67" \
+     -H "Host: whoami.nucleoriofrio.com" \
+     http://localhost
+
+# 2. Ver los logs y buscar la IP
+docker compose logs traefik | tail -20
+```
+
+## ❓ FAQ
+
+### ¿Necesito certificados SSL si uso Cloudflare?
+
+**Para el tunnel NO** (Cloudflare maneja SSL público), **pero sí es recomendable** para:
+- Seguridad adicional Cloudflare ↔ Traefik
+- Servicios internos
+- Modo Full (Strict) de Cloudflare
+
+### ¿Puedo bloquear acceso directo al puerto 443?
+
+**SÍ, deberías hacerlo**:
+
+```bash
+# Firewall: permitir solo Cloudflare IPs en 443
+sudo ufw allow from 173.245.48.0/20 to any port 443
+sudo ufw allow from 103.21.244.0/22 to any port 443
+# ... agregar todos los rangos
+
+# O usar iptables
+sudo iptables -A INPUT -p tcp --dport 443 -s 173.245.48.0/20 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 443 -j DROP
+```
+
+Esto asegura que **solo Cloudflare** pueda llegar a Traefik.
+
+### ¿Qué pasa si la IP en logs es de Cloudflare?
+
+Verifica:
+
+1. **Headers en logs:** `grep "CF-Connecting-IP" access.log`
+2. **trustedIPs configurado:** Revisa `traefik.yml`
+3. **Cloudflare enviando headers:** Verifica en Cloudflare dashboard
+
+### ¿Los rangos de IP de Cloudflare cambian?
+
+Sí, ocasionalmente. Verifica periódicamente:
+
+```bash
+curl https://www.cloudflare.com/ips-v4
+```
+
+Y actualiza `traefik.yml` si hay cambios.
+
+## 📚 Referencias
+
+- [Cloudflare IP Ranges](https://www.cloudflare.com/ips/)
+- [Traefik ForwardedHeaders](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers)
+- [Cloudflare Headers](https://developers.cloudflare.com/fundamentals/reference/http-request-headers/)
+
+---
+
+**Última actualización**: Octubre 2025
+**Rangos de IP Cloudflare verificados**: Octubre 2025
diff --git a/README.md b/README.md
old mode 100755
new mode 100644
diff --git a/docker-compose.yml b/docker-compose.yml
old mode 100755
new mode 100644
diff --git a/dynamic/middlewares.yml b/dynamic/middlewares.yml
old mode 100755
new mode 100644
diff --git a/examples/existing-service.yml b/examples/existing-service.yml
old mode 100755
new mode 100644
diff --git a/examples/whoami-service.yml b/examples/whoami-service.yml
old mode 100755
new mode 100644
diff --git a/planV1.md b/planV1.md
new file mode 100644
index 0000000..941bd5b
--- /dev/null
+++ b/planV1.md
@@ -0,0 +1,1274 @@
+# Guía de Migración: Nginx Proxy Manager → Traefik
+
+**Fecha**: 5 de Octubre, 2025
+**Servidor**: nucleo002
+**Configuraciones Extraídas**: 18 Proxy Hosts
+
+---
+
+## 📋 Índice
+
+1. [Resumen de Configuraciones NPM](#resumen-de-configuraciones-npm)
+2. [Configuración Base de Traefik](#configuración-base-de-traefik)
+3. [Traducción de Cada Proxy Host](#traducción-de-cada-proxy-host)
+4. [Middlewares Comunes](#middlewares-comunes)
+5. [Certificados SSL](#certificados-ssl)
+6. [Docker Compose Completo](#docker-compose-completo)
+7. [Scripts de Migración](#scripts-de-migración)
+
+---
+
+## 1. Resumen de Configuraciones NPM
+
+### Proxy Hosts Detectados
+
+| ID | Dominio | Backend | Puerto | SSL | Características Especiales |
+|----|---------|---------|--------|-----|----------------------------|
+| 2 | portainer.interno.com | portainer | 9443 | Custom | - |
+| 3 | gitea.interno.com | gitea | 3000 | Custom | - |
+| 4 | geoids.interno.com | geo-ids | 443 | Custom | **Authentik SSO** |
+| 5 | amigos.nucleoriofrio.com | amigos-app | 3001 | Let's Encrypt | **Authentik SSO** (parcial) |
+| 7 | whatsappbot.interno.com | whatsapp-router | 3001 | Custom | - |
+| 8 | conversation-layer.interno.com | - | - | Custom | - |
+| 9 | Nginx.interno.com | npm | 81 | Custom | Admin Panel |
+| 10 | planilla.interno.com | planilla-ui | 80 | Custom | **Multi-location** (/, /api, /mcp, /events) |
+| 11 | nucleobot.interno.com | whatsapp-router | 3001 | Custom | - |
+| 16 | nucleoriofrio.com | z590.interno.com | 3000 | Let's Encrypt | **Custom locations** (/api/chat/stream, /api/chat/) |
+| 17 | musica.interno.com | z590.interno.com | 3000 | Custom | **HTTP/2**, **HMR**, Multiple locations |
+| 18 | musica.nucleoriofrio.com | repodructor | 3000 | Let's Encrypt | Multiple locations, Cache headers |
+| 19 | snatchgame.interno.com | z590.interno.com | 3004 | Custom | **7 locations** (/ws, /colyseus, /api/*) |
+| 20 | snatchgame.nucleoriofrio.com | snatchgame | 2567 | Let's Encrypt | **6 locations**, Asset caching |
+| 21 | duplicati.interno.com | duplicati | - | Custom | - |
+| 22 | internet.nucleoriofrio.com | z590.interno.com | 80 | Let's Encrypt | - |
+| 23 | wifi.nucleoriofrio.com | radiusnucleo-node-1 | - | Let's Encrypt | - |
+
+### Características Globales
+
+- **HSTS**: Habilitado en todos (`max-age=63072000; preload`)
+- **Force SSL**: Mayoría de hosts
+- **Block Exploits**: Todos
+- **WebSocket Support**: Habilitado donde se necesita
+- **HTTP/2**: Solo musica.interno.com
+
+---
+
+## 2. Configuración Base de Traefik
+
+### 2.1 Docker Compose - Traefik
+
+```yaml
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v3.1
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - principal
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"  # Dashboard
+    environment:
+      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}  # Si usas Cloudflare
+      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN}
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/traefik.yml:ro
+      - ./config/:/config/:ro
+      - ./acme.json:/acme.json
+      - ./certificates/:/certificates/:ro
+    labels:
+      - "traefik.enable=true"
+
+      # Dashboard
+      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.interno.com`)"
+      - "traefik.http.routers.traefik-dashboard.entrypoints=https"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
+      - "traefik.http.routers.traefik-dashboard.service=api@internal"
+      - "traefik.http.routers.traefik-dashboard.middlewares=auth@file"
+
+networks:
+  principal:
+    external: true
+```
+
+### 2.2 traefik.yml (Static Configuration)
+
+```yaml
+api:
+  dashboard: true
+  debug: false
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+          permanent: true
+
+  https:
+    address: ":443"
+    http:
+      tls:
+        options: default
+        certResolver: letsencrypt
+        domains:
+          - main: "*.interno.com"
+          - main: "*.nucleoriofrio.com"
+    http2:
+      maxConcurrentStreams: 250
+
+  metrics:
+    address: ":8082"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: principal
+    watch: true
+
+  file:
+    directory: /config
+    watch: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@nucleoriofrio.com
+      storage: /acme.json
+      httpChallenge:
+        entryPoint: http
+      # O para wildcard con DNS challenge:
+      # dnsChallenge:
+      #   provider: cloudflare
+      #   delayBeforeCheck: 0
+
+  custom:
+    acme:
+      tlsChallenge: {}
+      storage: /acme.json
+
+# Global HTTP settings
+serversTransport:
+  insecureSkipVerify: true  # Solo si usas certificados autofirmados en backend
+
+# Logging
+log:
+  level: INFO
+  filePath: /logs/traefik.log
+  format: json
+
+accessLog:
+  filePath: /logs/access.log
+  format: json
+  bufferingSize: 100
+
+# Metrics (opcional)
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    entryPoint: metrics
+```
+
+---
+
+## 3. Traducción de Cada Proxy Host
+
+### 3.1 Portainer (portainer.interno.com)
+
+**NPM Original**:
+- Backend: `portainer:9443` (HTTPS)
+- SSL: Custom certificate
+- Force SSL
+
+**Traefik Labels**:
+
+```yaml
+# En docker-compose del stack portainer
+services:
+  portainer:
+    # ... resto de config
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.interno.com`)"
+      - "traefik.http.routers.portainer.entrypoints=https"
+      - "traefik.http.routers.portainer.tls=true"
+      - "traefik.http.routers.portainer.tls.certresolver=custom"
+
+      - "traefik.http.services.portainer.loadbalancer.server.port=9443"
+      - "traefik.http.services.portainer.loadbalancer.server.scheme=https"
+
+      # Middlewares
+      - "traefik.http.routers.portainer.middlewares=hsts-headers,block-exploits"
+    networks:
+      - principal
+```
+
+---
+
+### 3.2 Gitea (gitea.interno.com)
+
+**NPM Original**:
+- Backend: `gitea:3000` (HTTP)
+- SSL: Custom
+- No Force SSL
+
+**Traefik Labels**:
+
+```yaml
+services:
+  gitea:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitea.rule=Host(`gitea.interno.com`)"
+      - "traefik.http.routers.gitea.entrypoints=https"
+      - "traefik.http.routers.gitea.tls=true"
+      - "traefik.http.routers.gitea.tls.certresolver=custom"
+
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+
+      - "traefik.http.routers.gitea.middlewares=hsts-headers,block-exploits"
+    networks:
+      - principal
+```
+
+---
+
+### 3.3 GeoIDs con Authentik SSO (geoids.interno.com)
+
+**NPM Original**:
+- Backend: `geo-ids:443` (HTTPS)
+- Auth: Authentik via `auth_request`
+- WebSocket support
+- Custom buffers
+
+**Traefik Labels + Middleware File**:
+
+```yaml
+services:
+  geo-ids:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.geoids.rule=Host(`geoids.interno.com`)"
+      - "traefik.http.routers.geoids.entrypoints=https"
+      - "traefik.http.routers.geoids.tls=true"
+      - "traefik.http.routers.geoids.tls.certresolver=custom"
+
+      - "traefik.http.services.geoids.loadbalancer.server.port=443"
+      - "traefik.http.services.geoids.loadbalancer.server.scheme=https"
+
+      # Middlewares (orden importa!)
+      - "traefik.http.routers.geoids.middlewares=authentik-geoids@file,hsts-headers,websocket-headers"
+    networks:
+      - principal
+```
+
+**Middleware File** (`/config/middlewares-authentik.yml`):
+
+```yaml
+http:
+  middlewares:
+    authentik-geoids:
+      forwardAuth:
+        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/nginx"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-authentik-username"
+          - "X-authentik-groups"
+          - "X-authentik-email"
+          - "X-authentik-name"
+          - "X-authentik-uid"
+          - "Set-Cookie"
+```
+
+---
+
+### 3.4 Planilla Multi-Location (planilla.interno.com)
+
+**NPM Original**:
+- `/` → `planilla-ui:80`
+- `/api` → `planilla-api:4000`
+- `/mcp` → `planilla-mcp:5000`
+- `/events` → `planilla-api:4000`
+- WebSocket en todos
+
+**Traefik Dynamic Config** (`/config/planilla.yml`):
+
+```yaml
+http:
+  routers:
+    planilla-ui:
+      rule: "Host(`planilla.interno.com`)"
+      entryPoints:
+        - https
+      service: planilla-ui-svc
+      middlewares:
+        - hsts-headers
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 1
+
+    planilla-api:
+      rule: "Host(`planilla.interno.com`) && PathPrefix(`/api`)"
+      entryPoints:
+        - https
+      service: planilla-api-svc
+      middlewares:
+        - hsts-headers
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 10
+
+    planilla-mcp:
+      rule: "Host(`planilla.interno.com`) && PathPrefix(`/mcp`)"
+      entryPoints:
+        - https
+      service: planilla-mcp-svc
+      middlewares:
+        - hsts-headers
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 10
+
+    planilla-events:
+      rule: "Host(`planilla.interno.com`) && PathPrefix(`/events`)"
+      entryPoints:
+        - https
+      service: planilla-api-svc  # Mismo que /api
+      middlewares:
+        - hsts-headers
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 10
+
+  services:
+    planilla-ui-svc:
+      loadBalancer:
+        servers:
+          - url: "http://planilla-ui:80"
+
+    planilla-api-svc:
+      loadBalancer:
+        servers:
+          - url: "http://planilla-api:4000"
+
+    planilla-mcp-svc:
+      loadBalancer:
+        servers:
+          - url: "http://planilla-mcp:5000"
+```
+
+---
+
+### 3.5 Música con HMR (musica.interno.com)
+
+**NPM Original**:
+- HTTP/2: ON
+- Multiple locations: `/_nuxt/`, `/__nuxt_devtools__/`, `/api/`
+- WebSocket para HMR
+- Proxy buffering OFF
+- Large client body
+
+**Traefik Config** (`/config/musica.yml`):
+
+```yaml
+http:
+  routers:
+    musica-nuxt:
+      rule: "Host(`musica.interno.com`) && PathPrefix(`/_nuxt/`)"
+      entryPoints:
+        - https
+      service: musica-z590-svc
+      middlewares:
+        - websocket-headers
+        - no-buffering
+      tls:
+        certResolver: custom
+      priority: 20
+
+    musica-devtools:
+      rule: "Host(`musica.interno.com`) && PathPrefix(`/__nuxt_devtools__/`)"
+      entryPoints:
+        - https
+      service: musica-z590-svc
+      middlewares:
+        - websocket-headers
+        - no-buffering
+      tls:
+        certResolver: custom
+      priority: 20
+
+    musica-api:
+      rule: "Host(`musica.interno.com`) && PathPrefix(`/api/`)"
+      entryPoints:
+        - https
+      service: musica-z590-svc
+      middlewares:
+        - no-buffering
+        - large-timeout
+      tls:
+        certResolver: custom
+      priority: 15
+
+    musica-root:
+      rule: "Host(`musica.interno.com`)"
+      entryPoints:
+        - https
+      service: musica-z590-svc
+      middlewares:
+        - hsts-headers
+      tls:
+        certResolver: custom
+      priority: 1
+
+  services:
+    musica-z590-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.87.135:3000"  # z590.interno.com
+        passHostHeader: true
+
+  middlewares:
+    no-buffering:
+      buffering:
+        maxRequestBodyBytes: 104857600  # 100MB
+        memRequestBodyBytes: 104857600
+        maxResponseBodyBytes: 0  # Sin límite
+        memResponseBodyBytes: 0
+        retryExpression: "IsNetworkError() && Attempts() < 2"
+
+    large-timeout:
+      buffering:
+        maxRequestBodyBytes: 104857600
+      # Los timeouts se configuran en service o entrypoint
+```
+
+---
+
+### 3.6 SnatchGame Complejo (snatchgame.interno.com)
+
+**NPM Original**:
+- 7 locations diferentes
+- WebSocket en todos
+- Asset caching
+
+**Traefik Config** (`/config/snatchgame.yml`):
+
+```yaml
+http:
+  routers:
+    snatch-ws:
+      rule: "Host(`snatchgame.interno.com`) && PathPrefix(`/ws`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - websocket-headers
+        - asset-cache
+      tls:
+        certResolver: custom
+      priority: 30
+
+    snatch-colyseus:
+      rule: "Host(`snatchgame.interno.com`) && PathPrefix(`/colyseus`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - websocket-headers
+        - asset-cache
+      tls:
+        certResolver: custom
+      priority: 25
+
+    snatch-api-stream:
+      rule: "Host(`snatchgame.interno.com`) && Path(`/api/dashboard-stream`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 40
+
+    snatch-api-uuids-stream:
+      rule: "Host(`snatchgame.interno.com`) && Path(`/api/uuids-stream`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - websocket-headers
+      tls:
+        certResolver: custom
+      priority: 40
+
+    snatch-api-admin:
+      rule: "Host(`snatchgame.interno.com`) && PathPrefix(`/api/admin/`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - asset-cache
+      tls:
+        certResolver: custom
+      priority: 35
+
+    snatch-api-wildcard:
+      rule: "Host(`snatchgame.interno.com`) && PathRegexp(`^/api/.*`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - asset-cache
+      tls:
+        certResolver: custom
+      priority: 20
+
+    snatch-root:
+      rule: "Host(`snatchgame.interno.com`)"
+      entryPoints:
+        - https
+      service: snatch-z590-svc
+      middlewares:
+        - hsts-headers
+        - asset-cache
+      tls:
+        certResolver: custom
+      priority: 1
+
+  services:
+    snatch-z590-svc:
+      loadBalancer:
+        servers:
+          - url: "http://z590.interno.com:3004"
+```
+
+---
+
+### 3.7 Nucleoriofrio.com con API Chat
+
+**NPM Original**:
+- `/api/chat/stream` → Streaming con buffering OFF
+- `/api/chat/` → API normal
+- CORS headers
+- Large timeouts
+
+**Traefik Config** (`/config/nucleoriofrio.yml`):
+
+```yaml
+http:
+  routers:
+    nucleo-chat-stream:
+      rule: "Host(`nucleoriofrio.com`) && Path(`/api/chat/stream`)"
+      entryPoints:
+        - https
+      service: nucleo-z590-alt-svc
+      middlewares:
+        - no-buffering
+        - cors-permissive
+        - large-timeout
+      tls:
+        certResolver: letsencrypt
+      priority: 50
+
+    nucleo-chat-api:
+      rule: "Host(`nucleoriofrio.com`) && PathPrefix(`/api/chat/`)"
+      entryPoints:
+        - https
+      service: nucleo-z590-alt-svc
+      middlewares:
+        - cors-permissive
+      tls:
+        certResolver: letsencrypt
+      priority: 40
+
+    nucleo-root:
+      rule: "Host(`nucleoriofrio.com`)"
+      entryPoints:
+        - https
+      service: nucleo-z590-svc
+      middlewares:
+        - hsts-headers
+      tls:
+        certResolver: letsencrypt
+      priority: 1
+
+  services:
+    nucleo-z590-svc:
+      loadBalancer:
+        servers:
+          - url: "https://z590.interno.com:3000"
+
+    nucleo-z590-alt-svc:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.87.135:3000"
+
+  middlewares:
+    cors-permissive:
+      headers:
+        accessControlAllowOriginList:
+          - "*"
+        accessControlAllowMethods:
+          - "GET"
+          - "POST"
+          - "OPTIONS"
+        accessControlAllowHeaders:
+          - "Accept"
+          - "Authorization"
+          - "Cache-Control"
+          - "Content-Type"
+          - "DNT"
+          - "If-Modified-Since"
+          - "Keep-Alive"
+          - "Origin"
+          - "User-Agent"
+          - "X-Requested-With"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+```
+
+---
+
+### 3.8 Música Pública (musica.nucleoriofrio.com)
+
+**NPM Original**:
+- Multiple locations con diferentes propósitos
+- Caching de assets
+- Security headers
+- Streaming optimizations
+
+**Traefik Config** (`/config/musica-public.yml`):
+
+```yaml
+http:
+  routers:
+    musica-pub-nuxt:
+      rule: "Host(`musica.nucleoriofrio.com`) && PathPrefix(`/_nuxt/`)"
+      entryPoints:
+        - https
+      service: repodructor-svc
+      middlewares:
+        - asset-cache-long
+      tls:
+        certResolver: letsencrypt
+      priority: 30
+
+    musica-pub-music:
+      rule: "Host(`musica.nucleoriofrio.com`) && PathPrefix(`/music/`)"
+      entryPoints:
+        - https
+      service: repodructor-svc
+      middlewares:
+        - no-buffering
+        - music-streaming
+        - music-cache
+      tls:
+        certResolver: letsencrypt
+      priority: 25
+
+    musica-pub-api:
+      rule: "Host(`musica.nucleoriofrio.com`) && PathPrefix(`/api/`)"
+      entryPoints:
+        - https
+      service: repodructor-svc
+      middlewares:
+        - api-timeout
+      tls:
+        certResolver: letsencrypt
+      priority: 20
+
+    musica-pub-root:
+      rule: "Host(`musica.nucleoriofrio.com`)"
+      entryPoints:
+        - https
+      service: repodructor-svc
+      middlewares:
+        - hsts-headers
+        - security-headers
+      tls:
+        certResolver: letsencrypt
+      priority: 1
+
+  services:
+    repodructor-svc:
+      loadBalancer:
+        servers:
+          - url: "http://repodructor:3000"
+
+  middlewares:
+    asset-cache-long:
+      headers:
+        customResponseHeaders:
+          Cache-Control: "public, max-age=31536000, immutable"
+
+    music-cache:
+      headers:
+        customResponseHeaders:
+          Cache-Control: "public, max-age=3600"
+
+    music-streaming:
+      buffering:
+        maxRequestBodyBytes: 0  # Sin límite
+        memRequestBodyBytes: 0
+        maxResponseBodyBytes: 0
+        memResponseBodyBytes: 0
+
+    api-timeout:
+      buffering:
+        maxRequestBodyBytes: 10485760  # 10MB
+
+    security-headers:
+      headers:
+        customResponseHeaders:
+          X-Frame-Options: "SAMEORIGIN"
+          X-Content-Type-Options: "nosniff"
+          X-XSS-Protection: "1; mode=block"
+```
+
+---
+
+## 4. Middlewares Comunes
+
+### 4.1 Archivo de Middlewares Globales (`/config/middlewares.yml`)
+
+```yaml
+http:
+  middlewares:
+    # HSTS Headers
+    hsts-headers:
+      headers:
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+
+    # WebSocket Support
+    websocket-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        customResponseHeaders:
+          Upgrade: "$http_upgrade"
+          Connection: "$http_connection"
+
+    # Block Common Exploits
+    block-exploits:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        frameDeny: true
+        customFrameOptionsValue: "SAMEORIGIN"
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.0.0/16"
+          - "172.16.0.0/12"
+          - "10.0.0.0/8"
+
+    # Asset Caching
+    asset-cache:
+      headers:
+        customResponseHeaders:
+          Cache-Control: "public, max-age=86400"
+
+    # Security Headers Strict
+    security-strict:
+      headers:
+        sslRedirect: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+
+    # Rate Limiting
+    rate-limit:
+      rateLimit:
+        average: 100
+        burst: 200
+        period: 1m
+
+    # Basic Auth (ejemplo)
+    auth-basic:
+      basicAuth:
+        users:
+          - "admin:$apr1$..." # htpasswd hash
+        removeHeader: true
+
+    # IP Whitelist (ejemplo para admin panels)
+    admin-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "192.168.87.0/24"
+          - "172.19.0.0/16"
+
+    # Compress
+    compress:
+      compress: {}
+
+    # Strip Prefix (útil para algunos backends)
+    strip-api-prefix:
+      stripPrefix:
+        prefixes:
+          - "/api"
+        forceSlash: false
+
+    # Redirect Scheme (HTTP → HTTPS)
+    redirect-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    # Custom Headers for Backend
+    backend-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Scheme: "https"
+          X-Real-IP: ""  # Traefik lo rellena automáticamente
+          X-Forwarded-For: ""
+```
+
+---
+
+## 5. Certificados SSL
+
+### 5.1 Certificado Custom (*.interno.com)
+
+**Opción A: Usar el certificado autofirmado existente**
+
+```yaml
+# En /config/tls.yml
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certificates/interno.com/fullchain.pem
+        keyFile: /certificates/interno.com/privkey.pem
+
+  certificates:
+    - certFile: /certificates/interno.com/fullchain.pem
+      keyFile: /certificates/interno.com/privkey.pem
+      stores:
+        - default
+```
+
+Copiar certificados:
+```bash
+mkdir -p /srv/traefik/certificates/interno.com
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/fullchain.pem \
+   /srv/traefik/certificates/interno.com/
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/privkey.pem \
+   /srv/traefik/certificates/interno.com/
+```
+
+### 5.2 Let's Encrypt (*.nucleoriofrio.com)
+
+Ya configurado en `traefik.yml`:
+
+```yaml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@nucleoriofrio.com
+      storage: /acme.json
+      httpChallenge:
+        entryPoint: http
+```
+
+Para wildcard con DNS Challenge (Cloudflare):
+
+```yaml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@nucleoriofrio.com
+      storage: /acme.json
+      dnsChallenge:
+        provider: cloudflare
+        delayBeforeCheck: 10
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+```
+
+Variables de entorno necesarias:
+```bash
+CF_DNS_API_TOKEN=your_cloudflare_token
+CF_ZONE_API_TOKEN=your_zone_token
+```
+
+---
+
+## 6. Docker Compose Completo
+
+### 6.1 Stack Traefik Principal
+
+```yaml
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v3.1
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - principal
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"  # Dashboard (cambiar puerto si hay conflicto)
+    environment:
+      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
+      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN}
+      - TZ=America/Argentina/Buenos_Aires
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/traefik.yml:ro
+      - ./config/:/config/:ro
+      - ./acme.json:/acme.json
+      - ./certificates/:/certificates/:ro
+      - ./logs/:/logs/
+    labels:
+      - "traefik.enable=true"
+
+      # Dashboard
+      - "traefik.http.routers.dashboard.rule=Host(`traefik.interno.com`)"
+      - "traefik.http.routers.dashboard.entrypoints=https"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=custom"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.middlewares=admin-whitelist"
+
+networks:
+  principal:
+    external: true
+```
+
+### 6.2 Estructura de Directorios
+
+```
+/srv/traefik/
+├── traefik.yml                 # Config estática
+├── acme.json                   # Certificados LE (chmod 600)
+├── docker-compose.yml
+├── .env
+├── config/
+│   ├── middlewares.yml         # Middlewares globales
+│   ├── middlewares-authentik.yml
+│   ├── tls.yml                 # Certificados custom
+│   ├── planilla.yml            # Config dinámica planilla
+│   ├── musica.yml
+│   ├── snatchgame.yml
+│   ├── nucleoriofrio.yml
+│   └── musica-public.yml
+├── certificates/
+│   └── interno.com/
+│       ├── fullchain.pem
+│       └── privkey.pem
+└── logs/
+    ├── traefik.log
+    └── access.log
+```
+
+### 6.3 Preparación
+
+```bash
+# Crear estructura
+mkdir -p /srv/traefik/{config,certificates/interno.com,logs}
+
+# Crear acme.json
+touch /srv/traefik/acme.json
+chmod 600 /srv/traefik/acme.json
+
+# Copiar certificados
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/fullchain.pem \
+   /srv/traefik/certificates/interno.com/
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/privkey.pem \
+   /srv/traefik/certificates/interno.com/
+
+# Crear archivos de config
+touch /srv/traefik/traefik.yml
+touch /srv/traefik/config/{middlewares,tls,planilla,musica,snatchgame}.yml
+```
+
+---
+
+## 7. Scripts de Migración
+
+### 7.1 Script de Pre-Migración
+
+```bash
+#!/bin/bash
+# pre-migration.sh
+
+set -e
+
+echo "🔍 Pre-Migration Checklist para Traefik"
+
+# Backup de NPM
+echo "📦 Backing up NPM configs..."
+mkdir -p /srv/backups/npm-$(date +%Y%m%d)
+cp -r /srv/nginx-proxy-manager/data/nginx /srv/backups/npm-$(date +%Y%m%d)/
+cp -r /srv/nginx-proxy-manager/data/custom_ssl /srv/backups/npm-$(date +%Y%m%d)/
+
+# Verificar red principal
+echo "🌐 Verificando red principal..."
+docker network inspect principal > /dev/null 2>&1 || {
+    echo "❌ Red 'principal' no existe"
+    exit 1
+}
+
+# Verificar contenedores backend
+echo "🔍 Verificando backends..."
+backends=(
+    "portainer"
+    "gitea"
+    "geo-ids"
+    "planilla-ui"
+    "planilla-api"
+    "planilla-mcp"
+    "whatsapp-router"
+    "repodructor"
+    "amigos-app"
+    "duplicati"
+    "radiusnucleo-node-1"
+)
+
+for backend in "${backends[@]}"; do
+    docker ps --filter "name=$backend" --format "{{.Names}}" | grep -q "$backend" || {
+        echo "⚠️  Backend '$backend' no encontrado o detenido"
+    }
+done
+
+# Crear estructura Traefik
+echo "📁 Creando estructura de directorios..."
+mkdir -p /srv/traefik/{config,certificates/interno.com,logs}
+touch /srv/traefik/acme.json
+chmod 600 /srv/traefik/acme.json
+
+# Copiar certificados
+echo "🔐 Copiando certificados SSL..."
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/fullchain.pem \
+   /srv/traefik/certificates/interno.com/
+cp /srv/nginx-proxy-manager/data/custom_ssl/npm-1/privkey.pem \
+   /srv/traefik/certificates/interno.com/
+
+echo "✅ Pre-migration completa"
+echo ""
+echo "Próximos pasos:"
+echo "1. Crear archivos de configuración de Traefik"
+echo "2. Actualizar labels en docker-compose de cada stack"
+echo "3. Ejecutar migration.sh"
+```
+
+### 7.2 Script de Migración
+
+```bash
+#!/bin/bash
+# migration.sh
+
+set -e
+
+echo "🚀 Iniciando migración NPM → Traefik"
+
+# Detener NPM
+echo "🛑 Deteniendo NPM..."
+cd /srv/nginx-proxy-manager
+docker-compose down
+
+# Levantar Traefik
+echo "🚀 Levantando Traefik..."
+cd /srv/traefik
+docker-compose up -d
+
+# Esperar a que Traefik esté listo
+echo "⏳ Esperando a que Traefik esté listo..."
+sleep 10
+
+# Verificar Traefik
+echo "✅ Verificando Traefik..."
+docker logs traefik --tail 50
+
+# Verificar dashboard
+echo "🌐 Dashboard disponible en: https://traefik.interno.com"
+
+# Restart de cada stack para aplicar labels
+echo "🔄 Reiniciando stacks con nuevas labels..."
+stacks=(
+    "/srv/gitea"
+    "/srv/planilla"
+    "/srv/conversation-layer"
+    # ... más stacks
+)
+
+for stack in "${stacks[@]}"; do
+    if [ -d "$stack" ]; then
+        echo "   Reiniciando $stack..."
+        cd "$stack"
+        docker-compose up -d --force-recreate
+    fi
+done
+
+echo "✅ Migración completa!"
+echo ""
+echo "Verificar:"
+echo "1. Dashboard Traefik: https://traefik.interno.com"
+echo "2. Logs: docker logs traefik -f"
+echo "3. Probar cada dominio manualmente"
+```
+
+### 7.3 Script de Rollback
+
+```bash
+#!/bin/bash
+# rollback.sh
+
+set -e
+
+echo "⏪ Rollback a NPM"
+
+# Detener Traefik
+echo "🛑 Deteniendo Traefik..."
+cd /srv/traefik
+docker-compose down
+
+# Levantar NPM
+echo "🚀 Levantando NPM..."
+cd /srv/nginx-proxy-manager
+docker-compose up -d
+
+echo "✅ Rollback completo"
+echo "NPM disponible en: http://Nginx.interno.com:81"
+```
+
+### 7.4 Script de Verificación
+
+```bash
+#!/bin/bash
+# verify-migration.sh
+
+domains=(
+    "portainer.interno.com"
+    "gitea.interno.com"
+    "geoids.interno.com"
+    "planilla.interno.com"
+    "musica.interno.com"
+    "nucleoriofrio.com"
+    "snatchgame.interno.com"
+    "amigos.nucleoriofrio.com"
+)
+
+echo "🔍 Verificando dominios..."
+
+for domain in "${domains[@]}"; do
+    echo -n "Testing $domain... "
+    if curl -skI "https://$domain" | head -1 | grep -q "200\|301\|302"; then
+        echo "✅ OK"
+    else
+        echo "❌ FAIL"
+    fi
+done
+
+echo ""
+echo "Verificar manualmente:"
+echo "1. Autenticación Authentik en geoids.interno.com"
+echo "2. WebSocket en musica.interno.com"
+echo "3. Multi-location en planilla.interno.com"
+echo "4. API streaming en nucleoriofrio.com/api/chat/stream"
+```
+
+---
+
+## 8. Tabla de Mapeo Completa
+
+### NPM → Traefik Equivalencias
+
+| Característica NPM | Equivalente Traefik |
+|-------------------|---------------------|
+| `proxy_pass` | `service.loadBalancer.server.url` |
+| `server_name` | `router.rule=Host(...)` |
+| `location /path` | `router.rule=PathPrefix(...)` + `priority` |
+| `proxy_set_header` | `middleware.headers.customRequestHeaders` |
+| `add_header` | `middleware.headers.customResponseHeaders` |
+| `auth_request` | `middleware.forwardAuth` |
+| `ssl_certificate` | `tls.certificates` o `tls.certResolver` |
+| `include force-ssl.conf` | `entrypoint.http.redirections` |
+| `proxy_buffering off` | `middleware.buffering` |
+| `client_max_body_size` | `middleware.buffering.maxRequestBodyBytes` |
+| `proxy_read_timeout` | `service.loadBalancer.responseForwarding.timeout` |
+| `upstream` con múltiples IPs | `service.loadBalancer.servers` (array) |
+| `map` para variables | Middlewares condicionales o dynamic config |
+| `if` statements | No soportado directamente, usar priorities |
+| `limit_req` | `middleware.rateLimit` |
+| `access_log` | `accessLog` en traefik.yml |
+| `error_log` | `log` en traefik.yml |
+
+---
+
+## 9. Checklist de Migración
+
+### Antes de Migrar
+
+- [ ] Backup completo de NPM configs
+- [ ] Backup de base de datos de NPM
+- [ ] Copiar certificados SSL
+- [ ] Verificar que todos los backends están en red `principal`
+- [ ] Documentar configuraciones custom
+
+### Durante la Migración
+
+- [ ] Crear estructura de directorios de Traefik
+- [ ] Configurar `traefik.yml`
+- [ ] Crear middlewares comunes
+- [ ] Crear configs dinámicas por servicio
+- [ ] Actualizar docker-compose de cada stack con labels
+- [ ] Detener NPM
+- [ ] Levantar Traefik
+- [ ] Verificar dashboard de Traefik
+
+### Después de Migrar
+
+- [ ] Probar cada dominio manualmente
+- [ ] Verificar certificados SSL
+- [ ] Verificar autenticación Authentik
+- [ ] Verificar WebSockets
+- [ ] Verificar multi-location routing
+- [ ] Verificar streaming endpoints
+- [ ] Monitorear logs de Traefik
+- [ ] Configurar alertas (opcional)
+- [ ] Actualizar documentación
+
+### En Caso de Problemas
+
+- [ ] Rollback a NPM
+- [ ] Revisar logs de Traefik
+- [ ] Verificar conectividad de red
+- [ ] Verificar resolución DNS interna
+- [ ] Verificar permisos de certificados
+
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
old mode 100755
new mode 100644