# 2025-02-25

http:
  routers:
    # Panel UI. Bound to the `https` entryPoint only, so this router never
    # receives a plain-HTTP request.
    # NOTE(review): the `httpsredirect` middleware reached through
    # `standard@file` therefore has nothing to redirect on this router; an
    # HTTP->HTTPS redirect has to be configured on the HTTP entryPoint
    # (static config, not visible here) - confirm one exists.
    panel:
      rule: 'Host(`panel.domain.com`)'
      entryPoints:
        - https
      tls:
        certResolver: letsencrypt
      # Applied in list order: CORS headers first, then the shared chain.
      middlewares:
        - corsall@file
        - standard@file
      service: panel@file

    # Node host. Same entryPoint, TLS resolver and middleware stack as the
    # panel router; only the Host rule and the upstream service differ.
    node:
      rule: 'Host(`node.domain.com`)'
      entryPoints:
        - https
      tls:
        certResolver: letsencrypt
      middlewares:
        - corsall@file
        - standard@file
      service: node@file

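  services:
    # Both upstreams are addressed with http://, so TLS terminates at Traefik
    # and the hop to the VM is unencrypted.
    # NOTE(review): this is only acceptable if that hop stays on a trusted
    # segment and the VM ports accept connections from Traefik alone; a
    # client that can reach the VM ports directly bypasses every middleware
    # in this file - confirm the firewalling.
    panel:
      loadBalancer:
        servers:
          - url: "http://[REDACTED: VM_IP]:[REDACTED: VM_PORT_PANEL]"
    node:
      loadBalancer:
        servers:
          # Redaction marker spelling aligned with the other placeholders
          # (was "REDACTER").
          - url: "http://[REDACTED: VM_IP]:[REDACTED: VM_PORT_WINGS_HTTP]"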

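  middlewares:

    # CORS policy attached to both routers.
    #
    # Allowed origins are pinned to the panel's origin instead of "*".
    # A wildcard origin list together with a static
    # `Access-Control-Allow-Origin: "*"` response header lets any website
    # read responses from these hosts, and browsers refuse credentialed
    # requests answered with "*", so it never combined correctly with
    # accessControlAllowCredentials: true. List every additional front-end
    # origin explicitly if others legitimately call these hosts.
    corsall:
      headers:
        customRequestHeaders:
          # NOTE(review): Access-Control-Allow-* are response headers; sent
          # upstream they have no CORS effect. "origin-list-or-null" looks
          # like placeholder text from the CORS grammar - candidate for
          # removal once the backend is confirmed not to read it.
          Access-Control-Allow-Origin: origin-list-or-null
          # NOTE(review): overwrites the browser-supplied Fetch Metadata
          # value, so the backend sees every request as cross-site and
          # cannot use the header to tell same-origin traffic apart.
          Sec-Fetch-Site: cross-site
          X-Forwarded-Proto: https
          Access-Control-Allow-Headers: "*, Authorization"
        customResponseHeaders:
          # Access-Control-Allow-Origin is deliberately not set statically:
          # the middleware derives it per request from
          # accessControlAllowOriginList below.
          # Sec-Fetch-Site and X-Forwarded-Proto are request headers; on a
          # response they are informational at most.
          Sec-Fetch-Site: cross-site
          X-Forwarded-Proto: https
          Access-Control-Allow-Headers: "*, Authorization"
        accessControlAllowMethods:
          - OPTIONS
          - POST
          - GET
          - PUT
          - DELETE
          - PATCH
        # "Authorization" is named explicitly because the "*" wildcard does
        # not cover it, and with credentials enabled browsers treat "*"
        # as a literal header name.
        accessControlAllowHeaders:
          - "*, Authorization"
        accessControlExposeHeaders:
          - "*, Authorization"
        # Preflight cache lifetime in seconds.
        accessControlMaxAge: 100
        # Vary: Origin keeps shared caches from serving one origin's CORS
        # response to another.
        addVaryHeader: true
        accessControlAllowCredentials: true
        accessControlAllowOriginList:
          - "https://panel.domain.com"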

    # Content-Type middleware with an empty configuration.
    # NOTE(review): what an empty block means differs between Traefik major
    # versions (auto-detection on vs. off) - confirm against the deployed
    # version. If it enables detection, Traefik guesses a Content-Type for
    # responses that lack one, which matters together with the
    # X-Content-Type-Options handling in the `security` middleware.
    autodetect:
      ContentType: {}

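    # Response compression. Bodies of 64 bytes or more are compressed unless
    # their Content-Type is listed below; the list is mostly formats that are
    # already compressed, plus event streams and JSON.
    # Duplicate entries (image/svg+xml, audio/x-wav) were removed; the
    # effective exclusion set is unchanged.
    # NOTE(review): text/html is still compressed. Compressing pages that
    # carry secrets next to request-reflected content is the precondition for
    # compression side-channel (BREACH-class) leaks - confirm the backends
    # use per-request CSRF tokens or do not reflect input on such pages.
    compress:
      compress:
        minResponseBodyBytes: 64
        excludedContentTypes:
          - text/event-stream
          - image/gif
          - image/jpeg
          - image/pjpeg
          - image/png
          - image/svg+xml
          - image/webp
          - image/vnd.microsoft.icon
          - image/vnd.djvu
          - audio/wave
          - audio/wav
          - audio/x-wav
          - audio/x-pn-wav
          - audio/webm
          - audio/ogg
          - audio/mpeg
          - audio/x-ms-wma
          - audio/vnd.rn-realaudio
          - video/webm
          - video/ogg
          - video/mpeg
          - video/mp4
          - video/quicktime
          - video/x-ms-wmv
          - video/x-msvideo
          - video/x-flv
          # NOTE(review): probably a typo for video/webm, which is already
          # listed above - confirm and drop.
          - video/web
          - application/ogg
          - application/octet-stream
          - application/pdf
          - application/x-shockwave-flash
          - application/zip
          - application/json
          # NOTE(review): not a type/subtype pair; presumably never matches
          # a real Content-Type - confirm and drop.
          - media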

    # Redirects a request to the same URL with the https scheme.
    # `permanent` is not set, so the redirect is not marked permanent.
    # NOTE(review): both routers in this file listen on the `https`
    # entryPoint only, so through them this middleware never sees an http
    # request; the redirect that protects users has to sit on the HTTP
    # entryPoint - confirm in the static configuration.
    httpsredirect:
      redirectScheme:
        scheme: https

    # Request rate limit: `average` requests per period with bursts up to
    # `burst`. No `period` is given, so the middleware default applies.
    # No `sourceCriterion` is set, so requests are grouped by the default
    # source (the connection's remote address).
    # NOTE(review): if a CDN or another proxy sits in front of Traefik, all
    # users share one bucket unless an ipStrategy is configured - confirm.
    # NOTE(review): these values bound request floods, not credential
    # guessing; login throttling or lockout must come from the application.
    ratelimit:
      rateLimit:
        average: 128
        burst: 256

    # Baseline browser-facing headers: framing policy, HSTS and Alt-Svc.
    defaults:
      headers:
        # customFrameOptionsValue takes precedence over frameDeny, so the
        # response carries X-Frame-Options: SAMEORIGIN.
        # The CSP frame-ancestors directive in the `csp` middleware overrides
        # this header in browsers that support it - keep the two consistent.
        frameDeny: false
        customFrameOptionsValue: SAMEORIGIN
        # X-XSS-Protection is not added (the header is obsolete in current
        # browsers).
        browserXssFilter: false
        # HSTS: 15552000 s = 180 days, applied to all subdomains, with the
        # preload directive, and forced even when the request is not seen
        # as TLS.
        # NOTE(review): the public preload list asks for a max-age of at
        # least one year (31536000); with 180 days the `preload` directive
        # does not qualify the domain. Either raise stsSeconds or drop
        # stsPreload. includeSubDomains + preload also commits every
        # subdomain of the registered domain to HTTPS - confirm that holds.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        # NOTE(review): Alt-Svc is a response header; the request-side copy
        # presumably has no effect on the backend.
        customRequestheaders:
          Alt-Svc: "h3=':443'; ma=86400"
        # Advertises HTTP/3 on port 443 for one day.
        # NOTE(review): only useful if HTTP/3 is enabled on the entryPoint
        # in the static configuration - confirm.
        customResponseHeaders:
          Alt-Svc: "h3=':443'; ma=86400"

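    # Content-Security-Policy sent on every response that passes the chain.
    # The value is one double-quoted scalar; each trailing backslash joins
    # the next line, so the header is a single ';'-separated string.
    #
    # frame-ancestors is limited to 'self' and *.domain.com. It previously
    # also listed https: and http:, which allowed any site to frame these
    # pages and, in browsers that honour frame-ancestors, overrode the
    # X-Frame-Options: SAMEORIGIN set by the `defaults` middleware.
    #
    # NOTE(review): every fetch directive allows 'unsafe-inline',
    # 'unsafe-eval' and any http:/https: host, so the policy does not
    # restrict script injection or data exfiltration in practice. The
    # 'unsafe-*' keywords have no meaning outside script/style directives.
    # Tighten per application (nonces or hashes for scripts, explicit hosts,
    # object-src 'none') once the required sources are known.
    csp:
      headers:
        contentsecuritypolicy: "\
          connect-src     'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          script-src             'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          style-src       'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          img-src         'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          font-src        'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          frame-src       'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          child-src       'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          media-src       'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          object-src      'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          default-src     'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
          frame-ancestors 'self' *.domain.com;\
          "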

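    # Additional security headers.
    #
    # X-Content-Type-Options is now emitted as "nosniff" through
    # contentTypeNosniff. The response-side entry with an empty value removed
    # the header, including any "nosniff" the backend had set, which
    # re-enabled MIME sniffing in browsers.
    # NOTE(review): with nosniff, scripts and stylesheets served with a wrong
    # Content-Type stop loading - verify the backends' MIME types (and the
    # behaviour of the `autodetect` middleware) after deploying.
    security:
      headers:
        customRequestheaders:
          # NOTE(review): X-Content-Type-Options is a response header;
          # stripping it from requests presumably has no effect.
          X-Content-Type-Options: ""
          # Forces the forwarded scheme to https for the backend; the routers
          # in this file are https-only, so this matches the real scheme.
          X-Forwarded-Proto: https
        customResponseHeaders:
          # NOTE(review): some feature names here (e.g. vibrate,
          # notifications, push) may not be recognised Permissions-Policy
          # features; browsers ignore unknown ones - verify the list.
          Permissions-Policy: "fullscreen=(*), display-capture=(self), accelerometer=(), battery=(), camera=(), autoplay=(self), vibrate=(self), geolocation=(self), midi=(self), notifications=(*), push=(*), microphone=(self), magnetometer=(self), gyroscope=(self), payment=(self)"
          X-Forwarded-Proto: https
          X-Permitted-Cross-Domain-Policies: "none"
        contentTypeNosniff: true
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: strict-origin-when-cross-origin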

    # Removes backend response headers: an empty value deletes the header.
    # Server and X-Powered-By disclose software and versions; the X-Cache*
    # entries disclose caching internals.
    # This reduces fingerprinting only; it is not a substitute for patching
    # the software those headers would have named.
    manageheaders:
      headers:
        customResponseHeaders:
          Server: ""
          X-Powered-By: ""
          Pragma: ""
          X-Cacheable: ""
          X-Cache: ""
          X-Cache-Hits: ""

    # Shared chain; members run in the order listed.
    # Rate limiting sits ahead of the header middlewares, so rejected
    # requests never reach the backend.
    # Each header middleware below is a separate instance, so their
    # customResponseHeaders maps do not merge; when two of them set the same
    # header, check which value actually reaches the client.
    common:
      chain:
        middlewares:
          - httpsredirect@file
          - ratelimit@file
          - defaults@file
          - csp@file
          - security@file
          - manageheaders@file
          - autodetect@file

    # Chain referenced by both routers: compression followed by the
    # `common` chain (redirect, rate limit and header middlewares).
    standard:
      chain:
        middlewares:
          - compress@file
          - common@file