tls:
  options:
    docs:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_AES_256_GCM_SHA384
        - TLS_AES_128_GCM_SHA256
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_FALLBACK_SCSV
    dashboard:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_AES_256_GCM_SHA384
        - TLS_AES_128_GCM_SHA256
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_FALLBACK_SCSV
      clientAuth:
        caFiles:
          - /etc/traefik/com.rskio.ca.crt
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    traefik-dashboard:
      rule: "Host(`oxy.rskio.com`)"
      service: "api@internal"
      entryPoints:
        - "websecure"
      middlewares:
        - "redirect-dashboard"
      tls:
        options: dashboard@file
        certResolver: rskio_certresolver
  middlewares:
    redirect-dashboard:
      redirectRegex:
        regex: "^https?://([^/]+)/?$"
        replacement: "https://${1}/dashboard/"
        permanent: true
    secureHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
        referrerPolicy: "same-origin"
        sslRedirect: true
        stsSeconds: 31536000