log:
  level: DEBUG

accessLog:
  filePath: /logs/access.log
  format: json

api:
  dashboard: true
  insecure: false

ping: {}

providers:
  docker:
    endpoint: "tcp://docker-socket-proxy:2375"
    exposedByDefault: false

  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      # Trust forwarding headers only from upstream proxies/LBs under our control.
      # Network assumptions for this stack:
      # - 127.0.0.1/32: local host-side reverse-proxy hops
      # - 192.168.2.0/24: LAN edge proxies
      # - 172.21.0.0/16: pinned Docker subnet for the traefik bridge network
      insecure: false
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.2.0/24"
        - "172.21.0.0/16"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    forwardedHeaders:
      insecure: false
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.2.0/24"
        - "172.21.0.0/16"
    http:
      middlewares:
        - default-chain@file
#    observability:
#      tracing:
#        enabled: true
#  metrics:
#    address: ":9100"

certificatesResolvers:
  myresolver:
    acme:
      email: wayne.bennett@live.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

experimental:
  plugins:
    crowdsec-bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.2
metrics:
  prometheus:
#    entryPoint: metrics:9100          # optional, default is "metrics"
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
    addEntryPointsLabels: true   # add labels for each entrypoint
    addServicesLabels: true      # add labels for each service
#tracing:
#  serviceName: traefik
#  sampleRate: 1.0

#  otlp:
#    grpc:
#      endpoint: tempo:4317
#      insecure: true
#    enabled: true
#    http:
#      enabled: true
#      endpoint: http://tempo:4318/v1/traces