# traefik.yaml
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/

entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: "admin@example.ch"
      storage: "/letsencrypt/acme.json"
      tlsChallenge: true
      # caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - secp521r1
        - secp384r1

    mintls13:
      minVersion: VersionTLS13

http:
  middlewares:
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000