# ============================================================================ # dynamic.yml — Configuration dynamique Traefik # ============================================================================ # Middlewares partagés, notamment ForwardAuth pour le SSO. http: middlewares: # ⭐ Middleware ForwardAuth pour l'authentification SSO via OAuth2-Proxy # ⚠️ La ligne "- Cookie" dans authRequestHeaders est CRITIQUE oauth2-headers: forwardAuth: address: "http://oauth2-proxy:4180/oauth2/auth" trustForwardHeader: true authRequestHeaders: - Cookie # ← INDISPENSABLE (sans, le SSO casse) - Authorization - X-Forwarded-Host - X-Forwarded-Proto - X-Forwarded-Uri authResponseHeaders: - X-Auth-Request-User - X-Auth-Request-Email - X-Auth-Request-Preferred-Username - X-Auth-Request-Groups - X-Auth-Request-Access-Token - X-Forwarded-User - X-Forwarded-Email - X-Forwarded-Preferred-Username - X-Forwarded-Groups - Authorization # Middleware "secure headers" - bonne pratique sécurité secure-headers: headers: accessControlAllowMethods: - GET - POST - OPTIONS accessControlMaxAge: 100 hostsProxyHeaders: - "X-Forwarded-Host" sslRedirect: true sslHost: "" sslForceHost: true sslProxyHeaders: X-Forwarded-Proto: https stsSeconds: 63072000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true frameDeny: true contentTypeNosniff: true browserXssFilter: true referrerPolicy: "strict-origin-when-cross-origin"