seize-infra-doc/configs/traefik/dynamic.yml.template
Hedi Kalboussi 1e90a85359 Documentation initiale infra Seize — passation J7
- 6 docs racine (README, HANDOVER, ARCHITECTURE, DECISIONS, INSTALL, OPERATIONS)
- 9 docs thématiques dans docs/
- 10 templates docker-compose dans configs/
- 7 scripts Python/Shell d'import Furious vers Zitadel
- 2 matrices RBAC

Etat infra au 5 juin 2026 :
- 88 users Furious importes dans Zitadel
- 8 roles RBAC crees et attribues
- Intranet filtre les cartes selon role (Approche A)
- 7 outils SSO operationnels
2026-06-05 17:49:43 +00:00

55 lines
1.8 KiB
Plaintext

# ============================================================================
# dynamic.yml — Configuration dynamique Traefik
# ============================================================================
# Middlewares partagés, notamment ForwardAuth pour le SSO.
http:
middlewares:
# ⭐ Middleware ForwardAuth pour l'authentification SSO via OAuth2-Proxy
# ⚠️ La ligne "- Cookie" dans authRequestHeaders est CRITIQUE
oauth2-headers:
forwardAuth:
address: "http://oauth2-proxy:4180/oauth2/auth"
trustForwardHeader: true
authRequestHeaders:
- Cookie # ← INDISPENSABLE (sans, le SSO casse)
- Authorization
- X-Forwarded-Host
- X-Forwarded-Proto
- X-Forwarded-Uri
authResponseHeaders:
- X-Auth-Request-User
- X-Auth-Request-Email
- X-Auth-Request-Preferred-Username
- X-Auth-Request-Groups
- X-Auth-Request-Access-Token
- X-Forwarded-User
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-Groups
- Authorization
# Middleware "secure headers" - bonne pratique sécurité
secure-headers:
headers:
accessControlAllowMethods:
- GET
- POST
- OPTIONS
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
sslHost: ""
sslForceHost: true
sslProxyHeaders:
X-Forwarded-Proto: https
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
frameDeny: true
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: "strict-origin-when-cross-origin"