traefik/security-rules.yml

http:
  middlewares:
    # 1. Geoblocking Rule (Allow US only)
    geoblock-policy:
      plugin:
        geoblock:
          allowLocalRequests: true
          logLocalRequests: false
          countries:
            - US

    # 2. CrowdSec Firewall Rule
    crowdsec-policy:
      plugin:
        crowdsec:
          enabled: true
          crowdsecLapiHost: "crowdsec:8080"
          crowdsecLapiKey: "51PtgkJTvGtwSY+jyRbl6Ai33+JEzAmsJrgrkaG2loU"
          crowdsecMode: stream

    # 3. Secure HTTP Headers
    secure-headers:
      headers:
        sslRedirect: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true