From db968ba5ca4decab33f462d6dcf8ea2f93364b23 Mon Sep 17 00:00:00 2001
From: aki
Date: Sat, 26 Apr 2025 12:27:09 +0800
Subject: [PATCH] fix(traefik): Update middleware configuration for HTTPS and routing rules
---
 docker-compose.yml | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index fd4bf88..3931f08 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,7 +16,6 @@ services:
 - --providers.docker.network=docker-compose-nas
 - --providers.docker.endpoint=unix:///var/run/docker.sock
 - --log.level=DEBUG
- - --entrypoints.web.http.middlewares=set-x-forwarded-proto@docker
 network_mode: service:tailscale
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -25,7 +24,12 @@ services:
 interval: 30s
 retries: 10
 labels:
- - traefik.http.middlewares.set-x-forwarded-proto.headers.customRequestHeaders.X-Forwarded-Proto=https
+ - traefik.enable=true
+ # Global middleware to set X-Forwarded-Proto header
+ - traefik.http.middlewares.https-proto.headers.customrequestheaders.X-Forwarded-Proto=https
+ - traefik.http.routers.catchall.rule=PathPrefix(`/`)
+ - traefik.http.routers.catchall.middlewares=https-proto@docker
+ - traefik.http.routers.catchall.entrypoints=web
 redis:
 image: redis:alpine
 container_name: redis
@@ -60,6 +64,7 @@ services:
 # - traefik.http.routers.authelia.priority=100 # Removed priority
 - traefik.http.services.authelia.loadbalancer.server.port=9091
 - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify # Simplified forwardAuth address
+ - traefik.http.routers.authelia.middlewares=https-proto@docker
 - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
 - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
 - homepage.group=Security
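Review bot: The `catchall` router added under the traefik `labels:` does not make `https-proto` global, because a router's middlewares run only for requests that router itself matches, so the `# Global middleware` comment is misleading. What the three labels do add is a route matching every path on `web` with no `Host(...)` rule and no `authelia-auth@docker`, and no `traefik.http.services` label in the hunk says which backend it reaches; presumably the docker provider derives one from the traefik container itself. I would drop the `traefik.http.routers.catchall.*` labels, or, if an entrypoint-wide header is wanted, keep the flag the first hunk removes, pointed at the renamed middleware: `- --entrypoints.web.http.middlewares=https-proto@docker`. The service definition these labels belong to starts outside the hunk.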
@@ -86,7 +91,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.sonarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sonarr`) # Added Host check
 - traefik.http.routers.sonarr.entrypoints=web
- - traefik.http.routers.sonarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.sonarr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.sonarr.loadbalancer.server.port=8989
 - homepage.group=Media
 - homepage.name=Sonarr
@@ -116,7 +121,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.radarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/radarr`) # Added Host check
 - traefik.http.routers.radarr.entrypoints=web
- - traefik.http.routers.radarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.radarr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.radarr.loadbalancer.server.port=7878
 - homepage.group=Media
 - homepage.name=Radarr
@@ -146,7 +151,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.lidarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/lidarr`) # Added Host check
 - traefik.http.routers.lidarr.entrypoints=web
- - traefik.http.routers.lidarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.lidarr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.lidarr.loadbalancer.server.port=8686
 - homepage.group=Media
 - homepage.name=Lidarr
@@ -178,7 +183,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.bazarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/bazarr`) # Added Host check
 - traefik.http.routers.bazarr.entrypoints=web
- - traefik.http.routers.bazarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.bazarr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.bazarr.loadbalancer.server.port=6767
 - homepage.group=Download
 - homepage.name=Bazarr
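Review bot: The pair `https-proto@docker,authelia-auth@docker` on the sonarr router is now repeated by hand on every protected router (radarr, lidarr and bazarr next to it; prowlarr, flaresolverr, sabnzbd and homepage in later hunks), so one forgotten or reordered entry silently changes what that service and Authelia see. Because `authelia-auth` is declared with `forwardAuth.trustForwardHeader=true`, the header set by `https-proto` is presumably what the auth sub-request carries, which makes the order load-bearing. Define the pair once as a chain middleware on the traefik labels, e.g. `- traefik.http.middlewares.secured.chain.middlewares=https-proto@docker,authelia-auth@docker` (the name `secured` is illustrative), and reference `secured@docker` from each router. Add a comment there that `https-proto` must stay ahead of `authelia-auth`.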
@@ -214,7 +219,7 @@ services:
 - traefik.http.routers.jellyseerr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyseerr`) # Added Host check
 - traefik.http.routers.jellyseerr.entrypoints=web
 - traefik.http.services.jellyseerr.loadbalancer.server.port=5055
- - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
+ - traefik.http.routers.jellyseerr.middlewares=https-proto@docker,jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
 - traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
 - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].header=location
 - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].regex=^/(.+)$
@@ -287,7 +292,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.prowlarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/prowlarr`) # Added Host check
 - traefik.http.routers.prowlarr.entrypoints=web
- - traefik.http.routers.prowlarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.prowlarr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.prowlarr.loadbalancer.server.port=9696
 - homepage.group=Download
 - homepage.name=Prowlarr
@@ -311,7 +316,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.flaresolverr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/flaresolverr`) # Added Host check
 - traefik.http.routers.flaresolverr.entrypoints=web
- - traefik.http.routers.flaresolverr.middlewares=authelia-auth@docker
+ - traefik.http.routers.flaresolverr.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.flaresolverr.loadbalancer.server.port=8191
 profiles:
 - flaresolverr
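Review bot: On the jellyseerr router `authelia-auth@docker` is still the last entry, after `jellyseerr-stripprefix` and the rewrite middlewares, so the forward-auth check runs only once the path has already been rewritten. The same ordering is kept for qbittorrent (behind the `qbittorrent-strip-slash` redirect) and calibre in later hunks. Authelia then likely sees the stripped URI rather than `/jellyseerr/...`, which can affect path-based access rules and the post-login return URL, and the redirect middleware answers before any authentication has happened. Since the line is being edited anyway, consider `https-proto@docker,authelia-auth@docker,jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders` and verify the login round trip. A short comment recording that auth must precede the path rewrites would keep the order from drifting again.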
@@ -338,7 +343,7 @@ services:
 - traefik.http.routers.qbittorrent.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/qbittorrent`) # Added Host check
 - traefik.http.routers.qbittorrent.entrypoints=web
 - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
- - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
+ - traefik.http.routers.qbittorrent.middlewares=https-proto@docker,qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
 - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
 - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
 - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
@@ -383,7 +388,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.sabnzbd.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sabnzbd`) # Added Host check
 - traefik.http.routers.sabnzbd.entrypoints=web
- - traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
+ - traefik.http.routers.sabnzbd.middlewares=https-proto@docker,authelia-auth@docker
 - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
 - homepage.group=Download
 - homepage.name=Sabnzbd
@@ -419,7 +424,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.jellyfin.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyfin`) # Added Host check
 - traefik.http.routers.jellyfin.entrypoints=web
- - traefik.http.routers.jellyfin.middlewares= # Ensure this remains empty for no auth
+ - traefik.http.routers.jellyfin.middlewares=https-proto@docker # Only HTTPS, no auth
 - traefik.http.services.jellyfin.loadbalancer.server.port=8096
 - homepage.group=Media
 - homepage.name=Jellyfin
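Review bot: The new inline comment `# Only HTTPS, no auth` on the jellyfin router overstates what `https-proto` does: as defined in the traefik labels it only sets `X-Forwarded-Proto: https` on the request and neither enforces nor redirects to TLS. The previous comment also made it explicit that this router is deliberately left outside Authelia, which is now easier to miss when someone copies the line. Suggested wording: `# sets X-Forwarded-Proto only; intentionally no authelia-auth, access control is left to Jellyfin itself`. The last part is an assumption about the deployment and should be confirmed by the author.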
@@ -448,7 +453,7 @@ services:
 - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Scheme=https
 - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
 - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
- - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,authelia-auth@docker
+ - traefik.http.routers.calibre.middlewares=https-proto@docker,calibre-headers,calibre-stripprefixregex,authelia-auth@docker
 - traefik.http.routers.calibre.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/calibre`) # Added Host check
 - traefik.http.routers.calibre.entrypoints=web
 - traefik.http.services.calibre.loadbalancer.server.port=8083
@@ -526,7 +531,7 @@ services:
 - traefik.http.routers.homepage.entrypoints=web
 # - traefik.http.routers.homepage.priority=10 # Removed priority
 # - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home # Removed stripPrefix middleware definition
- - traefik.http.routers.homepage.middlewares=authelia-auth@docker # Removed stripPrefix middleware usage
+ - traefik.http.routers.homepage.middlewares=https-proto@docker,authelia-auth@docker
 - homepage.group=Dashboard
 - homepage.name=Homepage
 - homepage.icon=homepage.png