diff --git a/05backends.cfg b/05backends.cfg
index f276dc4..ae9c82a 100644
--- a/05backends.cfg
+++ b/05backends.cfg
@@ -1,3 +1,31 @@
+resolvers incus
+ nameserver incus 10.10.10.1:53
+
+ # Maximum size of a DNS answer allowed, in bytes
+ accepted_payload_size 512
+
+ # Whether to add nameservers found in /etc/resolv.conf
+ parse-resolv-conf
+
+ # How long to "hold" a backend server's up/down status depending on the name resolution status.
+ # For example, if an NXDOMAIN response is returned, keep the backend server in its current state (up) for
+ # at least another 30 seconds before marking it as down due to DNS not having a record for it.
+ hold valid 10s
+ hold other 30s
+ hold refused 30s
+ hold nx 30s
+ hold timeout 30s
+ hold obsolete 30s
+
+ # How many times to retry a query
+ resolve_retries 3
+
+ # How long to wait between retries when no valid response has been received
+ timeout retry 1s
+
+ # How long to wait for a successful resolution
+ timeout resolve 1s
+
 # Backends
 backend default
 tcp-request content reject
@@ -14,7 +42,7 @@ backend laminar
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "cross-origin"
 http-response set-header Cache-Control max-age=31536000
- server laminar laminar.incus:8080 check
+ server laminar laminar.incus:8080 check resolvers incus init-addr last,libc,none
 
 backend forgejo
 # set HSTS for one year after all responses
@@ -24,7 +52,7 @@ backend forgejo
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server forgejo forgejo.incus:3000 check
+ server forgejo forgejo.incus:3000 check resolvers incus init-addr last,libc,none
 
 backend mastodon
 # set HSTS for one year after all responses
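Review bot: `parse-resolv-conf` in the new `resolvers incus` section adds whatever nameservers the host's /etc/resolv.conf lists next to 10.10.10.1, so lookups for the `.incus` backends are no longer answered only by the Incus DNS. HAProxy sends each query to every nameserver in the section and accepts the first valid answer, which means an upstream resolver both sees the internal hostnames and could supply the address that traffic is forwarded to. Several of these backends are reached over plain HTTP (vaultwarden on port 80, for example), so nothing downstream would notice a wrong address. Unless the host resolvers are needed for a name in this file, I would drop the directive and leave a comment such as `# only the Incus bridge DNS answers for .incus; host resolvers are deliberately not consulted`.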
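Review bot: The option string `resolvers incus init-addr last,libc,none` is appended by hand to the `server laminar` line and repeated on every other server line in this patch (forgejo through jellyfin), so a backend added later can silently miss it and fall back to resolving once at startup. A single `default-server resolvers incus init-addr last,libc,none` line, in each backend or in the `defaults` section if that lives in another file, would state the policy once. It is also worth a comment that `last` only has an effect when a server-state file is loaded, and that `none` lets HAProxy start with the server down and without an address until DNS answers.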
@@ -34,7 +62,7 @@ backend mastodon
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server mastodon mastodon2.incus:80 send-proxy check
+ server mastodon mastodon2.incus:80 send-proxy check resolvers incus init-addr last,libc,none
 
 backend linkding
 # set HSTS for one year after all responses
@@ -44,7 +72,7 @@ backend linkding
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server linkding linkding.incus:9090 check
+ server linkding linkding.incus:9090 check resolvers incus init-addr last,libc,none
 
 backend archive
 # set HSTS for one year after all responses
@@ -55,7 +83,7 @@ backend archive
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
 http-response set-header Cache-Control max-age=31536000
- server archive archive.incus:80 check
+ server archive archive.incus:80 check resolvers incus init-addr last,libc,none
 
 backend adguard
 # set HSTS for one year after all responses
@@ -65,7 +93,7 @@ backend adguard
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server adguard adguard.incus:443 check ssl verify none
+ server adguard adguard.incus:443 check ssl verify none resolvers incus init-addr last,libc,none
 
 backend vaultwarden
 # set HSTS for one year after all responses
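Review bot: On the `server adguard` line the new runtime DNS lookup is combined with `ssl verify none`, so the TLS session to adguard.incus:443 is encrypted but the peer is never authenticated. Before this change the name was resolved once at startup; now the address follows each DNS answer, and a wrong or spoofed record would be accepted without any certificate error. I would pin the backend's CA on that line, e.g. `server adguard adguard.incus:443 check ssl verify required ca-file <PATH_TO_ADGUARD_CA> resolvers incus init-addr last,libc,none`, or at least add a comment explaining why verification is switched off.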
@@ -75,7 +103,7 @@ backend vaultwarden
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server vaultwarden vaultwarden.incus:80 check
+ server vaultwarden vaultwarden.incus:80 check resolvers incus init-addr last,libc,none
 
 backend kanboard
 # set HSTS for one year after all responses
@@ -85,7 +113,7 @@ backend kanboard
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server kanboard kanboard.incus:80 check
+ server kanboard kanboard.incus:80 check resolvers incus init-addr last,libc,none
 
 backend photoprism
 # set HSTS for one year after all responses
@@ -95,7 +123,7 @@ backend photoprism
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server photoprism photoprism.incus:2342 check
+ server photoprism photoprism.incus:2342 check resolvers incus init-addr last,libc,none
 
 backend miniflux
 # set HSTS for one year after all responses
@@ -105,7 +133,7 @@ backend miniflux
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server miniflux miniflux.incus:8080 check
+ server miniflux miniflux.incus:8080 check resolvers incus init-addr last,libc,none
 
 backend www
 # set HSTS for one year after all responses
@@ -116,7 +144,7 @@ backend www
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
 http-response set-header Cache-Control max-age=31536000
- server www www.incus:80 check
+ server www www.incus:80 check resolvers incus init-addr last,libc,none
 
 backend navidrome
 # set HSTS for one year after all responses
@@ -126,7 +154,7 @@ backend navidrome
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server navidrome navidrome.incus:4533 check
+ server navidrome navidrome.incus:4533 check resolvers incus init-addr last,libc,none
 
 backend mailcow
 # set HSTS for one year after all responses
@@ -136,7 +164,7 @@ backend mailcow
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server mailcow mailcow.incus:80 check
+ server mailcow mailcow.incus:80 check resolvers incus init-addr last,libc,none
 
 backend beszel
 # set HSTS for one year after all responses
@@ -146,7 +174,7 @@ backend beszel
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
- server beszel beszel.incus:8090 check
+ server beszel beszel.incus:8090 check resolvers incus init-addr last,libc,none
 
 backend uptime-kuma
 # set HSTS for one year after all responses
@@ -156,24 +184,24 @@ backend uptime-kuma
 http-response set-header X-Content-Type-Options "nosniff"
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "cross-origin"
- server uptime-kuma mxmon:3001 check
+ server uptime-kuma mxmon:3001 check resolvers incus init-addr last,libc,none
 
 backend nefarious
 # set HSTS for one year after all responses
 http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- server nefarious nefarious.incus:8000 check
+ server nefarious nefarious.incus:8000 check resolvers incus init-addr last,libc,none
 
 backend nefarious-jackett
 # set HSTS for one year after all responses
 http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- server nefarious-jackett nefarious.incus:9117 check
+ server nefarious-jackett nefarious.incus:9117 check resolvers incus init-addr last,libc,none
 
 backend nefarious-transmission
 # set HSTS for one year after all responses
 http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- server nefarious-transmission nefarious.incus:9091 check
+ server nefarious-transmission nefarious.incus:9091 check resolvers incus init-addr last,libc,none
 
 backend jellyfin
 # set HSTS for one year after all responses
 http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- server jellyfin 10.10.10.97:8096 check
+ server jellyfin jellyfin.incus:8096 check resolvers incus init-addr last,libc,none
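Review bot: `server uptime-kuma mxmon:3001` is the only server whose name is not under `.incus`, yet it now also gets `resolvers incus`. libc resolves a bare label at startup using /etc/hosts and the search list, but the runtime resolver queries the name as written and, as far as I know, ignores the search list, so if 10.10.10.1 answers NXDOMAIN for `mxmon` the server would be marked down once `hold nx 30s` expires. Please confirm the name resolves through the `incus` resolver, or use the fully qualified name or leave `resolvers` off this line, and add a comment on the server line saying which was chosen.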