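---
# Traefik TLSOption enforcing mutual TLS: every client must present a
# certificate that chains to a CA in the referenced secret. A route only gets
# this behaviour when it references the option via its tls.options field.
# NOTE(review): the traefik.containo.us API group is deprecated upstream in
# favour of traefik.io/v1alpha1 (and removed in Traefik v3) — confirm which
# group the target cluster serves before migrating.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: homea2-mtls
spec:
  clientAuth:
    # Secret holding the trusted client-CA bundle. Traefik reads the CA from a
    # tls.ca key (ca.crt is also accepted on recent versions) — verify the key
    # name matches what the secret actually carries, or no client will verify.
    secretNames:
      - mtls-ca-cert
    # Reject the handshake unless a certificate is presented AND verifies
    # against the CA above; weaker modes (e.g. RequestClientCert) would let
    # certificate-less clients through.
    clientAuthType: RequireAndVerifyClientCert
  minVersion: "VersionTLS12"
  # Go's TLS stack only honours this list for TLS 1.2; TLS 1.3 suites are
  # fixed. Only ECDHE (forward-secret) suites are kept: the original list also
  # carried TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256,
  # whose static-RSA key exchange offers no forward secrecy. Re-add them only
  # for a known client that cannot negotiate ECDHE.
  cipherSuites:
    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
---
# Header hygiene for mTLS-protected routes. Despite its name, this middleware
# performs NO client-certificate check itself — enforcement lives in the
# TLSOption above. Attach this middleware to the same routes that use it.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: mtls-auth
spec:
  headers:
    customRequestHeaders:
      # An empty value makes Traefik strip the header from the inbound
      # request, so an upstream cannot be fooled by a client-supplied
      # X-Client-Cert. If the backend needs the certificate, use Traefik's
      # passTLSClientCert middleware rather than trusting any inbound header.
      X-Client-Cert: ""
    customResponseHeaders:
      # Set unconditionally on every response this middleware touches; it is
      # informational, not the result of a check. Do not treat it as a trust
      # signal downstream.
      X-mTLS-Verified: "true"
  # Optional: restrict source addresses in addition to mTLS. Traefik expects
  # one middleware type per resource, so declare this as its own Middleware
  # and chain it on the route rather than adding it here.
  # ipWhiteList:
  #   sourceRange:
  #     - "10.0.0.0/8"
  #     - "192.168.0.0/16"
---
# Baseline browser security headers.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
spec:
  headers:
    customResponseHeaders:
      X-Frame-Options: "SAMEORIGIN"
      X-Content-Type-Options: "nosniff"
      # Legacy header: current guidance treats it as obsolete and recommends
      # "0" (or omitting it) and relying on CSP instead.
      X-XSS-Protection: "1; mode=block"
      # Only safe once the site is reachable solely over HTTPS; "preload" is
      # hard to revert, so submit to the preload list deliberately.
      Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
    # 'unsafe-inline' in script-src largely defeats CSP's XSS protection;
    # tighten with nonces or hashes once inline scripts are accounted for.
    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"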