nextcloud/deploy/infra/middlewares.yaml

# Strip Authorization header for WebDAV so Authentik doesn't try to interpret Basic Auth

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: webdav-strip-auth
spec:
  headers:
    customRequestHeaders:
      Authorization: ""

---
# Rate limit to protect from brute force / bots
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 50
    burst: 100

---
# Optional: security headers for UI
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-security-headers
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    browserXssFilter: true
    contentTypeNosniff: true
    frameDeny: true
    referrerPolicy: "no-referrer"
    customResponseHeaders:
      X-Content-Type-Options: "nosniff"
      X-Frame-Options: "DENY"
      X-XSS-Protection: "1; mode=block"

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-forward-auth
spec:
  forwardAuth:
    address: "http://ak-outpost-authentik-embedded-outpost.id-limbosolutions-com.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
    trustForwardHeader: true

    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-entitlements
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---