From 4ce87860565cd00d19f95d9b2590fa5f5a4a905b Mon Sep 17 00:00:00 2001
From: Ognir
Date: Mon, 5 Jan 2026 22:33:13 +0100
Subject: [PATCH] =?UTF-8?q?feat(security):=20a=C3=B1adir=20whitelist=20ind?= =?UTF-8?q?ependiente=20y=20estructurar=20middlewares?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Incluye access-control.yml, auth.yml y security-headers.yml
- Añadida whitelist.yml (configuración independiente)
---
traefik/dynamic/access-control.yml | 12 ++++++++++++
traefik/dynamic/auth.yml | 9 +++++++++
traefik/dynamic/security-headers.yml | 15 +++++++++++++++
whitelist.yml | 12 ++++++++++++
4 files changed, 48 insertions(+)
create mode 100755 traefik/dynamic/access-control.yml
create mode 100755 traefik/dynamic/auth.yml
create mode 100755 traefik/dynamic/security-headers.yml
create mode 100755 whitelist.yml
diff --git a/traefik/dynamic/access-control.yml b/traefik/dynamic/access-control.yml
new file mode 100755
index 0000000..d9ac956
--- /dev/null
+++ b/traefik/dynamic/access-control.yml
@@ -0,0 +1,12 @@
+# ==============================================================================
+# CONTROL DE ACCESO PERIMETRAL (WHITELIST)
+# ==============================================================================
+http:
+ middlewares:
+ whitelist-interna:
+ ipAllowList:
+ sourceRange:
+ - "127.0.0.1/32"
+ - "192.168.178.0/24"
+ - "100.64.0.0/10"
+ - "172.20.0.0/16"
diff --git a/traefik/dynamic/auth.yml b/traefik/dynamic/auth.yml
new file mode 100755
index 0000000..28d22ec
--- /dev/null
+++ b/traefik/dynamic/auth.yml
@@ -0,0 +1,9 @@
+# ==============================================================================
+# AUTENTICACIÓN PARA DASHBOARD Y SERVICIOS CRÍTICOS
+# ==============================================================================
+http:
+ middlewares:
+ auth-dashboard:
+ basicAuth:
+ users:
+ - "Ognir:$apr1$0.TPOwbF$mHoZOQE2xcdWDBN4VhcBe/"
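Review bot: The `172.20.0.0/16` entry in whitelist-interna's sourceRange admits every container attached to that Docker subnet, and if any other proxy or tunnel container forwards public traffic to Traefik over that network, all of it arrives from a 172.20.x peer address and passes the allowlist unchallenged. The same "Docker" range is written as `172.16.0.0/12` in whitelist.yml (muro-seguro), so the two middlewares disagree about what internal Docker traffic is; settle on one value and record the reason beside it, e.g. `- "172.20.0.0/16"  # only the docker network that reaches Traefik; do not widen to /12`. The other three entries carry no explanation here while whitelist.yml comments each one, so the per-entry comments are worth copying over. Note also that ipAllowList matches the TCP peer address unless `ipStrategy` is configured, which matters if Traefik ever sits behind another proxy that sets X-Forwarded-For.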
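Review bot: The users entry on the last line of auth.yml commits a password hash to the repository, and its `$apr1$` prefix marks it as the MD5-based APR1 scheme rather than the bcrypt form Traefik's basicAuth also accepts (`htpasswd -B`). Consider keeping the credential out of the tracked file with `usersFile: "/run/secrets/dashboard.htpasswd"` (placeholder path, mounted at runtime) and regenerating it as bcrypt, since the current hash is now part of git history regardless of later edits. Separately, all four files in this patch are created with mode 100755; YAML configuration needs no executable bit, and adding them as regular 100644 files avoids confusing tooling that treats executables specially.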
diff --git a/traefik/dynamic/security-headers.yml b/traefik/dynamic/security-headers.yml
new file mode 100755
index 0000000..34b7850
--- /dev/null
+++ b/traefik/dynamic/security-headers.yml
@@ -0,0 +1,15 @@
+# ################################################################# #
+# MIDDLEWARE: SECURITY-HEADERS #
+# ################################################################# #
+http:
+ middlewares:
+ security-headers:
+ headers:
+ forceSTSHeader: true
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ frameDeny: true
+ referrerPolicy: "same-origin"
diff --git a/whitelist.yml b/whitelist.yml
new file mode 100755
index 0000000..a79ff56
--- /dev/null
+++ b/whitelist.yml
@@ -0,0 +1,12 @@
+# ################################################################# #
+# MIDDLEWARE DE WHITELIST - ACCESO RESTRINGIDO OGNIRNAS #
+# ################################################################# #
+http:
+ middlewares:
+ muro-seguro:
+ ipAllowList:
+ sourceRange:
+ - "127.0.0.1/32" # Localhost (interno)
+ - "192.168.178.0/24" # Tu red local de casa
+ - "100.64.0.0/10" # Todo el rango de Tailscale
+ - "172.16.0.0/12" # Redes internas de Docker
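Review bot: `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a legacy header that current browsers ignore and that OWASP now recommends setting to `0` because the old filter itself caused information leaks; dropping the line in favour of a `contentSecurityPolicy` value suited to the services behind this middleware would be the stronger control (the policy is app-specific, so left to the author). `stsPreload: true` combined with `stsIncludeSubdomains: true` asserts eligibility for the browser HSTS preload list, which is effectively irreversible once submitted and binds every subdomain of the host, so a comment such as `# preload + includeSubdomains: every subdomain must serve valid HTTPS before submitting to hstspreload.org` would protect the next maintainer. `forceSTSHeader: true` also sends the header on plain-HTTP responses; browsers ignore HSTS received over HTTP, so it is harmless, but a one-line comment saying it is intentional would help.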
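Review bot: whitelist.yml is created at the repository root rather than under traefik/dynamic/, so if the file provider watches that directory (which the other three files suggest) the muro-seguro middleware is never loaded; if it is meant to be mounted separately, the banner comment should say where and how. The `172.16.0.0/12` entry covers the entire RFC 1918 172.16/12 block, far wider than the `172.20.0.0/16` used for the same purpose in access-control.yml and wider than any single Docker network, so any container on any bridge in that range bypasses the allowlist; narrow it to the one network that reaches Traefik, e.g. `- "172.20.0.0/16"  # only the docker network that reaches Traefik`. Since muro-seguro otherwise duplicates whitelist-interna, keeping a single definition avoids the two drifting apart as they already have on this entry.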