http:
  middlewares:
    block-ip-access:
      headers:
        customRequestHeaders:
          Host: ""  # This will catch requests with no Host header or invalid ones
    cloudflarewarp:
      plugin:
        cloudflare:
          trustedCIDRs: []
          overwriteRequestHeader: true
          debug: true
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          crowdsecMode: stream
          crowdsecLapiHost: "localhost:8080"
          crowdsecLapiKey: gFJjSzdbB0GCe/1Y9HcxMPP1vQmoa4psZOFyleJZJVQ
    compress-middleware:
      compress:
        encodings:
          - zstd
          - br
          - gzip
        defaultEncoding: zstd
        includedContentTypes:
          - text/html
          - text/css
          - application/javascript
          - application/json
          - text/plain
    http-cache:
      plugin:
        souin:
          default_cache:
            ttl: 10s
            default_cache_control: public, max-age=600
            redis:
              url: 172.20.0.100://redis:6379
            allowed_http_verbs:
              - GET
              - HEAD
              - POST
          log_level: debug
          api:
            souin: {}
            prometheus: {}
  routers:
    block-direct-access:
      rule: "HostRegexp(`{host:.+}`)"  # Matches any host
      service: noop@internal
      priority: 1  # Low priority to catch unmatched requests
      entryPoints:
        - web
        - websecure
      middlewares:
        - block-ip-access
    netdata:
      rule: Host(`netdata.gbanyan.net`)
      service: netdata
      entryPoints: ["internal_websecure"]
      tls:
        certResolver: letsencrypt

  services:
    netdata:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:19999"