fix: ensure large uploads work

#95
Reviewed-on: #96
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Co-authored-by: decentral1se <cellarspoon@riseup.net>
Co-committed-by: decentral1se <cellarspoon@riseup.net>

.env.sample

@@ -122,8 +122,10 @@ COMPOSE_FILE="compose.yml"
 
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+## BASIC_AUTH should also be enabled
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
+#METRICS_FQDN=metrics.traefik.example.com
 
 #####################################################################
 # File provider directory configuration                             #

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v29
-export FILE_PROVIDER_YML_VERSION=v11
+export TRAEFIK_YML_VERSION=v30a
+export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5

compose.metrics.yml

@@ -3,7 +3,3 @@ services:
   app:
     environment:
       - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.10"
+    image: "traefik:v3.6.11"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -55,12 +55,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=4.0.0+v3.6.10"
+        - "coop-cloud.${STACK_NAME}.version=5.1.0+v3.6.11"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
+    image: lscr.io/linuxserver/socket-proxy:3.2.14
     deploy:
       endpoint_mode: dnsrr
     environment:

file-provider.yml.tmpl

@@ -30,6 +30,18 @@ http:
         stsIncludeSubdomains: true
         stsPreload: true
         stsSeconds: "31536000"
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  routers:
+    traefik-metrics:
+      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
+      entrypoints:
+        - web-secure
+      tls:
+        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
+      middlewares:
+        - basicauth@file
+      service: prometheus@internal
+  {{ end }}
 
 tls:
   options:

release/5.0.0+v3.6.10

@@ -0,0 +1,10 @@
+/!\ BREAKING CHANGE: Change metrics endpoint to use https instead of http 8082
+                     to prevent sending BASIC_AUTH in plaintext
+
+The metrics endpoint changed from http on port 8082 to the web-secure
+endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is
+enabled you need to configure a FQDN for it by setting METRICS_FQDN in your
+.env. You should also update the scrape config files in prometheus for
+Traefik metrics from port 8082 to the new FQDN.
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/5.0.0+v3.6.10...4.0.0+v3.6.10

release/5.1.0+v3.6.11

@@ -0,0 +1 @@
+Patched CVES: CVE-2026-32595 and CVE-2026-32305

traefik.yml.tmpl

@@ -33,6 +33,10 @@ entrypoints:
           to: web-secure
   web-secure:
     address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 0s
+        writeTimeout: 0s
     http:
       encodedCharacters:
         allowEncodedSlash: true
@@ -94,13 +98,6 @@ entrypoints:
   irc:
     address: ":6697"
   {{- end }}
-  {{- if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{- end }}
   {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
     address: ":9001"
@@ -122,7 +119,8 @@ ping:
 {{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
   prometheus:
-    entryPoint: metrics
+    entryPoint: web-secure
+    manualRouting: true
     addRoutersLabels: true
     addServicesLabels: true
 {{- end }}