docs: add reverse-proxy example, improve docker examples, fix slow_query_threshold documentation; feat: allow config.yml and config.yaml as configuration files

docs/documentation/getting-started/docker.md

@@ -45,6 +45,7 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
        cap_add:
          - NET_ADMIN
        ports:
+         # host port : container port
          # WireGuard port, needs to match the port in wg-portal interface config (add one port mapping for each interface)
          - "51820:51820/udp" 
          # Web UI port
@@ -52,6 +53,7 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        volumes:
+         # host path : container path
          - ./wg/data:/app/data
          - ./wg/config:/app/config
    ```
@@ -70,6 +72,7 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
          - NET_ADMIN
        network_mode: "service:wireguard" # So we ensure to stay on the same network as the wireguard container.
        volumes:
+         # host path : container path
          - ./wg/etc:/etc/wireguard
          - ./wg/data:/app/data
          - ./wg/config:/app/config
@@ -81,6 +84,7 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
        cap_add:
          - NET_ADMIN
        ports:
+         # host port : container port
          - "51820:51820/udp" # WireGuard port, needs to match the port in wg-portal interface config
          - "8888:8888/tcp" # Noticed that the port of the web UI is exposed in the wireguard container.
        volumes:
@@ -133,7 +137,7 @@ For each commit in the master and the stable branch, a corresponding Docker imag
 ## Configuration
 
 You can configure WireGuard Portal using a YAML configuration file.
-The filepath of the YAML configuration file defaults to `/app/config/config.yml`.
+The filepath of the YAML configuration file defaults to `/app/config/config.yaml`.
 It is possible to override the configuration filepath using the environment variable **WG_PORTAL_CONFIG**.
 
 By default, WireGuard Portal uses an SQLite database. The database is stored in `/app/data/sqlite.db`.

docs/documentation/getting-started/reverse-proxy.md

@@ -0,0 +1,98 @@
+## Reverse Proxy for HTTPS
+
+For production deployments, always serve the WireGuard Portal over HTTPS. You have two options to secure your connection:
+
+
+### Reverse Proxy
+
+Let a front‐end proxy handle HTTPS for you. This also frees you from managing certificates manually and is therefore the preferred option.
+You can use Nginx, Traefik, Caddy or any other proxy. 
+
+Below is an example using a Docker Compose stack with [Traefik](https://traefik.io/traefik/). 
+It exposes the WireGuard Portal on `https://wg.domain.com` and redirects initial HTTP traffic to HTTPS.
+
+```yaml
+services:
+  reverse-proxy:
+    image: traefik:v3.3
+    restart: unless-stopped
+    command:
+      #- '--log.level=DEBUG'
+      - '--providers.docker.endpoint=unix:///var/run/docker.sock'
+      - '--providers.docker.exposedbydefault=false'
+      - '--entrypoints.web.address=:80'
+      - '--entrypoints.websecure.address=:443'
+      - '--entrypoints.websecure.http3'
+      - '--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true'
+      - '--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web'
+      - '--certificatesresolvers.letsencryptresolver.acme.email=your.email@domain.com'
+      - '--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json'
+      #- '--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory'  # just for testing
+    ports:
+      - 80:80 # for HTTP
+      - 443:443/tcp  # for HTTPS
+      - 443:443/udp  # for HTTP/3
+    volumes:
+      - acme-certs:/letsencrypt
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      - 'traefik.enable=true'
+      # HTTP Catchall for redirecting HTTP -> HTTPS
+      - 'traefik.http.routers.dashboard-catchall.rule=Host(`wg.domain.com`) && PathPrefix(`/`)'
+      - 'traefik.http.routers.dashboard-catchall.entrypoints=web'
+      - 'traefik.http.routers.dashboard-catchall.middlewares=redirect-to-https'
+      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'
+
+  wg-portal:
+    image: wgportal/wg-portal:latest
+    container_name: wg-portal
+    restart: unless-stopped
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    cap_add:
+      - NET_ADMIN
+    ports:
+      # host port : container port
+      # WireGuard port, needs to match the port in wg-portal interface config (add one port mapping for each interface)
+      - "51820:51820/udp"
+      # Web UI port (only available on localhost, Traefik will handle the HTTPS)
+      - "127.0.0.1:8888:8888/tcp"
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      # host path : container path
+      - ./wg/data:/app/data
+      - ./wg/config:/app/config
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.wgportal.rule=Host(`wg.domain.com`)'
+      - 'traefik.http.routers.wgportal.entrypoints=websecure'
+      - 'traefik.http.routers.wgportal.tls.certresolver=letsencryptresolver'
+      - 'traefik.http.routers.wgportal.service=wgportal'
+      - 'traefik.http.services.wgportal.loadbalancer.server.port=8888'
+
+volumes:
+  acme-certs:
+```
+
+The WireGuard Portal configuration must be updated accordingly so that the correct external URL is set for the web interface:
+
+```yaml
+web:
+  external_url: https://wg.domain.com
+```
+
+### Built-in TLS
+
+If you prefer to let WireGuard Portal handle TLS itself, you can use the built-in TLS support.
+In your `config.yaml`, under the `web` section, point to your certificate and key files:
+
+```yaml
+web:
+  cert_file: /path/to/your/fullchain.pem
+  key_file:  /path/to/your/privkey.pem
+```
+
+The web server will then use these files to serve HTTPS traffic directly instead of HTTP.