From f6bda77e15e93490796057035f51b493410a1981 Mon Sep 17 00:00:00 2001
From: Jean Froment
Date: Fri, 23 Oct 2020 10:45:03 +0200
Subject: [PATCH] Refactor Traefik

---
 docker-compose.yml | 8 +-------
 traefik/custom/middlewares.yaml | 13 +++++++++++++
 traefik/custom/tls.yaml | 5 +++++
 traefik/file-provider.yml | 5 -----
 traefik/{traefik.yml => traefik.yaml} | 13 ++++++++++++-
 5 files changed, 31 insertions(+), 13 deletions(-)
 create mode 100644 traefik/custom/middlewares.yaml
 create mode 100644 traefik/custom/tls.yaml
 delete mode 100644 traefik/file-provider.yml
 rename traefik/{traefik.yml => traefik.yaml} (64%)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1e74ae4..ad83532 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '3'
+version: "3.7"

 services:
 traefik:
@@ -15,12 +15,6 @@ services:
 - configtraefik:/config
 labels:
 - "traefik.enable=true"
- # HTTP to HTTPS redirection
- - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
- - "traefik.http.routers.http_catchall.entrypoints=insecure"
- - "traefik.http.routers.http_catchall.middlewares=https_redirect"
- - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
- - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
 # Docker labels for enabling Traefik dashboard
 - "traefik.http.routers.traefik.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
 - "traefik.http.routers.traefik.entrypoints=secure"
diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml
new file mode 100644
index 0000000..ceff042
--- /dev/null
+++ b/traefik/custom/middlewares.yaml
@@ -0,0 +1,13 @@
+http:
+ middlewares:
+ common-auth:
+ basicAuth:
+ usersFile: "/etc/traefik/http_auth"
+ security-headers:
+ headers:
+ frameDeny: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsSeconds: 31536000
\ No newline at end of file
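Review bot: `browserXssFilter: true` in the new `security-headers` middleware emits `X-XSS-Protection: 1; mode=block`, a legacy header that current browsers ignore and that OWASP now recommends setting to `0` or omitting, because the old filter was itself a cross-site-leak vector in the browsers that honoured it; drop the line, or pin `customResponseHeaders: { X-XSS-Protection: "0" }`. The set also carries no `referrerPolicy`; `referrerPolicy: "strict-origin-when-cross-origin"` is safe to add globally, whereas a `contentSecurityPolicy` should stay per-router since it depends on each app. `stsIncludeSubdomains: true` with a one-year `stsSeconds` pins HSTS on every subdomain of whatever hosts are routed through this entry point, so it is only safe if all of them serve HTTPS — worth a comment above the middleware such as `# HSTS covers all subdomains for a year: every subdomain must be reachable over TLS`. The file also lacks a trailing newline.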
diff --git a/traefik/custom/tls.yaml b/traefik/custom/tls.yaml
new file mode 100644
index 0000000..f93673d
--- /dev/null
+++ b/traefik/custom/tls.yaml
@@ -0,0 +1,5 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ sniStrict: true
\ No newline at end of file
diff --git a/traefik/file-provider.yml b/traefik/file-provider.yml
deleted file mode 100644
index 7978444..0000000
--- a/traefik/file-provider.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-http:
- middlewares:
- common-auth:
- basicAuth:
- usersFile: "/etc/traefik/http_auth"
\ No newline at end of file
diff --git a/traefik/traefik.yml b/traefik/traefik.yaml
similarity index 64%
rename from traefik/traefik.yml
rename to traefik/traefik.yaml
index cc39c65..4d9dc3d 100644
--- a/traefik/traefik.yml
+++ b/traefik/traefik.yaml
@@ -7,13 +7,24 @@ providers:
 network: "traefik-network"
 exposedByDefault: false # Only expose explicitly enabled containers
 file:
- filename: /etc/traefik/file-provider.yml
+ directory: /etc/traefik/custom
+ watch: true

 entryPoints:
 insecure:
 address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: secure
+ scheme: https
 secure:
 address: ":443"
+ http:
+ tls:
+ certResolver: le
+ middlewares:
+ - security-headers@file

 certificatesResolvers:
 le:
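Review bot: `sniStrict: true` in the `default` option set makes Traefik refuse any TLS handshake whose SNI does not match a configured certificate, including clients that send no SNI at all (IP-based health checks, `openssl s_client` without `-servername`, some older agents); that is a sound hardening choice, but it deserves a comment in the file, e.g. `# Reject handshakes with no or unknown SNI instead of serving the default certificate`. `minVersion: VersionTLS12` without a `cipherSuites` list leaves TLS 1.2 negotiation to the Go defaults of whatever Traefik build is deployed, which, depending on the Go version, still admit non-forward-secret RSA key-exchange and CBC suites; pinning ECDHE/AEAD-only suites closes that, and TLS 1.3 is unaffected because Go does not let its suites be configured. If the Let's Encrypt keys are RSA only, the ECDSA entries are harmless but unused. The file also lacks a trailing newline.
```yaml
    default:
      # … unchanged: minVersion, sniStrict …
      # TLS 1.2 only: forward-secret AEAD suites (TLS 1.3 suites are fixed by Go)
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
```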
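Review bot: The `redirections` block on the `insecure` entry point replaces the deleted `https_redirect` labels, which set `permanent=true` explicitly, but the new form relies on Traefik's documented default for `entryPoint.permanent` to keep the 301; pinning `permanent: true` under `entryPoint:` keeps that intent visible in the file and survives a change of default. With `certResolver: le` now on the `secure` entry point, every router attached to it obtains an ACME certificate for the domains in its `Host()` rule unless it overrides `tls`, so a `HostRegexp` catch-all must never be attached to `secure` or Traefik will request certificates for whatever hostname a client sends — a one-line comment above `tls:` saying so would stop the next contributor from re-adding the old catch-all here. `watch: true` on `directory: /etc/traefik/custom` means any file dropped into that directory (including a middleware with the same name as `common-auth`) takes effect live, so the mount should stay read-only and owned by the deploying user. The `le` resolver starts on the last line of the hunk and continues outside it, so whether it uses an httpChallenge on `insecure` cannot be checked here; if it does, the entry-point redirect does not break it, as the ACME challenge router takes priority.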