Refactor Traefik

2020-10-23 10:45:03 +02:00 · 2020-10-23 10:45:03 +02:00 · f6bda77e15
parent 593d24f9e1
commit f6bda77e15
5 changed files with 31 additions and 13 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,4 +1,4 @@
-version: '3'
+version: "3.7"

 services:
    traefik:
@ -15,12 +15,6 @@ services:
            - configtraefik:/config
        labels:
            - "traefik.enable=true"
-            # HTTP to HTTPS redirection
-            - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
-            - "traefik.http.routers.http_catchall.entrypoints=insecure"
-            - "traefik.http.routers.http_catchall.middlewares=https_redirect"
-            - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
-            - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
            # Docker labels for enabling Traefik dashboard
            - "traefik.http.routers.traefik.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
            - "traefik.http.routers.traefik.entrypoints=secure"
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
@ -0,0 +1,13 @@
+http:
+  middlewares:
+    common-auth:
+      basicAuth:
+        usersFile: "/etc/traefik/http_auth"
+    security-headers:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 31536000
--- a/traefik/custom/tls.yaml
+++ b/traefik/custom/tls.yaml
@ -0,0 +1,5 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
--- a/traefik/file-provider.yml
+++ b/traefik/file-provider.yml
@ -1,5 +0,0 @@
-http:
-  middlewares:
-    common-auth:
-      basicAuth:
-        usersFile: "/etc/traefik/http_auth"
--- a/traefik/traefik.yaml
+++ b/traefik/traefik.yaml
@ -7,13 +7,24 @@ providers:
    network: "traefik-network"
    exposedByDefault: false # Only expose explicitly enabled containers
  file:
-    filename: /etc/traefik/file-provider.yml
+    directory: /etc/traefik/custom
+    watch: true

 entryPoints:
  insecure:
    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: secure
+          scheme: https
  secure:
    address: ":443"
+    http:
+      tls:
+        certResolver: le
+      middlewares:
+      - security-headers@file

 certificatesResolvers:
  le: