4 changed files with 33 additions and 11 deletions
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@ -3,16 +3,8 @@ version: "3.8"

 services:
  app:
-    configs:
-      - source: file_provider_yml
-        target: /etc/traefik/file-provider.yml
    deploy:
      labels:
        - "traefik.http.routers.traefik.middlewares=keycloak@file"
    environment:
-      - FILE_PROVIDER_ENABLED
-
-configs:
-  file_provider_yml:
-    name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
-    file: file-provider.yml
+      - KEYCLOAK_MIDDLEWARE_ENABLED
--- a/compose.yml
+++ b/compose.yml
@ -14,6 +14,8 @@ services:
    configs:
      - source: traefik_yml
        target: /etc/traefik/traefik.yml
+      - source: file_provider_yml
+        target: /etc/traefik/file-provider.yml
    networks:
      - proxy
    environment:
@ -34,7 +36,9 @@ services:
        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.traefik.entrypoints=web-secure"
        - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.options=default@file"
        - "traefik.http.routers.traefik.service=api@internal"
+        - "traefik.http.routers.traefik.middlewares=security@file"

 networks:
  proxy:
@ -45,6 +49,9 @@ configs:
    name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
    file: traefik.yml
    template_driver: golang
+  file_provider_yml:
+    name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
+    file: file-provider.yml

 volumes:
  letsencrypt:
--- a/file-provider.yml
+++ b/file-provider.yml
@ -1,9 +1,34 @@
 ---
 http:
  middlewares:
+    {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
    keycloak:
      forwardAuth:
        address: "http://traefik-forward-auth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
+    {{ end }}
+    security:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: "31536000"
+
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
+        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
+        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true
--- a/traefik.yml
+++ b/traefik.yml
@ -8,10 +8,8 @@ providers:
    exposedByDefault: false
    network: proxy
    swarmMode: true
-  {{ if eq (env "FILE_PROVIDER_ENABLED") "1" }}
  file:
    filename: /etc/traefik/file-provider.yml
-  {{ end }}

 api:
  dashboard: {{ env "DASHBOARD_ENABLED" }}