compose.keycloak.yml

@@ -3,16 +3,8 @@ version: "3.8"
 
 services:
   app:
-    configs:
-      - source: file_provider_yml
-        target: /etc/traefik/file-provider.yml
     deploy:
       labels:
         - "traefik.http.routers.traefik.middlewares=keycloak@file"
     environment:
-      - FILE_PROVIDER_ENABLED
-
-configs:
-  file_provider_yml:
-    name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
-    file: file-provider.yml
+      - KEYCLOAK_MIDDLEWARE_ENABLED

compose.yml

@@ -14,6 +14,8 @@ services:
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
+      - source: file_provider_yml
+        target: /etc/traefik/file-provider.yml
     networks:
       - proxy
     environment:
@@ -34,7 +36,9 @@ services:
         - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.traefik.entrypoints=web-secure"
         - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.options=default@file"
         - "traefik.http.routers.traefik.service=api@internal"
+        - "traefik.http.routers.traefik.middlewares=security@file"
 
 networks:
   proxy:
@@ -45,6 +49,9 @@ configs:
     name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
     file: traefik.yml
     template_driver: golang
+  file_provider_yml:
+    name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
+    file: file-provider.yml
 
 volumes:
   letsencrypt:

file-provider.yml

@@ -1,9 +1,34 @@
 ---
 http:
   middlewares:
+    {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
         address: "http://traefik-forward-auth:4181"
         trustForwardHeader: true
         authResponseHeaders:
           - X-Forwarded-User
+    {{ end }}
+    security:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: "31536000"
+
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
+        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
+        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true

traefik.yml

@@ -8,10 +8,8 @@ providers:
     exposedByDefault: false
     network: proxy
     swarmMode: true
-  {{ if eq (env "FILE_PROVIDER_ENABLED") "1" }}
   file:
     filename: /etc/traefik/file-provider.yml
-  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}