Improve SSL rating #8

Merged
decentral1se merged 1 commits from enable-better-ssl into master 2020-10-27 12:46:55 +00:00
4 changed files with 33 additions and 11 deletions


@ -3,16 +3,8 @@ version: "3.8"
services: services:
app: app:
configs:
- source: file_provider_yml
target: /etc/traefik/file-provider.yml
deploy: deploy:
labels: labels:
- "traefik.http.routers.traefik.middlewares=keycloak@file" - "traefik.http.routers.traefik.middlewares=keycloak@file"
environment: environment:
- FILE_PROVIDER_ENABLED - KEYCLOAK_MIDDLEWARE_ENABLED
configs:
file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml
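Review bot: When this override is layered on compose.yml, the unchanged `traefik.http.routers.traefik.middlewares=keycloak@file` label replaces the `security@file` value that compose.yml now sets for the same label key (Compose merges labels by key, later file wins), so enabling Keycloak silently drops the new security-headers middleware from the dashboard router. Change the label to `- "traefik.http.routers.traefik.middlewares=keycloak@file,security@file"` so both are applied. Dropping the `file_provider_yml` config stanza here is consistent with compose.yml now always mounting the file, but the keycloak block is only rendered when `KEYCLOAK_MIDDLEWARE_ENABLED` is exactly `1`; a short comment on the environment entry saying so would help operators.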


@ -14,6 +14,8 @@ services:
configs: configs:
- source: traefik_yml - source: traefik_yml
target: /etc/traefik/traefik.yml target: /etc/traefik/traefik.yml
- source: file_provider_yml
target: /etc/traefik/file-provider.yml
networks: networks:
- proxy - proxy
environment: environment:
@ -34,7 +36,9 @@ services:
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=web-secure" - "traefik.http.routers.traefik.entrypoints=web-secure"
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.traefik.tls.options=default@file"
- "traefik.http.routers.traefik.service=api@internal" - "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.middlewares=security@file"
networks: networks:
proxy: proxy:
@ -45,6 +49,9 @@ configs:
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION} name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
file: traefik.yml file: traefik.yml
template_driver: golang template_driver: golang
file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml
volumes: volumes:
letsencrypt: letsencrypt:
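Review bot: The new `file_provider_yml` config at the end of this section has no `template_driver: golang`, unlike `traefik_yml` directly above it, yet file-provider.yml now contains `{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}` and `{{ end }}` lines; without the template driver Docker delivers those lines verbatim, and the file provider receives a file that is not valid YAML (or, at best, a keycloak middleware that is always defined). Add `template_driver: golang` under `file_provider_yml`, unless something outside this diff supplies it. In the router hunk, `traefik.http.routers.traefik.tls.options=default@file` is harmless but, as far as I know, redundant, since Traefik applies the `default` TLS option set to every TLS router that does not name another one. By contrast `middlewares=security@file` only protects the dashboard router; any other stack's router has to reference `security@file` itself, which is worth a comment next to the label.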


@ -1,9 +1,34 @@
--- ---
http: http:
middlewares: middlewares:
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
keycloak: keycloak:
forwardAuth: forwardAuth:
address: "http://traefik-forward-auth:4181" address: "http://traefik-forward-auth:4181"
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-Forwarded-User - X-Forwarded-User
{{ end }}
security:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: "31536000"
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
- TLS_AES_256_GCM_SHA384 # TLS 1.3
- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
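Review bot: `curvePreferences` lists only CurveP521 and CurveP384, so X25519, the curve Go's TLS stack prefers by default and the cheapest constant-time option, is never negotiated; add `- X25519` as the first entry and keep the NIST curves after it. Depending on the Go version Traefik is built with, P-521 may not have a constant-time implementation, so ranking it first is the weakest of the three choices. The two TLS 1.3 entries in `cipherSuites` are informational at best, because Go's crypto/tls does not let applications restrict TLS 1.3 suites; only the two TLS 1.2 entries take effect. With only ECDHE_RSA suites listed, switching the ACME resolver to an EC key type would leave no usable TLS 1.2 suite, so a comment such as `# RSA-only suites: revisit if the certresolver key type is changed to EC` above the list would save a future debugging session.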


@ -8,10 +8,8 @@ providers:
exposedByDefault: false exposedByDefault: false
network: proxy network: proxy
swarmMode: true swarmMode: true
{{ if eq (env "FILE_PROVIDER_ENABLED") "1" }}
file: file:
filename: /etc/traefik/file-provider.yml filename: /etc/traefik/file-provider.yml
{{ end }}
api: api:
dashboard: {{ env "DASHBOARD_ENABLED" }} dashboard: {{ env "DASHBOARD_ENABLED" }}