Improve SSL rating #8

decentral1se merged 1 commit from enable-better-ssl into master 2020-10-27 12:46:55 +00:00
4 changed files with 33 additions and 11 deletions


@ -3,16 +3,8 @@ version: "3.8"
services:
app:
configs:
- source: file_provider_yml
target: /etc/traefik/file-provider.yml
deploy:
labels:
- "traefik.http.routers.traefik.middlewares=keycloak@file"
environment:
- FILE_PROVIDER_ENABLED
configs:
file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml
- KEYCLOAK_MIDDLEWARE_ENABLED
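Review bot: With the `+`/`-` markers lost it is not certain which side the `traefik.http.routers.traefik.middlewares=keycloak@file` label ends on, but the counts (16 old, 8 new) suggest most of this section is removed, including that label, while compose.yml in this same PR now sets `traefik.http.routers.traefik.middlewares=security@file` on the same router. If that reading is right, the keycloak forwardAuth middleware still defined in file-provider.yml is not attached to the dashboard router by anything visible here; since compose label keys override rather than merge, the overriding side would need the chained value `traefik.http.routers.traefik.middlewares=security@file,keycloak@file` to keep both the headers and the auth check. Worth confirming against the rendered labels of a deployment with `KEYCLOAK_MIDDLEWARE_ENABLED=1`. The enclosing `services:` mapping continues outside the hunk.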


@ -14,6 +14,8 @@ services:
configs:
- source: traefik_yml
target: /etc/traefik/traefik.yml
- source: file_provider_yml
target: /etc/traefik/file-provider.yml
networks:
- proxy
environment:
@ -34,7 +36,9 @@ services:
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=web-secure"
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.traefik.tls.options=default@file"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.middlewares=security@file"
networks:
proxy:
@ -45,6 +49,9 @@ configs:
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
file: traefik.yml
template_driver: golang
file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml
volumes:
letsencrypt:
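Review bot: `file_provider_yml` is declared without `template_driver: golang`, while the neighbouring `traefik_yml` config has it, yet the file-provider.yml added in this PR contains `{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}` directives. If the intent is for Traefik's file provider to expand them itself at runtime, that only works when the variable reaches the container environment (the first file in this PR passes `KEYCLOAK_MIDDLEWARE_ENABLED`), and a comment such as `# no template_driver: Traefik expands the {{ }} directives itself; keep the env var in the service environment` would stop someone "fixing" the inconsistency; if the intent is Docker-side rendering, add `template_driver: golang` here as well. Separately, `traefik.http.routers.traefik.tls.options=default@file` is redundant but harmless, because Traefik applies the TLS option named `default` to every TLS router that names none. The `configs:` mapping this hunk edits starts outside the hunk.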


@ -1,9 +1,34 @@
---
http:
middlewares:
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
keycloak:
forwardAuth:
address: "http://traefik-forward-auth:4181"
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
{{ end }}
security:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: "31536000"
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
- TLS_AES_256_GCM_SHA384 # TLS 1.3
- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
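Review bot: The two entries marked `# TLS 1.3` under `cipherSuites` (`TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) have no effect: Go's crypto/tls, which Traefik uses, does not allow TLS 1.3 cipher suites to be configured and always enables all of them, so this list only constrains TLS 1.2 and the comments should say so, e.g. `# TLS 1.3 suites are fixed by Go and listed here for documentation only`. The TLS 1.2 list is also RSA-only (`TLS_ECDHE_RSA_*`); if the ACME resolver is ever switched to an ECDSA key, TLS 1.2 clients would have no usable suite, so either add the `TLS_ECDHE_ECDSA_*` counterparts or record the assumption with `# TLS 1.2 suites assume an RSA certificate`. `stsSeconds: "31536000"` is quoted although the headers middleware takes it as an integer; it probably decodes, but an unquoted `stsSeconds: 31536000` avoids relying on lenient parsing. Finally, `sniStrict: true` on the `default` option rejects any client that connects without SNI (plain-IP health checks, some probes), which deserves a one-line comment since it applies to every TLS router.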


@ -8,10 +8,8 @@ providers:
exposedByDefault: false
network: proxy
swarmMode: true
{{ if eq (env "FILE_PROVIDER_ENABLED") "1" }}
file:
filename: /etc/traefik/file-provider.yml
{{ end }}
api:
dashboard: {{ env "DASHBOARD_ENABLED" }}
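Review bot: The `{{ if eq (env "FILE_PROVIDER_ENABLED") "1" }}` guard around the `file` provider appears to be on the removed side (10 old lines vs 8 new), and that is what this change needs: the router labels added in compose.yml now reference `default@file` and `security@file`, so the file provider must load unconditionally or those references dangle and Traefik puts the router into an error state. If the guard is in fact still present on the new side, drop it or default the variable to `1`, and add `# file provider is mandatory: compose.yml router labels reference middlewares/TLS options defined in it`. The pre-existing `dashboard: {{ env "DASHBOARD_ENABLED" }}` in the same hunk renders to an empty value when the variable is unset, which YAML reads as null; a comment such as `# DASHBOARD_ENABLED must be exactly true or false; an empty value yields null` would help the next reader.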