Commit 40bc6592 authored by Hidde-Jan Jongsma's avatar Hidde-Jan Jongsma

Add safe tls and header settings

parent 4552edb3
################################################################
# Header configuration
################################################################
[http.middlewares]
[http.middlewares.redirectToHttps.redirectScheme]
scheme = "https"
[http.middlewares.securityHeaders.headers]
frameDeny = true
browserXssFilter = true
contentTypeNosniff = true
referrerPolicy = "strict-origin-when-cross-origin"
[http.middlewares.securityHeaders.headers.customResponseHeaders]
Strict-Transport-Security = "max-age=63072000"
################################################################
# TLS configuration
################################################################
[tls.options]
[tls.options.safeTLSOptions]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
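Review bot: Strict-Transport-Security is set as a raw value under `[http.middlewares.securityHeaders.headers.customResponseHeaders]` on the line `Strict-Transport-Security = "max-age=63072000"`, while the headers middleware has dedicated STS options that are easier to audit and cannot be overridden by a backend response; the equivalent is `stsSeconds = 63072000` under `[http.middlewares.securityHeaders.headers]`, with `stsIncludeSubdomains = true` and `stsPreload = true` added only if every subdomain of the host is served over TLS, since those are hard to roll back. The redirect middleware on the line `scheme = "https"` issues a temporary redirect by default; add `permanent = true` to the same table if a 301 is intended. The empty `[http.middlewares]` and `[tls.options]` headers carry no keys and can be dropped, as `[http.middlewares.redirectToHttps.redirectScheme]` and `[tls.options.safeTLSOptions]` create the parent tables implicitly. The TLS option set itself is sound: TLS 1.2 minimum, strict SNI, and only ECDHE AEAD suites (TLS 1.3 suites are not configurable and remain enabled).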
......@@ -10,15 +10,19 @@ services:
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.toml:/etc/traefik/traefik.toml"
- "./conf.d:/etc/traefik/conf.d"
- "./letsencrypt:/letsencrypt"
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.api-insecure.rule=Host(`dashboard.ssi-lab.sensorlab.tno.nl`)"
- "traefik.http.routers.api-insecure.middlewares=redirectToHttps@file,securityHeaders@file"
- "traefik.http.routers.api.tls.certresolver=letsencrypt"
- "traefik.http.routers.api.tls.options=safeTLSOptions@file"
- "traefik.http.routers.api.rule=Host(`dashboard.ssi-lab.sensorlab.tno.nl`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
- "traefik.http.routers.api.middlewares=auth,securityHeaders@file"
- "traefik.http.middlewares.auth.basicauth.users=tno:$$apr1$$uZnTd1cS$$qhXRXXSbxEXOmcJ56iFH.1"
networks:
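Review bot: The middleware order on the new line `traefik.http.routers.api.middlewares=auth,securityHeaders@file` means a request that basicauth rejects never reaches the headers middleware, so the 401 challenge response is sent without the security headers. Putting the headers middleware first, `traefik.http.routers.api.middlewares=securityHeaders@file,auth`, applies them to every response the router emits, including the challenge. The `api-insecure` router's entrypoint binding is not visible in this hunk, so I am assuming it is attached to the plain-HTTP entrypoint elsewhere in the file; if it is not, the `redirectToHttps@file` middleware on it never runs. The `services:` block this hunk belongs to starts outside the hunk.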
......@@ -151,6 +151,16 @@
#
exposedByDefault = false
################################################################
# File providers - need to be dynamic so docker can reference
# the options.
################################################################
# Enable Docker configuration backend
[providers.file]
directory = "/etc/traefik/conf.d"
watch = true
################################################################
# TLS configuration
################################################################
......@@ -159,3 +169,7 @@
tlschallenge = true
email = "hidde-jan.jongsma@tno.nl"
storage= "/letsencrypt/acme.json"
[tls.options]
[tls.options.default]
sniStrict = true
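Review bot: The new `[tls.options.default]` block ending on `sniStrict = true` is added to what looks like the static configuration (the `[providers.file]` table and the ACME `tlschallenge`/`storage` keys sit in the same file), but in Traefik v2 TLS options are dynamic configuration, so this block is likely either rejected at startup or not applied rather than hardening anything; the comment added in the earlier hunk, "need to be dynamic so docker can reference the options", says as much. Move it next to `safeTLSOptions` in the file-provider directory, where a `default` option also covers routers that do not name `tls.options` explicitly. The comment `# Enable Docker configuration backend` above `[providers.file]` describes the wrong provider; `# Enable file configuration backend` would match the table it documents. Both hunks are cut at their header lines, so the surrounding static keys are not visible here.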