enable traefik security feat

2024-06-10 06:17:15 +00:00
parent 13d9c32282
commit 389b7aea43
6 changed files with 75 additions and 29 deletions
--- a/traefik/etc/dynamic.yml
+++ b/traefik/etc/dynamic.yml
@@ -1,2 +1,29 @@
 # To enable update provider in traefik.yml

+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+    mintls13:
+      minVersion: VersionTLS13
+    cipherSuites:
+      - TLS_AES_256_GCM_SHA384
+      - TLS_AES_128_GCM_SHA256
+      - TLS_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_FALLBACK_SCSV
+
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        referrerPolicy: "same-origin"
+        sslRedirect: true
+        stsSeconds: 31536000
--- a/traefik/etc/traefik.yml
+++ b/traefik/etc/traefik.yml
@@ -10,12 +10,14 @@ entryPoints:
        entryPoint:
          to: websecure
          priority: 10
+      middlewares:
+        - secureHeaders@file
  websecure:
    address: :443
    http3:
      advertisedPort: 443

-certificatesresolvers:
+certificatesResolvers:
  rskio_certresolver:
    acme:
      tlschallenge: true
@@ -40,7 +42,7 @@ providers:
    endpoint: unix:///var/run/docker.sock
    network: rskio_default
    exposedByDefault: false
-#  file:
-#    filename: /etc/traefik/dynamic.yml
-#    watch: true
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true