enable traefik security feat

compose.yml

@@ -11,9 +11,10 @@ services:
     command:
       - --configFile=/etc/traefik/traefik.yml
     ports:
-      - 80:80
+      - 80:80/tcp
-      - 443:443
+      - 443:443/tcp
-      - 8080:8080
+      - 443:443/udp
+      - 8080:8080/tcp
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik/etc:/etc/traefik:ro

mkdocs/docs/projects/k3s_traefik_setup.md

@@ -2,7 +2,7 @@
 
 ## Brief
 
-Enabling internal access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster
+Enabling traefik access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster
 
 - by `rskntroot` on `2024-07-01`
 
@@ -23,23 +23,30 @@ Server Version: v1.29.5+k3s1
 
 ## Traefik Dashboards
 
-`Traefik Dashboards` refers to both traefik dashboard and prometheus metrics for traefik which are readily available, however, disabled by default in K3S. 
+K3S comes packaged with `Traefik Dashboard` and `Prometheus Metrics` which are disabled by default. 
 
 ### Preparation
 
-Enable `internal`+`.your.domain.com` in non-public DNS
+=== "DNS"
 
-- (alt) edit the `hosts` file on your admin to point the desired k3s host IP
+    Set DNS record `traefik.your.domain.com` in a non-public DNS
 
-On host with `kubectl` access:
+=== "Hosts File"
-``` bash
+
-export DOMAIN=your.domain.com
+    Alternatively, you can just edit your workstations `hosts` file.
-```
+
+    ``` title="/etc/hosts"
+
+    10.0.0.1    traefik.your.domain.com
+
+    ```
 
 !!! warning "This example does not include authentication. Exposing these dashboards is a security risk." 
 
 ### Update Manifest
 
+On host with `kubectl` access.
+
 Add the following to `spec.valuesContent` in:
 
 ``` bash
@@ -102,7 +109,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
 
 === "Traefik Dashboard"
 
-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
     apiVersion: v1
     kind: Service
     metadata:
@@ -133,7 +140,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
         spec.ingressClassName: traefik
     spec:
       rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
           http:
             paths:
               - path: /
@@ -147,7 +154,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
 
 === "Promethus Only"
 
-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
     apiVersion: v1
     kind: Service
     metadata:
@@ -178,7 +185,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
         spec.ingressClassName: traefik
     spec:
       rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
           http:
             paths:
               - path: /
@@ -199,7 +206,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
 
 === "Both"
 
-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
     apiVersion: v1
     kind: Service
     metadata:
@@ -251,7 +258,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
         spec.ingressClassName: traefik
     spec:
       rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
           http:
             paths:
               - path: /
@@ -272,7 +279,11 @@ Save the following to `traefik-dashboard.yml` in your workspace.
 
 ### Create Service & Ingress Resources
 
-[envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated below.
+First, set the environment variable for to your domain.
+
+``` bash
+export DOMAIN=your.domain.com
+```
 
 === "Bash"
 
@@ -292,6 +303,10 @@ Save the following to `traefik-dashboard.yml` in your workspace.
     traefik-metrics     ClusterIP      10.43.189.128   <none>    9100/TCP    25s
     ```
 
+!!! note annotate "Why are passing the yaml file into `envsubst`? (1)"
+
+1. `envsubst` - [gnu](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated above.
+
 ### Access Dashboards
 
 That's it. You should now be able to access the Traefik Ingress Controller Dashboard and metrics remotely.  
@@ -301,7 +316,7 @@ Don't forget to include the appropriate uri paths:
 === "Traefik Dashboard"
 
     ```
-    https://internal.your.domain.com/dashboard/
+    https://traefik.your.domain.com/dashboard/
     ```
 
     !!! tip "When navigating to the traefik dashboard the `/` at the end is necessary. `/dashboard` will not work. "
@@ -309,7 +324,7 @@ Don't forget to include the appropriate uri paths:
 === "Promethus Metrics"
 
       ```
-      https://internal.your.domain.com/metrics
+      https://traefik.your.domain.com/metrics
       ```
 
 ### Disable Dashboards

mkdocs/mkdocs.yml

@@ -6,9 +6,10 @@ theme:
   name: material
   features:
     - navigation.instant
+    - content.code.copy
+    - content.code.select
   icon:
     admonition:
-      note: fontawesome/solid/note-sticky
       abstract: fontawesome/solid/book
       info: fontawesome/solid/circle-info
       success: fontawesome/solid/check
@@ -18,6 +19,7 @@ theme:
       bug: fontawesome/solid/robot
       example: fontawesome/solid/flask
       quote: fontawesome/solid/quote-left
+    annotation: material/plus-circle
     repo: fontawesome/brands/github
   palette:
     # Palette toggle for dark mode
@@ -32,8 +34,10 @@ theme:
         icon: material/weather-night
         name: Switch to dark mode
 markdown_extensions:
-  - admonition
   - abbr
+  - admonition
+  - attr_list
+  - md_in_html
   - pymdownx.snippets:
       auto_append:
         - includes/abbreviations.md

nginx/etc/conf.d/default.conf

@@ -10,9 +10,6 @@ server {
     add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
     add_header X-XSS-Protection "1; mode=block";
 
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers on;
-
     # rskio logging is handled via traefik
     #access_log  /var/log/nginx/host.access.log  main;
 

traefik/etc/dynamic.yml

@@ -1,2 +1,29 @@
 # To enable update provider in traefik.yml
 
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+    mintls13:
+      minVersion: VersionTLS13
+    cipherSuites:
+      - TLS_AES_256_GCM_SHA384
+      - TLS_AES_128_GCM_SHA256
+      - TLS_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_FALLBACK_SCSV
+
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        referrerPolicy: "same-origin"
+        sslRedirect: true
+        stsSeconds: 31536000

traefik/etc/traefik.yml

@@ -10,12 +10,14 @@ entryPoints:
         entryPoint:
           to: websecure
           priority: 10
+      middlewares:
+        - secureHeaders@file
   websecure:
     address: :443
     http3:
       advertisedPort: 443
 
-certificatesresolvers:
+certificatesResolvers:
   rskio_certresolver:
     acme:
       tlschallenge: true
@@ -40,7 +42,7 @@ providers:
     endpoint: unix:///var/run/docker.sock
     network: rskio_default
     exposedByDefault: false
-#  file:
+  file:
-#    filename: /etc/traefik/dynamic.yml
+    filename: /etc/traefik/dynamic.yml
-#    watch: true
+    watch: true