enable traefik security feat

2024-06-10 06:17:15 +00:00
parent 13d9c32282
commit 389b7aea43
6 changed files with 75 additions and 29 deletions
--- a/compose.yml
+++ b/compose.yml
@@ -11,9 +11,10 @@ services:
    command:
      - --configFile=/etc/traefik/traefik.yml
    ports:
-      - 80:80
-      - 443:443
-      - 8080:8080
+      - 80:80/tcp
+      - 443:443/tcp
+      - 443:443/udp
+      - 8080:8080/tcp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/etc:/etc/traefik:ro
--- a/mkdocs/docs/projects/k3s_traefik_setup.md
+++ b/mkdocs/docs/projects/k3s_traefik_setup.md
@@ -2,7 +2,7 @@

 ## Brief

-Enabling internal access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster
+Enabling traefik access to dashboard and metrics for traefik ingress controller in k3s kubernetes cluster

 - by `rskntroot` on `2024-07-01`

@@ -23,23 +23,30 @@ Server Version: v1.29.5+k3s1

 ## Traefik Dashboards

-`Traefik Dashboards` refers to both traefik dashboard and prometheus metrics for traefik which are readily available, however, disabled by default in K3S. 
+K3S comes packaged with `Traefik Dashboard` and `Prometheus Metrics` which are disabled by default. 

 ### Preparation

-Enable `internal`+`.your.domain.com` in non-public DNS
+=== "DNS"

- (alt) edit the `hosts` file on your admin to point the desired k3s host IP
+    Set DNS record `traefik.your.domain.com` in a non-public DNS

-On host with `kubectl` access:
-``` bash
-export DOMAIN=your.domain.com
-```
+=== "Hosts File"
+
+    Alternatively, you can just edit your workstations `hosts` file.
+
+    ``` title="/etc/hosts"
+
+    10.0.0.1    traefik.your.domain.com
+
+    ```

 !!! warning "This example does not include authentication. Exposing these dashboards is a security risk." 

 ### Update Manifest

+On host with `kubectl` access.
+
 Add the following to `spec.valuesContent` in:

 ``` bash
@@ -102,7 +109,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.

 === "Traefik Dashboard"

-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
    apiVersion: v1
    kind: Service
    metadata:
@@ -133,7 +140,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
        spec.ingressClassName: traefik
    spec:
      rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
          http:
            paths:
              - path: /
@@ -147,7 +154,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.

 === "Promethus Only"

-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
    apiVersion: v1
    kind: Service
    metadata:
@@ -178,7 +185,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
        spec.ingressClassName: traefik
    spec:
      rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
          http:
            paths:
              - path: /
@@ -199,7 +206,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.

 === "Both"

-    ``` yaml
+    ``` yaml title="traefik-dashboard.yml"
    apiVersion: v1
    kind: Service
    metadata:
@@ -251,7 +258,7 @@ Save the following to `traefik-dashboard.yml` in your workspace.
        spec.ingressClassName: traefik
    spec:
      rules:
-        - host: internal.${DOMAIN}
+        - host: traefik.${DOMAIN}
          http:
            paths:
              - path: /
@@ -272,7 +279,11 @@ Save the following to `traefik-dashboard.yml` in your workspace.

 ### Create Service & Ingress Resources

-[envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated below.
+First, set the environment variable for to your domain.
+
+``` bash
+export DOMAIN=your.domain.com
+```

 === "Bash"

@@ -292,6 +303,10 @@ Save the following to `traefik-dashboard.yml` in your workspace.
    traefik-metrics     ClusterIP      10.43.189.128   <none>    9100/TCP    25s
    ```

+!!! note annotate "Why are passing the yaml file into `envsubst`? (1)"
+
+1. `envsubst` - [gnu](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) - enables code-reuse by providing environment variable substituion as demonstrated above.
+
 ### Access Dashboards

 That's it. You should now be able to access the Traefik Ingress Controller Dashboard and metrics remotely.  
@@ -301,7 +316,7 @@ Don't forget to include the appropriate uri paths:
 === "Traefik Dashboard"

    ```
-    https://internal.your.domain.com/dashboard/
+    https://traefik.your.domain.com/dashboard/
    ```

    !!! tip "When navigating to the traefik dashboard the `/` at the end is necessary. `/dashboard` will not work. "
@@ -309,7 +324,7 @@ Don't forget to include the appropriate uri paths:
 === "Promethus Metrics"

      ```
-      https://internal.your.domain.com/metrics
+      https://traefik.your.domain.com/metrics
      ```

 ### Disable Dashboards
--- a/mkdocs/mkdocs.yml
+++ b/mkdocs/mkdocs.yml
@@ -6,9 +6,10 @@ theme:
  name: material
  features:
    - navigation.instant
+    - content.code.copy
+    - content.code.select
  icon:
    admonition:
-      note: fontawesome/solid/note-sticky
      abstract: fontawesome/solid/book
      info: fontawesome/solid/circle-info
      success: fontawesome/solid/check
@@ -18,6 +19,7 @@ theme:
      bug: fontawesome/solid/robot
      example: fontawesome/solid/flask
      quote: fontawesome/solid/quote-left
+    annotation: material/plus-circle
    repo: fontawesome/brands/github
  palette:
    # Palette toggle for dark mode
@@ -32,8 +34,10 @@ theme:
        icon: material/weather-night
        name: Switch to dark mode
 markdown_extensions:
-  - admonition
  - abbr
+  - admonition
+  - attr_list
+  - md_in_html
  - pymdownx.snippets:
      auto_append:
        - includes/abbreviations.md
--- a/nginx/etc/conf.d/default.conf
+++ b/nginx/etc/conf.d/default.conf
@@ -10,9 +10,6 @@ server {
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header X-XSS-Protection "1; mode=block";

-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers on;
-
    # rskio logging is handled via traefik
    #access_log  /var/log/nginx/host.access.log  main;

--- a/traefik/etc/dynamic.yml
+++ b/traefik/etc/dynamic.yml
@@ -1,2 +1,29 @@
 # To enable update provider in traefik.yml

+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+    mintls13:
+      minVersion: VersionTLS13
+    cipherSuites:
+      - TLS_AES_256_GCM_SHA384
+      - TLS_AES_128_GCM_SHA256
+      - TLS_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_FALLBACK_SCSV
+
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        referrerPolicy: "same-origin"
+        sslRedirect: true
+        stsSeconds: 31536000
--- a/traefik/etc/traefik.yml
+++ b/traefik/etc/traefik.yml
@@ -10,12 +10,14 @@ entryPoints:
        entryPoint:
          to: websecure
          priority: 10
+      middlewares:
+        - secureHeaders@file
  websecure:
    address: :443
    http3:
      advertisedPort: 443

-certificatesresolvers:
+certificatesResolvers:
  rskio_certresolver:
    acme:
      tlschallenge: true
@@ -40,7 +42,7 @@ providers:
    endpoint: unix:///var/run/docker.sock
    network: rskio_default
    exposedByDefault: false
-#  file:
-#    filename: /etc/traefik/dynamic.yml
-#    watch: true
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true