Improve security config

2024-04-02 16:16:14 +01:00 · 2024-04-02 16:16:14 +01:00 · 45d1a5aceb
commit 45d1a5aceb
parent 289e087066
4 changed files with 47 additions and 26 deletions
--- a/servers/containers/jade-website-frontend.container
+++ b/servers/containers/jade-website-frontend.container
@ -19,16 +19,9 @@ Label="traefik.http.routers.jade-website-frontend.rule=Host(`jade.ellis.link`)"
 Label="traefik.http.routers.jade-website-frontend.entrypoints=https"

 Label="traefik.http.routers.jade-website-frontend.tls.certresolver=letsencrypt"
+# Label="traefik.http.routers.jade-website-frontend.tls.options=intermediate@file"

-
-Label="traefik.http.middlewares.compress.compress=true"
-
-Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
-Label="traefik.http.middlewares.hsts.headers.stspreload=true"
-Label="traefik.http.middlewares.hsts.headers.stsseconds=31536000"
-Label="traefik.http.middlewares.hsts.headers.isdevelopment=false"
-
-Label="traefik.http.routers.jade-website-frontend.middlewares=hsts,compress"
+Label="traefik.http.routers.jade-website-frontend.middlewares=default@file"

 Label="homepage.group=Public"
 Label="homepage.name=Website"
--- a/servers/traefik/additional/middleware.yml
+++ b/servers/traefik/additional/middleware.yml
@ -0,0 +1,27 @@
+http:
+  middlewares:
+    default:
+      chain:
+        middlewares:
+          - security-headers
+          - hsts
+          - compress
+    compress:
+      compress: true
+    hsts:
+      headers: 
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 31536000
+        isDevelopment: false
+        forceSTSHeader: true
+    security-headers:
+      headers: 
+        contentTypeNosniff: true
+        referrerPolicy: "no-referrer-when-downgrade"
+        frameDeny: true
+        customResponseHeaders:
+          Cross-Origin-Resource-Policy: same-origin
+          Cross-Origin-Opener-Policy: same-origin
+          Cross-Origin-Embedded-Policy: require-corp
+
--- a/servers/traefik/additional/tls.yml
+++ b/servers/traefik/additional/tls.yml
@ -0,0 +1,18 @@
+tls:
+  options:
+    # To use with the label "traefik.http.routers.myrouter.tls.options=modern@file"
+    modern:
+      minVersion: "VersionTLS13"                          # Minimum TLS Version
+      sniStrict: true                                     # Strict SNI Checking
+    
+    # To use with the label "traefik.http.routers.myrouter.tls.options=intermediate@file"
+    default :
+      cipherSuites:
+        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+      minVersion: "VersionTLS12"
+      sniStrict: true    
--- a/servers/traefik/config.toml
+++ b/servers/traefik/config.toml
@ -54,20 +54,3 @@ storage = "/certificates/acme.json"
 # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
 # - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
 tlschallenge = true
-
-[tls.options]
-[tls.options.modern]
-minVersion = "VersionTLS13"
-sniStrict = true
-[tls.options.default]
-minVersion = "VersionTLS12"
-cipherSuites = [
-  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-]
-
-sniStrict = true