diff --git a/servers/containers/jade-website-frontend.container b/servers/containers/jade-website-frontend.container
index bb159c3b..166a56b0 100644
--- a/servers/containers/jade-website-frontend.container
+++ b/servers/containers/jade-website-frontend.container
@@ -19,16 +19,9 @@ Label="traefik.http.routers.jade-website-frontend.rule=Host(`jade.ellis.link`)"
 Label="traefik.http.routers.jade-website-frontend.entrypoints=https"
 Label="traefik.http.routers.jade-website-frontend.tls.certresolver=letsencrypt"
+# Label="traefik.http.routers.jade-website-frontend.tls.options=intermediate@file"
-
-Label="traefik.http.middlewares.compress.compress=true"
-
-Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
-Label="traefik.http.middlewares.hsts.headers.stspreload=true"
-Label="traefik.http.middlewares.hsts.headers.stsseconds=31536000"
-Label="traefik.http.middlewares.hsts.headers.isdevelopment=false"
-
-Label="traefik.http.routers.jade-website-frontend.middlewares=hsts,compress"
+Label="traefik.http.routers.jade-website-frontend.middlewares=default@file"
 Label="homepage.group=Public"
 Label="homepage.name=Website"
diff --git a/servers/traefik/additional/middleware.yml b/servers/traefik/additional/middleware.yml
new file mode 100644
index 00000000..bc399a4d
--- /dev/null
+++ b/servers/traefik/additional/middleware.yml
@@ -0,0 +1,27 @@
+http:
+  middlewares:
+    default:
+      chain:
+        middlewares:
+          - security-headers
+          - hsts
+          - compress
+    compress:
+      compress: true
+    hsts:
+      headers:
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 31536000
+        isDevelopment: false
+        forceSTSHeader: true
+    security-headers:
+      headers:
+        contentTypeNosniff: true
+        referrerPolicy: "no-referrer-when-downgrade"
+        frameDeny: true
+        customResponseHeaders:
+          Cross-Origin-Resource-Policy: same-origin
+          Cross-Origin-Opener-Policy: same-origin
+          Cross-Origin-Embedded-Policy: require-corp
+
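Review bot: The commented-out label on the new line `+# Label="...tls.options=intermediate@file"` names a TLS option that the new tls.yml never defines — that file declares `modern` and `default`, and the same stale `intermediate@file` name is repeated in the comment above `default :` in the tls.yml hunk. If the line is ever uncommented the router would point at a TLS option that does not exist; since the option is named `default`, Traefik already applies it to every TLS router that carries no `tls.options` label, so the comment should either go or be corrected to `# default@file is applied automatically; use modern@file to require TLS 1.3`. Both `default@file` references also only resolve if the file provider is configured to load servers/traefik/additional/ (`providers.file.directory`); the config.toml hunk shows just the removed `[tls.options]` block, so I cannot confirm that from the diff, and an unloaded file leaves this router referencing a middleware that does not exist.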
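Review bot: `Cross-Origin-Embedded-Policy: require-corp` under `customResponseHeaders` misspells the header; the real name is `Cross-Origin-Embedder-Policy`, so as written the value is emitted under a name browsers ignore and COEP never takes effect — change it to `Cross-Origin-Embedder-Policy: require-corp`. `stsPreload: true` together with `stsIncludeSubdomains: false` carries over the old label values, but the HSTS preload list requires `includeSubDomains`, so the `preload` directive is a no-op here; either enable both or drop `stsPreload`. `compress: true` is the label-style shorthand, whereas the file-provider documentation writes the middleware as `compress: {}`; I am not certain a bare boolean is accepted by the YAML provider, so it is worth confirming the middleware actually loads. `referrerPolicy: "no-referrer-when-downgrade"` is the browser default; `strict-origin-when-cross-origin` is the tighter choice if nothing depends on full referrers.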
diff --git a/servers/traefik/additional/tls.yml b/servers/traefik/additional/tls.yml
new file mode 100644
index 00000000..09a76611
--- /dev/null
+++ b/servers/traefik/additional/tls.yml
@@ -0,0 +1,18 @@
+tls:
+  options:
+    # To use with the label "traefik.http.routers.myrouter.tls.options=modern@file"
+    modern:
+      minVersion: "VersionTLS13" # Minimum TLS Version
+      sniStrict: true # Strict SNI Checking
+
+    # To use with the label "traefik.http.routers.myrouter.tls.options=intermediate@file"
+    default :
+      cipherSuites:
+        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+      minVersion: "VersionTLS12"
+      sniStrict: true
diff --git a/servers/traefik/config.toml b/servers/traefik/config.toml
index 9bc3d349..9e4247bb 100644
--- a/servers/traefik/config.toml
+++ b/servers/traefik/config.toml
@@ -54,20 +54,3 @@ storage = "/certificates/acme.json"
 # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
 # - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
 tlschallenge = true
-
-[tls.options]
-[tls.options.modern]
-minVersion = "VersionTLS13"
-sniStrict = true
-[tls.options.default]
-minVersion = "VersionTLS12"
-cipherSuites = [
-  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-]
-
-sniStrict = true
\ No newline at end of file
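Review bot: `default :` has a stray space before the colon; it still parses as the key `default`, but it is inconsistent with every other key in the file and yamllint flags it — write `default:`. A one-line comment above `cipherSuites` saying that the list only governs TLS 1.2 handshakes (Go does not allow configuring TLS 1.3 suites, which is why the `modern` option correctly lists none) would stop the next reader from trying to add TLS 1.3 suites here. `sniStrict: true` on the `default` option means any client that sends no SNI (connections by raw IP address, some uptime probes) is refused instead of being served the default certificate; that is reasonable for a public site, but worth a comment so it is not mistaken for a regression when such a probe fails.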