Hardening middleware

dc2f62e8 · David Beniamine · 251f8eaa · dc2f62e8
Verified Commit dc2f62e8 authored 4 years ago by David Beniamine
--- a/docker-compose.yml.sample
+++ b/docker-compose.yml.sample
@@ -2,37 +2,43 @@ version: "3.3"
 services:
-  traefik:
+traefik:
-    image: "traefik:v2.3"
+image: "traefik:v2.3"
-    container_name: "traefik"
+container_name: "traefik"
-    ports:
+ports:
-      - "80:80"
+- "80:80"
-      - "443:443"
+- "443:443"
-    volumes:
+volumes:
-      - "./letsencrypt:/letsencrypt"
+- "./letsencrypt:/letsencrypt"
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+- "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "./traefik.toml:/etc/traefik/traefik.toml"
+- "./traefik.toml:/etc/traefik/traefik.toml"
-      - "./config:/config"
+- "./config:/config"
-      - "./acme.json:/acme.json"
+- "./acme.json:/acme.json"
-      - "./log:/var/log"
+- "./log:/var/log"
-    networks:
+networks:
-      - traefik
+- traefik
-    restart: always
+restart: always
-    labels:
+labels:
-      - "traefik.enable=true"
+- "traefik.enable=true"
-      - "traefik.docker.network=traefik"
+- "traefik.docker.network=traefik"
-      - "traefik.http.routers.traefikapi.rule=Host(`${HOST}`)"
+- "traefik.http.routers.traefikapi.rule=Host(`${HOST}`)"
-      - "traefik.http.routers.traefikapi.service=api@internal"
+- "traefik.http.routers.traefikapi.service=api@internal"
-      - "traefik.http.routers.traefikapi.tls.certresolver=myresolver"
+- "traefik.http.routers.traefikapi.tls.certresolver=myresolver"
-      - "traefik.http.routers.traefikapi.entrypoints=web,websecure"
+- "traefik.http.routers.traefikapi.entrypoints=web,websecure"
-      - "traefik.http.routers.traefikapi.middlewares=traefikapi@docker" # uncomment me ,auth"
+- "traefik.http.routers.traefikapi.middlewares=hardening@docker" # uncomment me ,auth"
-        # uncomment me - "traefik.http.middlewares.auth.basicauth.users=user:htpassword with $ doubled and final ."
+# uncomment me - "traefik.http.middlewares.auth.basicauth.users=user:htpassword with $ doubled and final ."
-      - "traefik.http.middlewares.traefikapi.headers.forceSTSHeader=true"
+- "traefik.http.middlewares.hardening.headers.sslredirect=true"
-      - "traefik.http.middlewares.traefikapi.headers.stsIncludeSubdomains=true"
+- "traefik.http.middlewares.hardening.headers.forceSTSHeader=true"
-      - "traefik.http.middlewares.traefikapi.headers.stsSeconds=31536000"
+- "traefik.http.middlewares.hardening.headers.stsIncludeSubdomains=true"
+- "traefik.http.middlewares.hardening.headers.stsSeconds=15552000"
+- "traefik.http.middlewares.hardening.headers.stsPreload=true"
+- "traefik.http.middlewares.hardening.headers.referrerPolicy=no-referrer"
+- "traefik.http.middlewares.hardening.headers.customFrameOptionsValue=SAMEORIGIN"
 networks:
-    traefik:
+traefik:
-        external: true
+external: true