From 503f438bdf3c3b918945f3a5d92025a4170dcd76 Mon Sep 17 00:00:00 2001
From: Bryan Joshua Pedini
Date: Tue, 16 Aug 2022 15:53:27 +0200
Subject: [PATCH] enhanced security through HSTS headers' middleware

---
 docker-compose.yml | 6 +++++-
 env.example        | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9525489..489862b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -41,12 +41,16 @@ services:
 # configure a global middleware for redirecting HTTP to HTTPS
 - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
 - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
+# configure a global middleware to harden security through HSTS
+- traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
+- traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
+- traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
 ### Section HTTP
 - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
 # only some people can access the dashboard, hence protect it with it's whitelist
 - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
 # redirect Træfik dashboard to HTTPS only
-- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
+- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https,hsts
 - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
 - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
 ### Section HTTPS
diff --git a/env.example b/env.example
index 684dbad..864cdfa 100644
--- a/env.example
+++ b/env.example
@@ -8,7 +8,12 @@ TRAEFIK_NETWORK=traefik
 TRAEFIK_MATCHRULE=traefik.mydomain.com
 TRAEFIK_ROUTER=traefik_mydomain_com
 TRAEFIK_PILOT_TOKEN=
+
+# Security
 TRAEFIK_TLSENABLED=true
+TRAEFIK_STS_SECONDS=15552000
+TRAEFIK_STS_SUBDOMAINS=true
+TRAEFIK_STS_PRELOAD=true
 # Certificate provider
 TRAEFIK_DNSPROVIDER=hetzner
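Review bot: The new `hsts` middleware is attached only to the plain-HTTP router (`traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https,hsts`, whose entrypoint is `http`), so the Strict-Transport-Security header is never effective: RFC 6797 requires user agents to ignore that header on non-TLS responses, and the `http-to-https` redirect that precedes it in the chain answers the request anyway. The middleware needs to be referenced from the HTTPS router's `middlewares` label in the `### Section HTTPS` block, which lies below the hunk, e.g. `- traefik.http.routers.<https-router>.middlewares=hsts` alongside whatever that router already lists (exact router name to be taken from that section); it can be dropped from the HTTP router, where `http-to-https` alone suffices. Separately, this replaced line is the second `middlewares=` label for the same router, the first being `dashboard-whitelist`; with duplicate keys Docker appears to keep only one, so the dashboard allow-list is likely not applied on this router — pre-existing, but worth merging into one comma-separated list while this line is being touched.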
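Review bot: The example defaults `TRAEFIK_STS_PRELOAD=true` and `TRAEFIK_STS_SUBDOMAINS=true`, which are the two HSTS settings that are hard to back out of: `includeSubDomains` forces every subdomain of the host (including any that are not served over TLS) to HTTPS for the whole `max-age`, and `preload` signals consent to be baked into browser preload lists, from which removal takes months. An example file that users copy unchanged should ship the conservative value, `TRAEFIK_STS_PRELOAD=false`, with a comment such as `# set to true only after verifying every subdomain is served over TLS; see hstspreload.org`. The chosen `TRAEFIK_STS_SECONDS=15552000` (180 days) is also below the one-year minimum (31536000) that hstspreload.org requires for a preload submission, so `preload=true` with this max-age is inconsistent as written. A one-line note that these values only take effect on responses served over HTTPS (`TRAEFIK_TLSENABLED=true`) would help operators understand why they see no header on the HTTP entrypoint.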