From 0b97b07445ddae82bb8506123ccc509638bcd9eb Mon Sep 17 00:00:00 2001
From: Lionel Sambuc
Date: Sat, 17 Apr 2021 12:50:09 +0000
Subject: [PATCH] Traefik configuration

---
 .gitignore | 5 ++
 README.md | 30 ++++++++-
 conf/files-examples/headers-policy-domain.yml | 7 ++
 conf/files/auth-traefik.yml | 6 ++
 conf/files/headers-base.yml | 9 +++
 conf/files/headers-policy-self.yml | 6 ++
 conf/files/headers-sts.yml | 7 ++
 conf/files/net-home.yml | 5 ++
 conf/files/tls.yml | 19 ++++++
 docker-compose.yml | 65 +++++++++++++++++++
 env.example | 2 +
 11 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 conf/files-examples/headers-policy-domain.yml
 create mode 100644 conf/files/auth-traefik.yml
 create mode 100644 conf/files/headers-base.yml
 create mode 100644 conf/files/headers-policy-self.yml
 create mode 100644 conf/files/headers-sts.yml
 create mode 100644 conf/files/net-home.yml
 create mode 100644 conf/files/tls.yml
 create mode 100644 docker-compose.yml
 create mode 100644 env.example

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3cec5f0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.env
+conf/acme/
+conf/certs/
+conf/users/
+conf/files/headers-policy-domain.yml
diff --git a/README.md b/README.md
index 3b4558d..9b1686f 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,30 @@
-# tpl.docker-compose
+# Træfik reverse proxy
+
+## Requirements
+
+ * Docker
+ * docke-compose
+ * htpasswd (from apache)
+
+## Quick start
+
+1. Create a user to restrict access to the Træfik dashboard:
+
+ ```sh
+ htpasswd -nb MyAwesomeUser MyAwesomePassword > conf/users/traefik.htpasswd
+ ```
+
+2. Create the network used by Træfik to talk to the internal services:
+
+ ```sh
+ docker network create --attachable --internal proxy # Default shared proxy network
+ docker network create --attachable --internal proxy_home # For Main services
+ docker network create --attachable --internal proxy_infra # For Network infrastructure
+ ```
+
+3. Start Træfik:
+
+ ```sh
+ docker-compose up -d
+ ```
diff --git a/conf/files-examples/headers-policy-domain.yml b/conf/files-examples/headers-policy-domain.yml
new file mode 100644
index 0000000..b8cafb7
--- /dev/null
+++ b/conf/files-examples/headers-policy-domain.yml
@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    headers-policy-domain:
+      headers:
+        customFrameOptionsValue: "ALLOW-FROM https://example.net"
+        contentsecuritypolicy: "frame-ancestors 'self' example.net *.example.net"
+        referrerpolicy: "strict-origin-when-cross-origin"
diff --git a/conf/files/auth-traefik.yml b/conf/files/auth-traefik.yml
new file mode 100644
index 0000000..4acaddc
--- /dev/null
+++ b/conf/files/auth-traefik.yml
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    auth-traefik:
+      basicauth:
+        usersFile: "conf/users/traefik.htpasswd"
+
diff --git a/conf/files/headers-base.yml b/conf/files/headers-base.yml
new file mode 100644
index 0000000..a73f090
--- /dev/null
+++ b/conf/files/headers-base.yml
@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    headers-base:
+      headers:
+        sslredirect: true
+        framedeny: true
+        browserxssfilter: true
+        contenttypenosniff: true
+        isdevelopment: false
diff --git a/conf/files/headers-policy-self.yml b/conf/files/headers-policy-self.yml
new file mode 100644
index 0000000..e611b63
--- /dev/null
+++ b/conf/files/headers-policy-self.yml
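Review bot: The `customFrameOptionsValue: "ALLOW-FROM https://example.net"` line in this example relies on an X-Frame-Options directive that current browsers no longer honor (Chromium, Firefox, Edge and Safari ignore ALLOW-FROM and treat the header as invalid), so framing is in practice governed only by the `frame-ancestors` directive on the following line. Since this file is the template users copy into conf/files/, it should say so, e.g. `# ALLOW-FROM is ignored by modern browsers; the frame-ancestors CSP below is the effective control`, otherwise the value gets copied as if it were the protection. How this interacts with `framedeny: true` in headers-base when both middlewares are chained (which header write wins) is not visible here and should be confirmed against a live response.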
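Review bot: `usersFile: "conf/users/traefik.htpasswd"` is a relative path, resolved against the Traefik process's working directory inside the container, whereas the directory is mounted at `/conf/` by docker-compose and the file provider itself is pointed at the absolute `/conf/files/`. It only works as long as the image's working directory happens to be `/`; `usersFile: "/conf/users/traefik.htpasswd"` removes that dependency and fails loudly if the mount is missing. The README's generation command uses htpasswd's default apr1 (MD5-based) hash; `htpasswd -nbB` produces bcrypt, which Traefik's basicauth accepts and which is the better choice for a file that is the only thing between the internet and the dashboard once the IP allow-list is bypassed or misconfigured.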
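Review bot: `browserxssfilter: true` emits `X-XSS-Protection: 1; mode=block`, a header that Chromium, Edge and Safari have removed support for and that the OWASP header guidance now recommends setting to `0` or omitting, because the legacy filter could itself be abused to leak page content in the browsers that still honor it. Since headers-base is the first link of the chain applied to every service, consider dropping the line and relying on the CSP in headers-policy-self; if it is kept, a comment such as `# legacy header, ignored by current browsers; kept for old clients only` records the decision. `sslredirect: true` duplicates the entrypoint-level redirect configured in docker-compose, which is harmless but also deserves a one-line comment so the two are not tuned independently.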
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    headers-policy-self:
+      headers:
+        contentsecuritypolicy: "script-src 'self'"
+        referrerpolicy: "strict-origin-when-cross-origin"
diff --git a/conf/files/headers-sts.yml b/conf/files/headers-sts.yml
new file mode 100644
index 0000000..1067a1c
--- /dev/null
+++ b/conf/files/headers-sts.yml
@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    headers-sts:
+      headers:
+        stsincludesubdomains: true
+        stspreload: true
+        stsseconds: 31536000
diff --git a/conf/files/net-home.yml b/conf/files/net-home.yml
new file mode 100644
index 0000000..e5f28b7
--- /dev/null
+++ b/conf/files/net-home.yml
@@ -0,0 +1,5 @@
+http:
+  middlewares:
+    net-home:
+      ipwhitelist:
+        sourcerange: "192.168.2.0/28"
diff --git a/conf/files/tls.yml b/conf/files/tls.yml
new file mode 100644
index 0000000..b0ff4a7
--- /dev/null
+++ b/conf/files/tls.yml
@@ -0,0 +1,19 @@
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      minVersion: "VersionTLS13"
+
+    mintls12:
+      minVersion: "VersionTLS12"
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: "VersionTLS13"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1647142
--- /dev/null
+++ b/docker-compose.yml
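Review bot: The policy in `contentsecuritypolicy: "script-src 'self'"` restricts scripts only and leaves every other fetch directive unset, in particular `object-src` and `base-uri`, the two directives usually recommended alongside `script-src` because plugin content and an injected `<base>` element are the standard ways around a script-only policy. A stricter self-only policy would be `contentsecuritypolicy: "default-src 'self'; object-src 'none'; base-uri 'self'"`, kept as a single quoted scalar as here. Because the same middleware is chained onto the dashboard router in docker-compose, the dashboard must be checked in a browser after any tightening, since a CSP that blocks its own assets fails silently except in the console.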
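Review bot: `stspreload: true` combined with `stsincludesubdomains: true` advertises the host for the browser preload lists, and once a domain is submitted the commitment covers all of its subdomains for the full `stsseconds` and is slow to reverse. The flag does nothing by itself, and the preload list additionally requires the header to be served from the apex domain, which nothing in this change shows; the file should record whether submission is intended, e.g. `# preload is opt-in: keep only if the apex domain is submitted to the HSTS preload list`. If it is not intended, dropping `stspreload` removes a footgun at no cost to the HSTS protection itself.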
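Review bot: The allow-list in `sourcerange: "192.168.2.0/28"` is compared against the connection's source address (no `ipstrategy` is set), which is the right choice for Traefik at the edge but assumes Docker preserves the client address on the published ports; where the userland proxy handles a connection (commonly IPv6, depending on daemon configuration) Traefik sees the bridge address instead, and the dashboard becomes unreachable rather than exposed. That is the safe failure mode, but it is a debugging trap, so a comment should state the assumption, e.g. `# home LAN only; assumes published ports preserve the client source address (kernel NAT, not docker-proxy)`.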
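Review bot: None of the TLS options set `sniStrict`, so a client that connects without SNI, or with a name no router serves, is still handed the default certificate instead of being refused; for a proxy fronting several hosts, `sniStrict: true` under `default` is the usual hardening and avoids serving a fallback certificate to scanners. Separately, `default` and `mintls13` are identical, so either drop `mintls13` or add a comment explaining it exists as a stable name for routers that must not inherit future changes to `default`. The `cipherSuites` list only affects TLS 1.2 connections, since Go does not allow configuring TLS 1.3 suites, which is worth a one-line comment above the list so nobody tries to "add" 1.3 suites to it.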
@@ -0,0 +1,65 @@
+version: "3.8"
+
+networks:
+  proxy:
+    external: true
+  proxy_infra:
+    external: true
+  proxy_home:
+    external: true
+
+services:
+  traefik:
+    image: "traefik:v2.4.8"
+    restart: always
+    command:
+      #- "--log.level=DEBUG"
+      - "--global.sendanonymoususage=false"
+      - "--pilot.dashboard=false"
+      - "--api.dashboard=true"
+      #- "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=proxy"
+      - "--providers.file.directory=/conf/files/"
+      #- "--serverstransport.rootcas=/conf/certs/rootca.crt"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+      - "--entrypoints.web-secure.address=:443"
+      - "--entrypoints.ssh-git.address=:2201"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt.acme.email=${CERT_EMAIL}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/conf/acme/letsencrypt.json"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2201:2201"
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./conf/:/conf/:ro"
+      - "./conf/acme/:/conf/acme/:rw"
+    networks:
+      - proxy
+      - proxy_infra
+      - proxy_home
+      - default
+    # Dynamic Configuration
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy_infra"
+
+      # MIDDLEWARES
+      # Priority goes from first in the list to last.
+      - "traefik.http.middlewares.traefik.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
+
+      # Traefik Dashboard
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.entrypoints=web-secure"
+      - "traefik.http.routers.traefik.rule=Host(`${FQDN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+      - "traefik.http.routers.traefik.tls=true"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.middlewares=traefik,net-home@file,auth-traefik@file"
diff --git a/env.example b/env.example
new file mode 100644
index 0000000..5aa5a29
--- /dev/null
+++ b/env.example
@@ -0,0 +1,2 @@
+FQDN=traefik.example.net
+CERT_EMAIL=admin@example.net
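Review bot: Mounting `/var/run/docker.sock:/var/run/docker.sock:ro` gives the container full control of the Docker daemon, because `:ro` only makes the socket inode read-only while the API behind it still accepts every request; a compromise of Traefik, which here is the internet-facing TLS terminator for every service, is therefore root on the host. The usual mitigations are a socket proxy that forwards only the read-only endpoints the Docker provider needs (containers, networks, events) or a TCP endpoint with client certificates, plus `security_opt: ["no-new-privileges:true"]` on the service, which costs nothing. The `./conf/:/conf/:ro` and `./conf/acme/:/conf/acme/:rw` mounts overlap; the nested rw mount works, but Traefik refuses to use `letsencrypt.json` unless its mode is 0600 and the README never creates `conf/acme/` or mentions that, so a comment on the acme line would save the first-run failure. `--entrypoints.ssh-git.address=:2201` and the matching published port have no router in this file; if they are reserved for a later service a comment should say so, otherwise they are an open listener for nothing.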