Traefik configuration

.gitignore

@@ -0,0 +1,5 @@
+.env
+conf/acme/
+conf/certs/
+conf/users/
+conf/files/headers-policy-domain.yml

README.md

@@ -1,2 +1,30 @@
-# tpl.docker-compose
+# Træfik reverse proxy
+
+## Requirements
+
+ * Docker
+ * docke-compose
+ * htpasswd (from apache)
+
+## Quick start
+
+1. Create a user to restrict access to the Træfik dashboard:
+
+   ```sh
+   htpasswd -nb MyAwesomeUser MyAwesomePassword > conf/users/traefik.htpasswd
+   ```
+
+2. Create the network used by Træfik to talk to the internal services:
+
+   ```sh
+   docker network create --attachable --internal proxy       # Default shared proxy network
+   docker network create --attachable --internal proxy_home  # For Main services
+   docker network create --attachable --internal proxy_infra # For Network infrastructure
+   ```
+
+3. Start Træfik:
+
+   ```sh
+   docker-compose up -d
+   ```
 

conf/files-examples/headers-policy-domain.yml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    headers-policy-domain:
+      headers:
+        customFrameOptionsValue: "ALLOW-FROM https://example.net"
+        contentsecuritypolicy: "frame-ancestors 'self' example.net *.example.net"
+        referrerpolicy: "strict-origin-when-cross-origin"

conf/files/auth-traefik.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    auth-traefik:
+      basicauth:
+        usersFile: "conf/users/traefik.htpasswd"
+

conf/files/headers-base.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    headers-base:
+      headers:
+        sslredirect: true
+        framedeny: true
+        browserxssfilter: true
+        contenttypenosniff: true
+        isdevelopment: false

conf/files/headers-policy-self.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    headers-policy-self:
+      headers:
+        contentsecuritypolicy: "script-src 'self'"
+        referrerpolicy: "strict-origin-when-cross-origin"

conf/files/headers-sts.yml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    headers-sts:
+      headers:
+        stsincludesubdomains: true
+        stspreload: true
+        stsseconds: 31536000

conf/files/net-home.yml

@@ -0,0 +1,5 @@
+http:
+  middlewares:
+    net-home:
+      ipwhitelist:
+        sourcerange: "192.168.2.0/28"

conf/files/tls.yml

@@ -0,0 +1,19 @@
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      minVersion: "VersionTLS13"
+
+    mintls12:
+      minVersion: "VersionTLS12"
+      cipherSuites:
+       - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+       - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+       - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+       - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+       - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: "VersionTLS13"

docker-compose.yml

@@ -0,0 +1,65 @@
+version: "3.8"
+
+networks:
+  proxy:
+    external: true
+  proxy_infra:
+    external: true
+  proxy_home:
+    external: true
+
+services:
+  traefik:
+    image: "traefik:v2.4.8"
+    restart: always
+    command:
+      #- "--log.level=DEBUG"
+      - "--global.sendanonymoususage=false"
+      - "--pilot.dashboard=false"
+      - "--api.dashboard=true"
+      #- "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=proxy"
+      - "--providers.file.directory=/conf/files/"
+      #- "--serverstransport.rootcas=/conf/certs/rootca.crt"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+      - "--entrypoints.web-secure.address=:443"
+      - "--entrypoints.ssh-git.address=:2201"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt.acme.email=${CERT_EMAIL}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/conf/acme/letsencrypt.json"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2201:2201"
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./conf/:/conf/:ro"
+      - "./conf/acme/:/conf/acme/:rw"
+    networks:
+      - proxy
+      - proxy_infra
+      - proxy_home
+      - default
+    # Dynamic Configuration
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy_infra"
+ 
+      # MIDDLEWARES
+      # Priority goes from first in the list to last.
+      - "traefik.http.middlewares.traefik.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
+
+      # Traefik Dashboard
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.entrypoints=web-secure"
+      - "traefik.http.routers.traefik.rule=Host(`${FQDN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+      - "traefik.http.routers.traefik.tls=true"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.middlewares=traefik,net-home@file,auth-traefik@file"

env.example

@@ -0,0 +1,2 @@
+FQDN=traefik.example.net
+CERT_EMAIL=admin@example.net