From cf9754c3b377840decd1d8ad6b3c3bc1586f5984 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 12:47:16 +0200
Subject: [PATCH 1/9] [Traefik] Try to migrate to v2
See https://wiki.picasoft.net/doku.php\?id\=technique:adminsys:migration-traefik-v2
---
 pica-traefik/docker-compose.yml | 26 ++++++------
 pica-traefik/traefik.toml | 68 ++++++++++++++++---------------
 pica-traefik/traefik_dynamic.toml | 30 ++++++++++++++
 3 files changed, 78 insertions(+), 46 deletions(-)
 create mode 100644 pica-traefik/traefik_dynamic.toml
diff --git a/pica-traefik/docker-compose.yml b/pica-traefik/docker-compose.yml
index daaf980..d6bb28b 100644
--- a/pica-traefik/docker-compose.yml
+++ b/pica-traefik/docker-compose.yml
@@ -2,17 +2,15 @@ version: '3.7'
 services:
 traefik:
- container_name: traefik
- # DO NOT UPGRADE
- # SEE THIS BEFORE AND DISCUSS : https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa
- image: traefik:1.6.6
- ports:
- - "80:80"
- # Uncomment to expose the web interface. Warning : do not use without setting a password in traefik.toml
- #- "8080:8080"
- - "443:443"
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - ./traefik.toml:/traefik.toml
- - /DATA/docker/traefik/certs:/certs
- restart: always
+ image: traefik:2.3
+ container_name: traefik
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./traefik.toml:/traefik.toml
+ - ./traefik_dynamic.toml:/traefik_dynamic.toml
+ - /DATA/docker/traefik/certs:/certs
+ restart: unless-stopped
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 3514619..0b0766a 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
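Review bot: `image: traefik:2.3` pins only a minor version, so a routine `docker-compose pull` can move the proxy to a newer 2.3.x build unreviewed, whereas the replaced line pinned `traefik:1.6.6`; pin the exact release that was tested (`image: traefik:2.3.<patch>`, placeholder) and bump it on purpose, which is also what the README's "Mise à jour" section describes. The `/var/run/docker.sock:/var/run/docker.sock` mount is kept from the old block and hands the container root-equivalent control of the host; Traefik only needs to read the Docker API, so a Docker socket proxy exposing just the read-only container/event endpoints (with `providers.docker.endpoint` pointed at it) would cut that blast radius, and if the direct mount is kept, a comment stating why would help. The removed `#- "8080:8080"` line carried the reminder that the dashboard must never be published without authentication; the new static config does not enable `[api]`, so nothing listens there, but a one-line comment to that effect above `ports:` would stop the next editor from re-adding it blind.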
@@ -1,35 +1,39 @@
-logLevel = "INFO"
-debug = true
-defaultEntryPoints = ["http", "https"]
-
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false
-
-[api]
+[global]
+ sendAnonymousUsage = true
+ checkNewVersion = true
 [entryPoints]
- [entryPoints.http]
- address = ":80"
- compress = false
- [entryPoints.http.redirect]
- entryPoint = "https"
- [entryPoints.https]
- address = ":443"
- compress = false
- [entryPoints.https.tls]
- # Accept only TLS1.1 and 1.2
- MinVersion = "VersionTLS11"
- # Accept all ciphers excepting TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
- # CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA" ]
- # Keep only ECDHE :
- CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirections.entryPoint]
+ to = "https"
+ scheme = "https"
+ [entryPoints.https]
+ address = ":443"
+ middlewares = ["hardening@file", "compression@file"]
+ [entryPoints.https.tls]
+ certResolver = "letsencrypt"
+ options = "tls12@file"
-[acme]
- email = "picasoft@assos.utc.fr"
- storage = "/certs/acme.json"
- entryPoint = "https"
- onHostRule = true
- [acme.httpChallenge]
- entryPoint = "http"
+
+[providers]
+ providersThrottleDuration = "2s"
+ [providers.docker]
+ watch = true
+ endpoint = "unix:///var/run/docker.sock"
+ swarmMode = false
+ exposedByDefault = false
+ [providers.file]
+ filename = "/etc/traefik/traefik_dynamic.toml"
+ watch = true
+
+[log]
+ level = "INFO"
+
+[certificatesResolvers]
+ [certificatesResolvers.letsencrypt]
+ [certificatesResolvers.letsencrypt.acme]
+ email = "picasoft@assos.utc.fr"
+ storage = "/certs/acme.json"
+ [certificatesResolvers.letsencrypt.acme.httpChallenge]
+ entryPoint = "http"
diff --git a/pica-traefik/traefik_dynamic.toml b/pica-traefik/traefik_dynamic.toml
new file mode 100644
index 0000000..b5fc5d9
--- /dev/null
+++ b/pica-traefik/traefik_dynamic.toml
@@ -0,0 +1,30 @@
+[tls.options]
+ [tls.options.tls12]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256"
+ ]
+ curvePreferences = ["CurveP521","CurveP384"]
+
+[http]
+ [http.middlewares.hardening.headers]
+ accessControlAllowOrigin = "origin-list-or-null"
+ accessControlMaxAge = 100
+ addVaryHeader = true
+ browserXssFilter = true
+ contentTypeNosniff = true
+ forceSTSHeader = true
+ frameDeny = true
+ stsIncludeSubdomains = true
+ stsPreload = true
+ customFrameOptionsValue = "SAMEORIGIN"
+ referrerPolicy = "same-origin"
+ featurePolicy = "vibrate 'self'"
+ stsSeconds = 315360000
+
+ [http.middlewares.compression.compress]
+ excludedContentTypes = ["text/event-stream"]
From 4890471df384137d73189b6b4f8bcf8f4c094c50 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 12:51:33 +0200
Subject: [PATCH 2/9] [Traefik] Use clear custom entrypoint name, fix config path, fix redirection
---
 pica-traefik/traefik.toml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 0b0766a..7a8b605 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
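Review bot: The new static configuration has no `[accessLog]` section, and with `debug = true` and the v1 `[api]` block removed the proxy keeps no per-request record at all, even though the proxy in front of every service on the host is the main evidence source for incident investigation and abuse detection. Consider adding `[accessLog]` with `filePath = "/var/log/traefik/access.log"` (constructed path) and `format = "json"`, plus a matching volume in docker-compose.yml so the file survives container replacement. Also in this hunk, `filename = "/etc/traefik/traefik_dynamic.toml"` does not match the `./traefik_dynamic.toml:/traefik_dynamic.toml` mount added to docker-compose.yml in the same patch, so the `hardening@file` and `tls12@file` references on the https entrypoint resolve to nothing until patch 2/9 in this series fixes the path.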
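Review bot: In `[tls.options.tls12]`, `cipherSuites` mixes TLS 1.2 suites with the TLS 1.3 names `TLS_AES_256_GCM_SHA384` and `TLS_CHACHA20_POLY1305_SHA256`; Traefik uses Go's crypto/tls, which does not let a server restrict TLS 1.3 suites, so those two entries are inert, and the list is also missing a comma after `"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"` so the file does not parse as committed (patch 4/9 adds it). The only entry that actually lowers the bar is `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` (CBC with an HMAC-SHA1 MAC); if the client base allows, drop it so only AEAD suites remain. `curvePreferences = ["CurveP521","CurveP384"]` excludes X25519 and P-256, the key shares almost every browser sends first, so nearly every TLS 1.3 handshake pays an extra round trip (HelloRetryRequest) for no security gain; `["X25519", "CurveP256", "CurveP384"]` is the usual choice. Finally `frameDeny = true` and `customFrameOptionsValue = "SAMEORIGIN"` contradict each other; Traefik lets the custom value override `frameDeny`, so the effective header is `SAMEORIGIN` — keep one of the two so the intent is explicit.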
@@ -3,15 +3,15 @@
 checkNewVersion = true
 [entryPoints]
- [entryPoints.http]
+ [entryPoints.web]
 address = ":80"
- [entryPoints.http.redirections.entryPoint]
- to = "https"
+ [entryPoints.web.http.redirections.entryPoint]
+ to = "websecure"
 scheme = "https"
- [entryPoints.https]
+ [entryPoints.websecure]
 address = ":443"
 middlewares = ["hardening@file", "compression@file"]
- [entryPoints.https.tls]
+ [entryPoints.websecure.tls]
 certResolver = "letsencrypt"
 options = "tls12@file"
@@ -24,7 +24,7 @@
 swarmMode = false
 exposedByDefault = false
 [providers.file]
- filename = "/etc/traefik/traefik_dynamic.toml"
+ filename = "/traefik_dynamic.toml"
 watch = true
 [log]
From efdc2f01c20ca3b0900ee9e4288867bd26d20b2c Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 12:54:04 +0200
Subject: [PATCH 3/9] [Traefik] Fix configuration for default middleware and TLS options
---
 pica-traefik/traefik.toml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 7a8b605..0497dde 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
@@ -10,10 +10,11 @@
 scheme = "https"
 [entryPoints.websecure]
 address = ":443"
- middlewares = ["hardening@file", "compression@file"]
- [entryPoints.websecure.tls]
- certResolver = "letsencrypt"
- options = "tls12@file"
+ [entryPoints.websecure.http]
+ middlewares = ["hardening@file", "compression@file"]
+ [entryPoints.websecure.http.tls]
+ certResolver = "letsencrypt"
+ options = "tls12@file"
 [providers]
From 5f50b56e4f6304fb4a25a19700b4b4bd198516a6 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 14:05:08 +0200
Subject: [PATCH 4/9] [Traefik] Don't send stat, forgot comma in ciphers
---
 pica-traefik/traefik.toml | 2 +-
 pica-traefik/traefik_dynamic.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 0497dde..4252992 100644
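Review bot: Renaming `[entryPoints.http]` to `[entryPoints.web]` leaves `entryPoint = "http"` under `[certificatesResolvers.letsencrypt.acme.httpChallenge]` (outside this hunk, at the end of the file) pointing at an entrypoint that no longer exists, so HTTP-01 challenges cannot be answered and certificate issuance and renewal fail on every host that deploys this revision; the later `[Traefik] Fix ACME entrypoint` commit in this series corrects it to `entryPoint = "web"`, but the rename and the resolver update belong in one commit so no intermediate revision is deployable with broken ACME. The `https` to `websecure` rename is handled consistently inside the hunk (`certResolver = "letsencrypt"` and `to = "websecure"` already follow it).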
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
@@ -1,5 +1,5 @@
 [global]
- sendAnonymousUsage = true
+ sendAnonymousUsage = false
 checkNewVersion = true
 [entryPoints]
diff --git a/pica-traefik/traefik_dynamic.toml b/pica-traefik/traefik_dynamic.toml
index b5fc5d9..36aa50b 100644
--- a/pica-traefik/traefik_dynamic.toml
+++ b/pica-traefik/traefik_dynamic.toml
@@ -2,7 +2,7 @@
 [tls.options.tls12]
 minVersion = "VersionTLS12"
 cipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
 "TLS_AES_256_GCM_SHA384",
From 478a838ddaae69ac39c009f253f25358609f0aa0 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 14:24:11 +0200
Subject: [PATCH 5/9] [Traefik] Remove unrelevant security headers
---
 pica-traefik/traefik_dynamic.toml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/pica-traefik/traefik_dynamic.toml b/pica-traefik/traefik_dynamic.toml
index 36aa50b..398f83d 100644
--- a/pica-traefik/traefik_dynamic.toml
+++ b/pica-traefik/traefik_dynamic.toml
@@ -12,8 +12,6 @@
 [http]
 [http.middlewares.hardening.headers]
- accessControlAllowOrigin = "origin-list-or-null"
- accessControlMaxAge = 100
 addVaryHeader = true
 browserXssFilter = true
 contentTypeNosniff = true
From a392ea89a9508bd292748e1915020fed05fc409e Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 14:47:29 +0200
Subject: [PATCH 6/9] [Traefik] Create a common network for Traefik and services
---
 pica-traefik/docker-compose.yml | 6 ++++++
 pica-traefik/traefik.toml | 1 -
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/pica-traefik/docker-compose.yml b/pica-traefik/docker-compose.yml
index d6bb28b..d4a139e 100644
--- a/pica-traefik/docker-compose.yml
+++ b/pica-traefik/docker-compose.yml
@@ -1,5 +1,9 @@
 version: '3.7'
+networks:
+ proxy:
+ name: 'proxy'
+
 services:
 traefik:
 image: traefik:2.3
@@ -13,4 +17,6 @@ services:
 - ./traefik.toml:/traefik.toml
 - ./traefik_dynamic.toml:/traefik_dynamic.toml
 - /DATA/docker/traefik/certs:/certs
+ networks:
+ - proxy
 restart: unless-stopped
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 4252992..d876883 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
@@ -22,7 +22,6 @@
 [providers.docker]
 watch = true
 endpoint = "unix:///var/run/docker.sock"
- swarmMode = false
 exposedByDefault = false
 [providers.file]
 filename = "/traefik_dynamic.toml"
From b517050f38421f62b6b5425685f8e71c37e38086 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 14:55:06 +0200
Subject: [PATCH 7/9] [Traefik] Fix ACME entrypoint
---
 pica-traefik/traefik.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index d876883..72c07cd 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
@@ -36,4 +36,4 @@
 email = "picasoft@assos.utc.fr"
 storage = "/certs/acme.json"
 [certificatesResolvers.letsencrypt.acme.httpChallenge]
- entryPoint = "http"
+ entryPoint = "web"
From 754331f6127a78b7825e82c06b1e8a84790f6123 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 15:49:11 +0200
Subject: [PATCH 8/9] Upgrade all services for Traefik v2 ; clean Compose files ; update doc
---
 pica-traefik/README.md | 30 +++++++++++------------------
 1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/pica-traefik/README.md b/pica-traefik/README.md
index 0544aa4..d3c67df 100644
--- a/pica-traefik/README.md
+++ b/pica-traefik/README.md
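Review bot: Attaching Traefik to the shared `proxy` network (`networks: - proxy`) also places every service that joins it on one segment where containers can reach each other's listening ports directly, bypassing the proxy's TLS, middlewares and any access control, so the isolation that per-project default networks provided is lost for everything attached here. Only the containers that must be routed should join `proxy` (not databases or workers), and each should keep its own project network for backend traffic. A short comment above `networks:` in the compose file saying that `proxy` is the network Traefik discovers containers through, and that joining it exposes the container to every other member, would tell service authors what they are opting into.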
@@ -7,36 +7,28 @@ Ce service doit être lancé sur l'ensemble des machines de l'infrastructure.
 ### Configuration
-La configuration a lieu dans le fichier [traefik.toml](./traefik.toml).
+La configuration a lieu dans les fichiers [traefik.toml](./traefik.toml) et [traefik_dynamic.toml](./traefik_dynamic.toml).
 Notez que toute modification dans ce fichier impactera l'ensemble des machines, puisque le même fichier est utilisé pour l'ensemble des machines.
 À des fins de tests, il peut être modifié localement sur les machines, mais doit toujours rester synchronisé avec ce dépôt à long terme.
 Pour la génération des certificats, Traefik utilise Let's Encrypt. Il n'y a aucune configuration à faire de ce côté.
 Attention, le nombre de certificats générables est limité à 50 par semaine.
-Si on lance plein de conteneurs de tests, on utilisera temporairement [l'environnement de qualification](https://letsencrypt.org/fr/docs/staging-environment/) de Let's Encrypt, en ajoutant la directive `caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"` sous la section `[acme]`.
+Si on lance plein de conteneurs de tests, on utilisera temporairement [l'environnement de qualification](https://letsencrypt.org/fr/docs/staging-environment/) de Let's Encrypt, en ajoutant la directive `caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"` sous la section `[certificatesResolvers.letsencrypt.acme]`.
 ### Lancement
-Assurez-vous que le dossier `/DATA/docker/traefik/certs` existe.
-C'est dans ce dossier que seront conservés tous les certificats générés par Traefik.
+Au premier lancement, assurez-vous que :
+* Le dossier `/DATA/docker/traefik/certs` existe
+* Créez un fichier `acme.json` à l'intérieur
+* Changez son propriétaire à `root`
+* Changez ses permissions à `600`
+
+C'est dans ce fichier que seront conservés tous les certificats générés par Traefik.
 ### Mise à jour
 Il suffit de mettre à jour le tag de l'image dans Compose.
-Attention, Traefik v2 introduit énormément de changements et [nous ne sommes pas certains](https://wiki.picasoft.net/doku.php?id=technique:adminsys:migration-traefik-v2) de la manière d'effectuer la migration.
+Lire la documentation [sur les mises à jour mineures](https://docs.traefik.io/v2.2/migration/v2/) pour voir s'il y a des opérations à effectuer ou des options dépréciées.
-Aussi, Traefik v1.6 est utilisé pour tenterd d'éviter un bug introduit dans la 1.7, qui rend certains services redémarrés inaccessibles (voir [cette discussion](https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa)).
-
-Avant toute mise à jour, il faudra discuter avec l'équipe technique et modifier ce README le cas échéant.
-
-### Todo
-
-*Voir si on peut passer Traefik en "host" au niveau du réseau pour qu'il ait accès à tous les réseaux* :
-https://kanban.picasoft.net/b/7fCn765LCNGraBhxA/team-technique-picasoft/kjvc3iw2pFvszCTcR
-
-Actuellement, Traefik est dans le réseau `docker_default` sur toutes les machines, et les conteneurs souhaitant être accessibles via Traefik doivent être explicitement dans ce réseau.
-
-Ceci induit une complexité supplémentaire au niveau des fichiers Compose.
-
-Il serait peut être bon de permettre à Traefik d'accéder à tous les réseaux et de supprimer énormément de directives "inutiles" dans les Compose.
+La mise à jour vers Traefik v2 a été effectuée ; quelques détails sont à consulter [sur le wiki](https://wiki.picasoft.net/doku.php?id=technique:adminsys:migration-traefik-v2).
From ba14ba2df5770ef29d0dbd689a3ce9f5ae539a20 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 16:16:58 +0200
Subject: [PATCH 9/9] [Traefik] Indicate default network in configuration
---
 pica-traefik/traefik.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 72c07cd..a154bb5 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
@@ -23,6 +23,7 @@
 watch = true
 endpoint = "unix:///var/run/docker.sock"
 exposedByDefault = false
+ network = "proxy"
 [providers.file]
 filename = "/traefik_dynamic.toml"
 watch = true
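Review bot: `network = "proxy"` deserves a comment, because a container attached to several networks is reached by Traefik only through this one, and a service author who forgets to join `proxy` gets a gateway error with no hint in this file: `# Network Traefik uses to reach containers; every routed service must be attached to it (see docker-compose.yml)`. Together with `exposedByDefault = false` above, a service now needs two opt-ins (a label and the network), which is also worth stating in the README.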