From cf9754c3b377840decd1d8ad6b3c3bc1586f5984 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Fri, 4 Sep 2020 12:47:16 +0200
Subject: [PATCH] [Traefik] Try to migrate to v2

See https://wiki.picasoft.net/doku.php\?id\=technique:adminsys:migration-traefik-v2

---
 pica-traefik/docker-compose.yml | 26 ++++++------
 pica-traefik/traefik.toml | 68 ++++++++++++++++---------------
 pica-traefik/traefik_dynamic.toml | 30 ++++++++++++++
 3 files changed, 78 insertions(+), 46 deletions(-)
 create mode 100644 pica-traefik/traefik_dynamic.toml

diff --git a/pica-traefik/docker-compose.yml b/pica-traefik/docker-compose.yml
index daaf980..d6bb28b 100644
--- a/pica-traefik/docker-compose.yml
+++ b/pica-traefik/docker-compose.yml
@@ -2,17 +2,15 @@ version: '3.7'
 services:
 traefik:
- container_name: traefik
- # DO NOT UPGRADE
- # SEE THIS BEFORE AND DISCUSS : https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa
- image: traefik:1.6.6
- ports:
- - "80:80"
- # Uncomment to expose the web interface. Warning : do not use without setting a password in traefik.toml
- #- "8080:8080"
- - "443:443"
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - ./traefik.toml:/traefik.toml
- - /DATA/docker/traefik/certs:/certs
- restart: always
+ image: traefik:2.3
+ container_name: traefik
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./traefik.toml:/traefik.toml
+ - ./traefik_dynamic.toml:/traefik_dynamic.toml
+ - /DATA/docker/traefik/certs:/certs
+ restart: unless-stopped
diff --git a/pica-traefik/traefik.toml b/pica-traefik/traefik.toml
index 3514619..0b0766a 100644
--- a/pica-traefik/traefik.toml
+++ b/pica-traefik/traefik.toml
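Review bot: The new `- ./traefik_dynamic.toml:/traefik_dynamic.toml` volume line does not match the path the traefik.toml hunk hands to the file provider (`filename = "/etc/traefik/traefik_dynamic.toml"`), so inside the container the dynamic file is never found. The consequence is that `tls12@file`, `hardening@file` and `compression@file` do not exist at runtime; as far as I can tell Traefik only logs that and keeps serving, with the TLS options and the security headers silently falling back to defaults. Mount it where the static config expects it, `- ./traefik_dynamic.toml:/etc/traefik/traefik_dynamic.toml:ro`, and consider `:ro` on `./traefik.toml` as well since Traefik only reads both files. The now-unquoted `- 80:80` / `- 443:443` happen to be safe from YAML's sexagesimal integer parsing, but the quoted form the old lines used is the documented compose convention and avoids the trap for values such as `22:22`.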
@@ -1,35 +1,39 @@
-logLevel = "INFO"
-debug = true
-defaultEntryPoints = ["http", "https"]
-
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false
-
-[api]
+[global]
+ sendAnonymousUsage = true
+ checkNewVersion = true
 [entryPoints]
- [entryPoints.http]
- address = ":80"
- compress = false
- [entryPoints.http.redirect]
- entryPoint = "https"
- [entryPoints.https]
- address = ":443"
- compress = false
- [entryPoints.https.tls]
- # Accept only TLS1.1 and 1.2
- MinVersion = "VersionTLS11"
- # Accept all ciphers excepting TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
- # CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA" ]
- # Keep only ECDHE :
- CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirections.entryPoint]
+ to = "https"
+ scheme = "https"
+ [entryPoints.https]
+ address = ":443"
+ middlewares = ["hardening@file", "compression@file"]
+ [entryPoints.https.tls]
+ certResolver = "letsencrypt"
+ options = "tls12@file"
-[acme]
- email = "picasoft@assos.utc.fr"
- storage = "/certs/acme.json"
- entryPoint = "https"
- onHostRule = true
- [acme.httpChallenge]
- entryPoint = "http"
+
+[providers]
+ providersThrottleDuration = "2s"
+ [providers.docker]
+ watch = true
+ endpoint = "unix:///var/run/docker.sock"
+ swarmMode = false
+ exposedByDefault = false
+ [providers.file]
+ filename = "/etc/traefik/traefik_dynamic.toml"
+ watch = true
+
+[log]
+ level = "INFO"
+
+[certificatesResolvers]
+ [certificatesResolvers.letsencrypt]
+ [certificatesResolvers.letsencrypt.acme]
+ email = "picasoft@assos.utc.fr"
+ storage = "/certs/acme.json"
+ [certificatesResolvers.letsencrypt.acme.httpChallenge]
+ entryPoint = "http"
diff --git a/pica-traefik/traefik_dynamic.toml b/pica-traefik/traefik_dynamic.toml
new file mode 100644
index 0000000..b5fc5d9
--- /dev/null
+++ b/pica-traefik/traefik_dynamic.toml
@@ -0,0 +1,30 @@
+[tls.options]
+ [tls.options.tls12]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256"
+ ]
+ curvePreferences = ["CurveP521","CurveP384"]
+
+[http]
+ [http.middlewares.hardening.headers]
+ accessControlAllowOrigin = "origin-list-or-null"
+ accessControlMaxAge = 100
+ addVaryHeader = true
+ browserXssFilter = true
+ contentTypeNosniff = true
+ forceSTSHeader = true
+ frameDeny = true
+ stsIncludeSubdomains = true
+ stsPreload = true
+ customFrameOptionsValue = "SAMEORIGIN"
+ referrerPolicy = "same-origin"
+ featurePolicy = "vibrate 'self'"
+ stsSeconds = 315360000
+
+ [http.middlewares.compression.compress]
+ excludedContentTypes = ["text/event-stream"]
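Review bot: The entrypoint-level redirect, middleware list and TLS settings sit one level too high for the Traefik 2.2+ static schema: `[entryPoints.http.redirections.entryPoint]`, the `middlewares = [...]` key placed directly under `[entryPoints.https]`, and `[entryPoints.https.tls]` all belong under an intermediate `http` table, and because the static-config parser rejects unknown fields I expect 2.3 to refuse to start with a "field not found" error rather than quietly ignore them. The headers should read `[entryPoints.http.http.redirections.entryPoint]`, `[entryPoints.https.http]` (holding the `middlewares` key) and `[entryPoints.https.http.tls]`. Separately, `storage = "/certs/acme.json"` keeps pointing at the file written by 1.6.6, and the v2 ACME storage format differs, so that file has to be converted with the migration tool (or removed so certificates are re-issued) before the first start, otherwise the resolver cannot reuse the existing certificates; a one-line comment above `storage` recording that step would save the next operator a surprise.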
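Review bot: The `cipherSuites` array is missing the comma after `"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`, which is a TOML syntax error; the file provider will reject the whole file, so neither the `tls12` options nor the `hardening`/`compression` middlewares ever load and the https entrypoint references names that do not exist. Write `"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",`. While there, that CBC/SHA-1 suite is the weakest in the list and the old file's comment shows the intent was to keep strong ECDHE suites only; dropping it, and adding `"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"` for clients without AES-256, would match that intent. The two `TLS_AES_*`/`TLS_CHACHA20_*` entries are TLS 1.3 suites, which Go's TLS stack does not let the application restrict, so they are at best documentation (and a load error if Traefik's name table does not know them). `stsPreload = true` together with `stsSeconds = 315360000` is a commitment that is hard to revert once the domain is on the preload list, so a comment above `stsPreload` stating that it is intentional would help.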