[Traefik] Try to migrate to v2
See https://wiki.picasoft.net/doku.php\?id\=technique:adminsys:migration-traefik-v2
This commit is contained in:
parent
143831def9
commit
cf9754c3b3
|
@ -2,17 +2,15 @@ version: '3.7'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
traefik:
|
traefik:
|
||||||
|
image: traefik:2.3
|
||||||
container_name: traefik
|
container_name: traefik
|
||||||
# DO NOT UPGRADE
|
|
||||||
# SEE THIS BEFORE AND DISCUSS : https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa
|
|
||||||
image: traefik:1.6.6
|
|
||||||
ports:
|
ports:
|
||||||
- "80:80"
|
- 80:80
|
||||||
# Uncomment to expose the web interface. Warning : do not use without setting a password in traefik.toml
|
- 443:443
|
||||||
#- "8080:8080"
|
|
||||||
- "443:443"
|
|
||||||
volumes:
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
- ./traefik.toml:/traefik.toml
|
- ./traefik.toml:/traefik.toml
|
||||||
|
- ./traefik_dynamic.toml:/traefik_dynamic.toml
|
||||||
- /DATA/docker/traefik/certs:/certs
|
- /DATA/docker/traefik/certs:/certs
|
||||||
restart: always
|
restart: unless-stopped
|
||||||
|
|
|
@ -1,35 +1,39 @@
|
||||||
logLevel = "INFO"
|
[global]
|
||||||
debug = true
|
sendAnonymousUsage = true
|
||||||
defaultEntryPoints = ["http", "https"]
|
checkNewVersion = true
|
||||||
|
|
||||||
[docker]
|
|
||||||
endpoint = "unix:///var/run/docker.sock"
|
|
||||||
watch = true
|
|
||||||
exposedbydefault = false
|
|
||||||
|
|
||||||
[api]
|
|
||||||
|
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.http]
|
[entryPoints.http]
|
||||||
address = ":80"
|
address = ":80"
|
||||||
compress = false
|
[entryPoints.http.redirections.entryPoint]
|
||||||
[entryPoints.http.redirect]
|
to = "https"
|
||||||
entryPoint = "https"
|
scheme = "https"
|
||||||
[entryPoints.https]
|
[entryPoints.https]
|
||||||
address = ":443"
|
address = ":443"
|
||||||
compress = false
|
middlewares = ["hardening@file", "compression@file"]
|
||||||
[entryPoints.https.tls]
|
[entryPoints.https.tls]
|
||||||
# Accept only TLS1.1 and 1.2
|
certResolver = "letsencrypt"
|
||||||
MinVersion = "VersionTLS11"
|
options = "tls12@file"
|
||||||
# Accept all ciphers excepting TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
||||||
# CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA" ]
|
|
||||||
# Keep only ECDHE :
|
|
||||||
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
|
[providers]
|
||||||
|
providersThrottleDuration = "2s"
|
||||||
|
[providers.docker]
|
||||||
|
watch = true
|
||||||
|
endpoint = "unix:///var/run/docker.sock"
|
||||||
|
swarmMode = false
|
||||||
|
exposedByDefault = false
|
||||||
|
[providers.file]
|
||||||
|
filename = "/etc/traefik/traefik_dynamic.toml"
|
||||||
|
watch = true
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "INFO"
|
||||||
|
|
||||||
|
[certificatesResolvers]
|
||||||
|
[certificatesResolvers.letsencrypt]
|
||||||
|
[certificatesResolvers.letsencrypt.acme]
|
||||||
email = "picasoft@assos.utc.fr"
|
email = "picasoft@assos.utc.fr"
|
||||||
storage = "/certs/acme.json"
|
storage = "/certs/acme.json"
|
||||||
entryPoint = "https"
|
[certificatesResolvers.letsencrypt.acme.httpChallenge]
|
||||||
onHostRule = true
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
entryPoint = "http"
|
||||||
|
|
30
pica-traefik/traefik_dynamic.toml
Normal file
30
pica-traefik/traefik_dynamic.toml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
[tls.options]
|
||||||
|
[tls.options.tls12]
|
||||||
|
minVersion = "VersionTLS12"
|
||||||
|
cipherSuites = [
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_AES_256_GCM_SHA384",
|
||||||
|
"TLS_CHACHA20_POLY1305_SHA256"
|
||||||
|
]
|
||||||
|
curvePreferences = ["CurveP521","CurveP384"]
|
||||||
|
|
||||||
|
[http]
|
||||||
|
[http.middlewares.hardening.headers]
|
||||||
|
accessControlAllowOrigin = "origin-list-or-null"
|
||||||
|
accessControlMaxAge = 100
|
||||||
|
addVaryHeader = true
|
||||||
|
browserXssFilter = true
|
||||||
|
contentTypeNosniff = true
|
||||||
|
forceSTSHeader = true
|
||||||
|
frameDeny = true
|
||||||
|
stsIncludeSubdomains = true
|
||||||
|
stsPreload = true
|
||||||
|
customFrameOptionsValue = "SAMEORIGIN"
|
||||||
|
referrerPolicy = "same-origin"
|
||||||
|
featurePolicy = "vibrate 'self'"
|
||||||
|
stsSeconds = 315360000
|
||||||
|
|
||||||
|
[http.middlewares.compression.compress]
|
||||||
|
excludedContentTypes = ["text/event-stream"]
|
Loading…
Reference in New Issue
Block a user