[Traefik] Try to migrate to v2

See https://wiki.picasoft.net/doku.php\?id\=technique:adminsys:migration-traefik-v2

pica-traefik/docker-compose.yml

@@ -2,17 +2,15 @@ version: '3.7'
 
 services:
   traefik:
-  container_name: traefik
+    image: traefik:2.3
-  # DO NOT UPGRADE
+    container_name: traefik
-  # SEE THIS BEFORE AND DISCUSS : https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa
+    ports:
-  image: traefik:1.6.6
+      - 80:80
-  ports:
+      - 443:443
-    - "80:80"
+    volumes:
-    # Uncomment to expose the web interface. Warning : do not use without setting a password in traefik.toml
+      - /etc/localtime:/etc/localtime:ro
-    #- "8080:8080"
+      - /var/run/docker.sock:/var/run/docker.sock
-    - "443:443"
+      - ./traefik.toml:/traefik.toml
-  volumes:
+      - ./traefik_dynamic.toml:/traefik_dynamic.toml
-    - /var/run/docker.sock:/var/run/docker.sock
+      - /DATA/docker/traefik/certs:/certs
-    - ./traefik.toml:/traefik.toml
+    restart: unless-stopped
-    - /DATA/docker/traefik/certs:/certs
-  restart: always

pica-traefik/traefik.toml

@@ -1,35 +1,39 @@
-logLevel = "INFO"
+[global]
-debug = true
+  sendAnonymousUsage = true
-defaultEntryPoints = ["http", "https"]
+  checkNewVersion = true
-
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false
-
-[api]
 
 [entryPoints]
- [entryPoints.http]
+  [entryPoints.http]
-  address = ":80"
+    address = ":80"
-  compress = false
+    [entryPoints.http.redirections.entryPoint]
-  [entryPoints.http.redirect]
+      to = "https"
-   entryPoint = "https"
+      scheme = "https"
- [entryPoints.https]
+  [entryPoints.https]
-  address = ":443"
+    address = ":443"
-  compress = false
+    middlewares = ["hardening@file", "compression@file"]
-  [entryPoints.https.tls]
+    [entryPoints.https.tls]
-   # Accept only TLS1.1 and 1.2
+      certResolver = "letsencrypt"
-   MinVersion = "VersionTLS11"
+      options = "tls12@file"
-   # Accept all ciphers excepting TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
-   # CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA" ]
-   # Keep only ECDHE :
-   CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]
 
-[acme]
+
- email = "picasoft@assos.utc.fr"
+[providers]
- storage = "/certs/acme.json"
+  providersThrottleDuration = "2s"
- entryPoint = "https"
+  [providers.docker]
- onHostRule = true
+    watch = true
- [acme.httpChallenge]
+    endpoint = "unix:///var/run/docker.sock"
-  entryPoint = "http"
+    swarmMode = false
+    exposedByDefault = false
+  [providers.file]
+    filename = "/etc/traefik/traefik_dynamic.toml"
+    watch = true
+
+[log]
+  level = "INFO"
+
+[certificatesResolvers]
+  [certificatesResolvers.letsencrypt]
+    [certificatesResolvers.letsencrypt.acme]
+      email = "picasoft@assos.utc.fr"
+      storage = "/certs/acme.json"
+      [certificatesResolvers.letsencrypt.acme.httpChallenge]
+        entryPoint = "http"

pica-traefik/traefik_dynamic.toml

@@ -0,0 +1,30 @@
+[tls.options]
+  [tls.options.tls12]
+    minVersion = "VersionTLS12"
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256"
+    ]
+    curvePreferences = ["CurveP521","CurveP384"]
+
+[http]
+  [http.middlewares.hardening.headers]
+    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlMaxAge = 100
+    addVaryHeader = true
+    browserXssFilter = true
+    contentTypeNosniff = true
+    forceSTSHeader = true
+    frameDeny = true
+    stsIncludeSubdomains = true
+    stsPreload = true
+    customFrameOptionsValue = "SAMEORIGIN"
+    referrerPolicy = "same-origin"
+    featurePolicy = "vibrate 'self'"
+    stsSeconds = 315360000
+
+  [http.middlewares.compression.compress]
+    excludedContentTypes = ["text/event-stream"]