[Traefik] Try to migrate to v2

See https://wiki.picasoft.net/doku.php\?id\=technique:adminsys:migration-traefik-v2

pica-traefik/docker-compose.yml

@@ -2,17 +2,15 @@ version: '3.7'
 
 services:
   traefik:
+    image: traefik:2.3
     container_name: traefik
-  # DO NOT UPGRADE
-  # SEE THIS BEFORE AND DISCUSS : https://team.picasoft.net/picasoft/pl/66aorsxhtffrjytyhnecn436wa
-  image: traefik:1.6.6
     ports:
-    - "80:80"
-    # Uncomment to expose the web interface. Warning : do not use without setting a password in traefik.toml
-    #- "8080:8080"
-    - "443:443"
+      - 80:80
+      - 443:443
     volumes:
+      - /etc/localtime:/etc/localtime:ro
       - /var/run/docker.sock:/var/run/docker.sock
       - ./traefik.toml:/traefik.toml
+      - ./traefik_dynamic.toml:/traefik_dynamic.toml
       - /DATA/docker/traefik/certs:/certs
-  restart: always
+    restart: unless-stopped

pica-traefik/traefik.toml

@@ -1,35 +1,39 @@
-logLevel = "INFO"
-debug = true
-defaultEntryPoints = ["http", "https"]
-
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false
-
-[api]
+[global]
+  sendAnonymousUsage = true
+  checkNewVersion = true
 
 [entryPoints]
   [entryPoints.http]
     address = ":80"
-  compress = false
-  [entryPoints.http.redirect]
-   entryPoint = "https"
+    [entryPoints.http.redirections.entryPoint]
+      to = "https"
+      scheme = "https"
   [entryPoints.https]
     address = ":443"
-  compress = false
+    middlewares = ["hardening@file", "compression@file"]
     [entryPoints.https.tls]
-   # Accept only TLS1.1 and 1.2
-   MinVersion = "VersionTLS11"
-   # Accept all ciphers excepting TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
-   # CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA" ]
-   # Keep only ECDHE :
-   CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]
+      certResolver = "letsencrypt"
+      options = "tls12@file"
 
-[acme]
+
+[providers]
+  providersThrottleDuration = "2s"
+  [providers.docker]
+    watch = true
+    endpoint = "unix:///var/run/docker.sock"
+    swarmMode = false
+    exposedByDefault = false
+  [providers.file]
+    filename = "/etc/traefik/traefik_dynamic.toml"
+    watch = true
+
+[log]
+  level = "INFO"
+
+[certificatesResolvers]
+  [certificatesResolvers.letsencrypt]
+    [certificatesResolvers.letsencrypt.acme]
       email = "picasoft@assos.utc.fr"
       storage = "/certs/acme.json"
- entryPoint = "https"
- onHostRule = true
- [acme.httpChallenge]
+      [certificatesResolvers.letsencrypt.acme.httpChallenge]
         entryPoint = "http"

pica-traefik/traefik_dynamic.toml

@@ -0,0 +1,30 @@
+[tls.options]
+  [tls.options.tls12]
+    minVersion = "VersionTLS12"
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256"
+    ]
+    curvePreferences = ["CurveP521","CurveP384"]
+
+[http]
+  [http.middlewares.hardening.headers]
+    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlMaxAge = 100
+    addVaryHeader = true
+    browserXssFilter = true
+    contentTypeNosniff = true
+    forceSTSHeader = true
+    frameDeny = true
+    stsIncludeSubdomains = true
+    stsPreload = true
+    customFrameOptionsValue = "SAMEORIGIN"
+    referrerPolicy = "same-origin"
+    featurePolicy = "vibrate 'self'"
+    stsSeconds = 315360000
+
+  [http.middlewares.compression.compress]
+    excludedContentTypes = ["text/event-stream"]