traefik: harden websecure defaults (crowdsec, headers, tls12)

2026-02-07 02:15:13 +08:00
parent 2d7c788202
commit dc2c7f46ae
10 changed files with 90 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -25,5 +25,8 @@ node_modules/
 # Ignore generated secrets
 dynamic.d/middlewares/crowdsec.yml

+# Local secrets directory (htpasswd, etc.)
+secrets/
+
 # Ignore backup files
 *.~*    
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ labels:
  - traefik.http.routers.myapp.rule=Host(`app.example.com`)
  - traefik.http.routers.myapp.entrypoints=websecure
  - traefik.http.routers.myapp.tls.certresolver=letsencrypt
-  - traefik.http.routers.myapp.middlewares=crowdsec@file,retry-fast@file,compress-middleware@file
+  - traefik.http.routers.myapp.middlewares=myapp-custom@docker
  - traefik.http.services.myapp.loadbalancer.serversTransport=fast-upstreams@file
  - traefik.http.services.myapp.loadbalancer.server.port=3000
  - traefik.docker.network=traefik_default
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -16,6 +16,7 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/letsencrypt
+      - ./secrets:/secrets:ro
      #- ./dashboard_authfile:/dashboard_authfile:ro
      - ./dynamic.d:/dynamic.d
      - ./traefik.yml:/traefik.yml
@@ -30,6 +31,11 @@ services:
      - "traefik.http.routers.traefik.entrypoints=internal_websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
+      # CrowdSec bouncer middleware (defined via Docker provider so the LAPI key isn't stored in git-tracked files).
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=stream"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiHost=localhost:8080"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiKey=${CROWDSEC_LAPI_KEY}"
      - "com.centurylinklabs.watchtower.enable=true" # Added label for Watchtower
      # "traefik.http.middlewares.auth.basicauth.usersfile=/dashboard_authfile"
      - "traefik.http.services.traefik.loadbalancer.server.port=9090"
--- a/dynamic.d/middlewares/label-auth.yml
+++ b/dynamic.d/middlewares/label-auth.yml
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    label-auth:
+      basicAuth:
+        # Keep actual user hashes out of git.
+        usersFile: /secrets/label.htpasswd
--- a/dynamic.d/middlewares/secure-headers.yml
+++ b/dynamic.d/middlewares/secure-headers.yml
@@ -0,0 +1,12 @@
+http:
+  middlewares:
+    secure-headers:
+      headers:
+        contentTypeNosniff: true
+        frameDeny: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        # Intentionally no HSTS (per requirement).
+        customResponseHeaders:
+          server: ""
+          x-powered-by: ""
+
--- a/dynamic.d/routers/label.yml
+++ b/dynamic.d/routers/label.yml
@@ -0,0 +1,18 @@
+http:
+  routers:
+    label:
+      rule: Host(`label.gbanyan.net`)
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - label-auth
+      service: label
+
+  services:
+    label:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://127.0.0.1:5004"
--- a/dynamic.d/routers/usher.yml
+++ b/dynamic.d/routers/usher.yml
@@ -0,0 +1,16 @@
+http:
+  routers:
+    usher:
+      rule: Host(`member.usher.org.tw`)
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: usher
+
+  services:
+    usher:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://10.0.0.225:8000"
--- a/dynamic.d/tls/options.yml
+++ b/dynamic.d/tls/options.yml
@@ -0,0 +1,5 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+
--- a/dynamic.d/transports/fast-upstreams.yml
+++ b/dynamic.d/transports/fast-upstreams.yml
@@ -5,3 +5,8 @@ http:
      forwardingTimeouts:
        idleConnTimeout: 30s
        responseHeaderTimeout: 15s
+    gitea-upstreams:
+      maxIdleConnsPerHost: 64
+      forwardingTimeouts:
+        idleConnTimeout: 10m
+        responseHeaderTimeout: 10m
--- a/traefik.yml
+++ b/traefik.yml
@@ -59,8 +59,14 @@ entryPoints:
        entryPoint:
          to: "websecure"                         # The target element
          scheme: "https"
+          permanent: true
  websecure:
    address: "10.0.0.225:443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 10m
+        writeTimeout: 10m
+        idleTimeout: 10m
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
@@ -85,6 +91,12 @@ entryPoints:
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
+    http:
+      middlewares:
+        - crowdsec@docker
+        - secure-headers@file
+        - compress-middleware@file
+        - retry-fast@file
  internal_web:
    address: "192.168.50.4:80"
    http:
@@ -92,8 +104,14 @@ entryPoints:
          entryPoint:
            to: "internal_websecure"                         # The target element
            scheme: "https"
+            permanent: true
  internal_websecure:
    address: "192.168.50.4:443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 10m
+        writeTimeout: 10m
+        idleTimeout: 10m
  metrics:
    address: ":8082"
  dashboard: