traefik: harden websecure defaults (crowdsec, headers, tls12)

dynamic.d/middlewares/label-auth.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    label-auth:
+      basicAuth:
+        # Keep actual user hashes out of git.
+        usersFile: /secrets/label.htpasswd

dynamic.d/middlewares/secure-headers.yml

@@ -0,0 +1,12 @@
+http:
+  middlewares:
+    secure-headers:
+      headers:
+        contentTypeNosniff: true
+        frameDeny: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        # Intentionally no HSTS (per requirement).
+        customResponseHeaders:
+          server: ""
+          x-powered-by: ""
+

dynamic.d/routers/label.yml

@@ -0,0 +1,18 @@
+http:
+  routers:
+    label:
+      rule: Host(`label.gbanyan.net`)
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - label-auth
+      service: label
+
+  services:
+    label:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://127.0.0.1:5004"

dynamic.d/routers/usher.yml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    usher:
+      rule: Host(`member.usher.org.tw`)
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: usher
+
+  services:
+    usher:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://10.0.0.225:8000"

dynamic.d/tls/options.yml

@@ -0,0 +1,5 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+

dynamic.d/transports/fast-upstreams.yml

@@ -5,3 +5,8 @@ http:
       forwardingTimeouts:
         idleConnTimeout: 30s
         responseHeaderTimeout: 15s
+    gitea-upstreams:
+      maxIdleConnsPerHost: 64
+      forwardingTimeouts:
+        idleConnTimeout: 10m
+        responseHeaderTimeout: 10m