traefik: harden websecure defaults (crowdsec, headers, tls12)

2026-02-07 02:15:13 +08:00
parent 2d7c788202
commit dc2c7f46ae
10 changed files with 90 additions and 1 deletions
--- a/traefik.yml
+++ b/traefik.yml
@@ -59,8 +59,14 @@ entryPoints:
        entryPoint:
          to: "websecure"                         # The target element
          scheme: "https"
+          permanent: true
  websecure:
    address: "10.0.0.225:443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 10m
+        writeTimeout: 10m
+        idleTimeout: 10m
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
@@ -85,6 +91,12 @@ entryPoints:
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
+    http:
+      middlewares:
+        - crowdsec@docker
+        - secure-headers@file
+        - compress-middleware@file
+        - retry-fast@file
  internal_web:
    address: "192.168.50.4:80"
    http:
@@ -92,8 +104,14 @@ entryPoints:
          entryPoint:
            to: "internal_websecure"                         # The target element
            scheme: "https"
+            permanent: true
  internal_websecure:
    address: "192.168.50.4:443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 10m
+        writeTimeout: 10m
+        idleTimeout: 10m
  metrics:
    address: ":8082"
  dashboard: