Merge pull request #2 from solution-libre/upgrade-to-traefik-v2

Upgrade to Traefik v2
solution-libre · Jul 15, 2022 · 5526733 · 5526733
2 parents 13245fc + ed8cfbe
commit 5526733
Show file tree

Hide file tree

Showing 11 changed files with 124 additions and 83 deletions.
diff --git a/.env.dist b/.env.dist
@@ -1,2 +1,8 @@
+ACME_DNS_CHALLENGE=false
+ACME_DNS_CHALLENGE_PROVIDER=gandiv5
 ACME_EMAIL=webmaster@my.domain.tld
-DOCKER_DOMAIN=my.domain.tld
+ACME_HTTP_CHALLENGE=false
+ACME_TLS_CHALLENGE=true
+DEFAULT_DOMAIN=my.domain.tld
+HTTP_PORT=80
+HTTPS_PORT=443
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,3 @@
-# This is a basic workflow to help you get started with Actions
-
 name: CI
 
 on: [push, pull_request, workflow_dispatch]

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- markdownlint-configure-file { "MD024": { "allow_different_nesting": true } } -->
 
+## [2.0.0] 2022-07-15
+
+### Added
+
+- Add a default middleware to:
+  - Force Strict-Transport-Security,
+  - Force X-XSS-Protection,
+  - Force X-Content-Type-Options: nosniff.
+- Add [Dependabot](https://github.com/dependabot) in CI.
+
+### Changed
+
+- Upgrade to [Træfik](https://traefik.io/) [v2.8](https://doc.traefik.io/traefik/v2.8/).
+- Set minimum version of TLS to v1.2.
+- Move acme.json to a named volume.
+
 ## [1.3.0] 2021-03-05
 
 ### Added
@@ -41,6 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [Docker Compose](https://docs.docker.com/compose/) setup for starting [Træfik](https://traefik.io/)
 [v1.6](https://doc.traefik.io/traefik/v1.6/) with [Let's Encrypt](https://letsencrypt.org/).
 
+[2.0.0]: https://github.com/solution-libre/docker-traefik/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/solution-libre/docker-traefik/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/solution-libre/docker-traefik/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/solution-libre/docker-traefik/compare/v1.0.0...v1.1.0

diff --git a/NOTICE b/NOTICE
@@ -1,4 +1,4 @@
-Docker Træfik
+Træfik with Docker Compose
 
 Copyright 2018-2021 Solution Libre SAS
 

diff --git a/README.md b/README.md
@@ -44,15 +44,37 @@ docker compose up -d
 
 ### Environment variables
 
+#### `ACME_DNS_CHALLENGE`
+
+Activate DNS-01 Challenge. (Default: `false`)
+
+#### `ACME_DNS_CHALLENGE_PROVIDER`
+
+Use a DNS-01 based challenge provider rather than HTTPs.
+
 #### `ACME_EMAIL`
 
-Email address used for ACME registration. Default value: 'webmaster@my.domain.tld'
+Email address used for ACME registration. (Default: `webmaster@my.domain.tld`)
+
+#### `ACME_HTTP_CHALLENGE`
+
+Activate HTTP-01 Challenge. (Default: `false`)
+
+#### `ACME_TLS_CHALLENGE`
+
+Activate TLS-ALPN-01 Challenge. (Default: `true`)
+
+#### `DEFAULT_DOMAIN`
+
+Default TLS domains. (Default: `my.domain.tld`)
+
+#### `HTTP_PORT`
+
+HTTP listen port. (Default: `80`)
 
-#### `DOCKER_DOMAIN`
+#### `HTTPS_PORT`
 
-Default base domain used for the frontend rules.
-Can be overridden by setting the "traefik.domain" label on a container.
-Default value: 'my.domain.tld'
+HTTPs listen port. (Default: `443`)
 
 ## Development
 

diff --git a/config/middleware.toml b/config/middleware.toml
@@ -0,0 +1,7 @@
+[http.middlewares.default.headers]
+  browserXssFilter = true
+  contentTypeNosniff = true
+  frameDeny = false
+  stsIncludeSubdomains = true
+  stsSeconds = 315360000
+  stsPreload = true
diff --git a/config/tls.toml b/config/tls.toml
@@ -0,0 +1,20 @@
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_256_CBC_SHA"
+    ]
+    curvePreferences = [
+      "CurveP521",
+      "CurveP384"
+    ]
+    minVersion = "VersionTLS12"
+    preferServerCipherSuites = true
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,22 +2,52 @@ version: '3.3'
 
 services:
   traefik:
-    image: traefik:1.7-alpine
+    image: traefik:v2.8
     restart: always
-    command: --acme.email=${ACME_EMAIL} --docker.domain=${DOCKER_DOMAIN}
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.network=web
+      - --providers.file.directory=/etc/traefik
+      - --providers.file.watch=true
+      - --entrypoints.web.address=:${HTTP_PORT}
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --entrypoints.websecure.address=:${HTTPS_PORT}
+      - --entrypoints.websecure.http.middlewares=default@file
+      - --entrypoints.websecure.http.tls.domains=${DEFAULT_DOMAIN}
+      - --entrypoints.websecure.http.tls.options=default@file
+      - --certificatesresolvers.myresolver.acme.dnschallenge=${ACME_DNS_CHALLENGE}
+      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=${ACME_DNS_CHALLENGE_PROVIDER}
+      - --certificatesresolvers.myresolver.acme.httpchallenge=${ACME_HTTP_CHALLENGE}
+      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
+      - --certificatesresolvers.myresolver.acme.tlschallenge=${ACME_TLS_CHALLENGE}
+      - --certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}
+      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
+      # Enable API
+      #- --api
+      #- --api.insecure=true
+      # Optionally uncomment the following lines if you want to test/debug:
+      #- --log.level=DEBUG
+      #- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+      # Controls whether the server's certificate chain and host name is verified
+      #- --serverstransport.insecureskipverify=true
     ports:
-      - 80:80
-      - 443:443
+      - ${HTTP_PORT}:${HTTP_PORT}
+      - ${HTTPS_PORT}:${HTTPS_PORT}
+      # Enable API
       #- 8080:8080
     networks:
       - web
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./traefik.toml:/traefik.toml
-      - ./acme.json:/acme.json
-      - ./log:/log
+      - ./config:/etc/traefik:ro
+      - letsencrypt:/letsencrypt
+      - /var/run/docker.sock:/var/run/docker.sock:ro
     container_name: traefik
 
 networks:
   web:
     external: true
+
+volumes:
+  letsencrypt:
diff --git a/docker-volumes/letsencrypt b/docker-volumes/letsencrypt
@@ -0,0 +1 @@
+/var/lib/docker/volumes/traefik_letsencrypt/_data/
diff --git a/traefik.toml b/traefik.toml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		/var/lib/docker/volumes/traefik_letsencrypt/_data/