```
Revise Traefik configuration for improved security

Commented out insecure API settings and employed HTTP challenge for certificate resolution using Let's Encrypt. Updated entry point names for clarity and reorganized volume mappings for better structure. Introduced a new 'whoami' service as a simple demonstration app. Ensured API exposure defaults to false to avoid unintended access issues.
```
yousecjoe committed Oct 7, 2024
1 parent 76d6a11 commit f037e54
Showing 4 changed files with 98 additions and 44 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -490,3 +490,4 @@ src/docker/containers/bind9/ns1*
src/docker/containers/traefik/.env
src/docker/containers/traefik/cf_api_token.txt
src/docker/containers/traefik/data/.env
src/docker/containers/traefik/data/letsencrypt/acme.json
Empty file.
85 changes: 56 additions & 29 deletions src/docker/containers/traefik/data/traefik.yml
@@ -1,36 +1,63 @@
api:
dashboard: true
insecure: true
debug: true
#api:
# dashboard: true
# insecure: true
# debug: true
entryPoints:
http:
web:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:

websecure:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
# file:
# filename: /config.yml

certificatesResolvers:
cloudflare:
myresolver:
acme:
email: "${CLOUDFLARE_EMAIL}"
storage: acme.json
email: "${EMAIL}"
storage: /letsencrypt/acme.json
httpChallenge:
# used during the challenge
entryPoint: web

http:
routers:
blog:
rule: "Host(`home.youngsecurity.net`) && Path(`/`)"
tls:
certResolver: myresolver
#entryPoints:
# web:
# address: ":80"
# http:
# redirections:
# entryPoint:
# to: websecure
# scheme: https
# websecure:
# address: ":443"
#serversTransport:
# insecureSkipVerify: true
#providers:
# docker:
# endpoint: "unix:///var/run/docker.sock"
# exposedByDefault: false
# file:
# filename: /config.yml
#certificatesResolvers:
# youngsecurity:
# acme:
# email: "${EMAIL}"
# storage: /letsencrypt/acme.json

# cloudflare:
# acme:
# email: "${CLOUDFLARE_EMAIL}"
# storage: /letsencrypt/acme.json
# caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
dnsChallenge:
provider: ${DNS_CHALLENGE_PROVIDER}
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
# dnsChallenge:
# provider: ${DNS_CHALLENGE_PROVIDER}
# disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
#delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
resolvers:
- "${DNS_CHALLENGE_RESOLVERS_0}"
- "${DNS_CHALLENGE_RESOLVERS_1}"
# resolvers:
# - "${DNS_CHALLENGE_RESOLVERS_0}"
# - "${DNS_CHALLENGE_RESOLVERS_1}"
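Review bot: The `web` entry point's redirect still targets `to: https` (L44) while the HTTPS entry point is now named `websecure` (L48), so unless an `https` entry point is defined elsewhere the redirect no longer names an existing entry point; Traefik treats a `to` value that is not an entry-point name as a literal port/address, so the line should read `to: websecure`, as the commented copy at L83 already does. Whether L44 survives on the new side cannot be told from the rendered page, but the only `websecure` target shown is the commented one. The `http: routers:` block (L71-L76) is dynamic configuration and does not belong in the static traefik.yml — Traefik's static loader is likely to reject it as an unknown key — so move that router into a file-provider config (the commented `file: filename: /config.yml` at L93-L94) or into container labels. Also, the new `myresolver` carries no `caServer` here while the compose `command:` points the same resolver at the staging directory, so state the intended CA in one place.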
56 changes: 41 additions & 15 deletions src/docker/containers/traefik/docker-compose.yml
Expand Up @@ -3,17 +3,29 @@ services:
#image: cgr.dev/chainguard/traefik:latest
image: traefik:v3.2
container_name: traefik
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
#- "--entryPoints.web.address=:80"
#- "--entryPoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
#- "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
#- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80" # For HTTP (usually serves HTTP/1.1 traffic)
- "8080:8080" # Web UI
- "443:443"
- "443:443/tcp" # For HTTPS (HTTP/2 or fallback to HTTP/1.1 via TLS over TCP)
- "443:443/udp" # For HTTP/3 (which runs over QUIC using UDP)
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
macvlan255:
ipv4_address: 10.0.255.8
ports:
- 80:80 # For HTTP (usually serves HTTP/1.1 traffic)
- 8080:8080 # Web UI
- 443:443/tcp # For HTTPS (HTTP/2 or fallback to HTTP/1.1 via TLS over TCP)
- 443:443/udp # For HTTP/3 (which runs over QUIC using UDP)
environment:
#CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
Expand All @@ -22,29 +34,43 @@ services:
- cf_api_token
env_file: .env # use .env
volumes:
- /etc/localtime:/etc/localtime:ro
#- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
# - ./data/config.yml:/config.yml:ro
#user: "${RUNAS_USER_AND_GROUP}"
#- ./data/traefik.yml:/etc/traefik/traefik.yml:ro
- ./data/letsencrypt:/letsencrypt
# - ./data/config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_RULE}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.entrypoints=websecure"
- "traefik.http.routers.traefik-secure.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_RULE}"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
#- "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}"
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
#- "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
- "traefik.http.routers.traefik-secure.service=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_SERVICE}"

whoami:
image: "traefik/whoami"
container_name: "simple-service"
networks:
macvlan255:
labels:
- "traefik.enable=true"
#- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.home.youngsecurity.net`)"
- "traefik.http.routers.whoami.tls=true"
- "traefik.http.routers.whoami.tls.certresolver=myresolver"

secrets:
cf_api_token:
file: ./cf_api_token.txt
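Review bot: `--api.insecure=true` in the new `command:` block (L129) re-enables the unauthenticated API and dashboard on port 8080, which `ports:` still publishes as `8080:8080` (L152), so the description's claim that insecure API settings were commented out does not hold for the running container; drop that flag and reach the dashboard only through the `traefik-secure` router, which already carries the `traefik-auth` basicauth middleware (L184), using `--api.dashboard=true` without `--api.insecure` if the dashboard is wanted. The `command:` block also declares `myresolver` with `tlschallenge=true` and the staging CA (L134-L135) while traefik.yml declares the same resolver with `httpChallenge`; since the only traefik.yml mount visible on the new side is commented out (L169), the file may no longer be read at all and the CLI flags become the effective static configuration, so keep the resolver in one source so the challenge type and CA server are unambiguous. The staging directory issues certificates browsers do not trust, so the `caserver` flag should be removed (or pointed at the production directory) before `whoami` and the dashboard are served on `websecure`.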
