From f037e54a3558b500c8763e9d6876c03cde3c3ce5 Mon Sep 17 00:00:00 2001
From: Joseph Young <130690493+yousecjoe@users.noreply.github.com>
Date: Mon, 7 Oct 2024 11:49:35 -0400
Subject: [PATCH] ``` Revise Traefik configuration for improved security Commented out insecure API settings and employed HTTP challenge for certificate resolution using Let's Encrypt. Updated entry point names for clarity and reorganized volume mappings for better structure. Introduced a new 'whoami' service as a simple demonstration app. Ensured API exposure defaults to false to avoid unintended access issues. ```
---
 .gitignore | 1 +
 src/docker/containers/traefik/data/acme.json | 0
 .../containers/traefik/data/traefik.yml | 85 ++++++++++++-------
 .../containers/traefik/docker-compose.yml | 56 ++++++++----
 4 files changed, 98 insertions(+), 44 deletions(-)
 delete mode 100644 src/docker/containers/traefik/data/acme.json
diff --git a/.gitignore b/.gitignore
index 9be6841..62c9237 100644
--- a/.gitignore
+++ b/.gitignore
@@ -490,3 +490,4 @@ src/docker/containers/bind9/ns1*
 src/docker/containers/traefik/.env
 src/docker/containers/traefik/cf_api_token.txt
 src/docker/containers/traefik/data/.env
+src/docker/containers/traefik/data/letsencrypt/acme.json
diff --git a/src/docker/containers/traefik/data/acme.json b/src/docker/containers/traefik/data/acme.json
deleted file mode 100644
index e69de29..0000000
diff --git a/src/docker/containers/traefik/data/traefik.yml b/src/docker/containers/traefik/data/traefik.yml
index fcfab1a..4317a75 100644
--- a/src/docker/containers/traefik/data/traefik.yml
+++ b/src/docker/containers/traefik/data/traefik.yml
@@ -1,36 +1,63 @@ -api: - dashboard: true - insecure: true - debug: true +#api: +# dashboard: true +# insecure: true +# debug: true entryPoints: - http: + web: address: ":80" - http: - redirections: - entryPoint: - to: https - scheme: https - https: + + websecure: address: ":443" -serversTransport: - insecureSkipVerify: true -providers: - docker: - endpoint: "unix:///var/run/docker.sock" - exposedByDefault: false - # file: - # filename: /config.yml + certificatesResolvers: - cloudflare: + myresolver: acme: - email: "${CLOUDFLARE_EMAIL}" - storage: acme.json + email: "${EMAIL}" + storage: /letsencrypt/acme.json + httpChallenge: + # used during the challenge + entryPoint: web + +http: + routers: + blog: + rule: "Host(`home.youngsecurity.net`) && Path(`/`)" + tls: + certResolver: myresolver +#entryPoints: +# web: +# address: ":80" +# http: +# redirections: +# entryPoint: +# to: websecure +# scheme: https +# websecure: +# address: ":443" +#serversTransport: +# insecureSkipVerify: true +#providers: +# docker: +# endpoint: "unix:///var/run/docker.sock" +# exposedByDefault: false + # file: + # filename: /config.yml +#certificatesResolvers: +# youngsecurity: +# acme: +# email: "${EMAIL}" +# storage: /letsencrypt/acme.json + +# cloudflare: +# acme: +# email: "${CLOUDFLARE_EMAIL}" +# storage: /letsencrypt/acme.json # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default) - caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging - dnsChallenge: - provider: ${DNS_CHALLENGE_PROVIDER} - #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers. 
+# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging +# dnsChallenge: +# provider: ${DNS_CHALLENGE_PROVIDER} +# disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers. #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted - resolvers: - - "${DNS_CHALLENGE_RESOLVERS_0}" - - "${DNS_CHALLENGE_RESOLVERS_1}" \ No newline at end of file +# resolvers: +# - "${DNS_CHALLENGE_RESOLVERS_0}" +# - "${DNS_CHALLENGE_RESOLVERS_1}" \ No newline at end of file diff --git a/src/docker/containers/traefik/docker-compose.yml b/src/docker/containers/traefik/docker-compose.yml index 9ba93a7..6960432 100644 --- a/src/docker/containers/traefik/docker-compose.yml +++ b/src/docker/containers/traefik/docker-compose.yml 
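Review bot: The new `http: routers: blog:` block is dynamic configuration placed in the static configuration file; Traefik rejects unknown static keys at startup (a "field not found" error), so traefik.yml would fail to load as soon as it is mounted again, and with the `providers:` section now commented out nothing would serve that router anyway. The `blog` router belongs in a dynamic file loaded via `providers.file` (for example the commented `config.yml`), with its `tls:` / `certResolver: myresolver` lines moved along with it. The `web` entrypoint also lost the `http.redirections` to `websecure` that the old side had, so plain HTTP on :80 is now served rather than redirected; restoring that block (it survives as a comment further down) does not interfere with `httpChallenge`, since Traefik answers the challenge before the redirection applies. Note that the companion docker-compose change comments out the mount of this file, so everything here is currently inert and the container runs on its `command:` flags alone.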
@@ -3,17 +3,29 @@ services: #image: cgr.dev/chainguard/traefik:latest image: traefik:v3.2 container_name: traefik + command: + #- "--log.level=DEBUG" + - "--api.insecure=true" + - "--providers.docker=true" + - "--providers.docker.exposedbydefault=false" + #- "--entryPoints.web.address=:80" + #- "--entryPoints.websecure.address=:443" + - "--certificatesresolvers.myresolver.acme.tlschallenge=true" + - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" + #- "--certificatesresolvers.myresolver.acme.email=${EMAIL}" + #- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" + ports: + - "80:80" # For HTTP (usually serves HTTP/1.1 traffic) + - "8080:8080" # Web UI + - "443:443" + - "443:443/tcp" # For HTTPS (HTTP/2 or fallback to HTTP/1.1 via TLS over TCP) + - "443:443/udp" # For HTTP/3 (which runs over QUIC using UDP) restart: unless-stopped security_opt: - no-new-privileges:true networks: macvlan255: ipv4_address: 10.0.255.8 - ports: - - 80:80 # For HTTP (usually serves HTTP/1.1 traffic) - - 8080:8080 # Web UI - - 443:443/tcp # For HTTPS (HTTP/2 or fallback to HTTP/1.1 via TLS over TCP) - - 443:443/udp # For HTTP/3 (which runs over QUIC using UDP) environment: #CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env 
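Review bot: `--api.insecure=true` in the new `command:` block, together with the published `8080:8080`, serves the dashboard and the full API with no authentication on :8080, which contradicts the commit message (the equivalent `insecure: true` was just commented out in traefik.yml) and bypasses the `traefik-auth` basicauth router defined in the labels of the next hunk. Replace it with `- "--api.dashboard=true"` and drop `- "8080:8080"` so the dashboard is only reachable through the authenticated `traefik-secure` router (presumably pointed at `api@internal` via its service variable). `443:443` and `443:443/tcp` are the same binding listed twice; keep one. The staging `caserver` flag is fine for testing, but nothing in this file marks it as temporary, so a comment such as `# staging CA: remove this flag to obtain trusted certificates` would help.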
@@ -22,29 +34,43 @@ services: - cf_api_token env_file: .env # use .env volumes: - - /etc/localtime:/etc/localtime:ro + #- /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - - ./data/traefik.yml:/traefik.yml:ro - - ./data/acme.json:/acme.json - # - ./data/config.yml:/config.yml:ro - #user: "${RUNAS_USER_AND_GROUP}" + #- ./data/traefik.yml:/etc/traefik/traefik.yml:ro + - ./data/letsencrypt:/letsencrypt + # - ./data/config.yml:/config.yml:ro labels: - "traefik.enable=true" - - "traefik.http.routers.traefik.entrypoints=http" + - "traefik.http.routers.traefik.entrypoints=web" - "traefik.http.routers.traefik.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_RULE}" - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}" - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https" - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" - - "traefik.http.routers.traefik-secure.entrypoints=https" + - "traefik.http.routers.traefik-secure.entrypoints=websecure" - "traefik.http.routers.traefik-secure.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_RULE}" - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" - "traefik.http.routers.traefik-secure.tls=true" - - "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}" - - "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}" - - "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}" + #- "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}" + - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver" + - 
"traefik.tls.stores.default.defaultgeneratedcert.domain.main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}" + - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}" + #- "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}" - "traefik.http.routers.traefik-secure.service=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_SERVICE}" + whoami: + image: "traefik/whoami" + container_name: "simple-service" + networks: + macvlan255: + labels: + - "traefik.enable=true" + #- "traefik.http.routers.whoami.entrypoints=web" + - "traefik.http.routers.whoami.entrypoints=websecure" + - "traefik.http.routers.whoami.rule=Host(`whoami.home.youngsecurity.net`)" + - "traefik.http.routers.whoami.tls=true" + - "traefik.http.routers.whoami.tls.certresolver=myresolver" + secrets: cf_api_token: file: ./cf_api_token.txt
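Review bot: The new `./data/letsencrypt:/letsencrypt` bind mount is not used by anything, because the `--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json` flag is commented out in the `command:` block of the previous hunk and the traefik.yml mount that set `storage` is commented out here; as far as I know Traefik then falls back to its default `acme.json` in the container's working directory, so issued certificates are lost on every recreate and re-requested against Let's Encrypt's rate limits. Uncomment that storage flag (and the `acme.email` flag beside it) so the store lands in the directory the new .gitignore entry expects. The `whoami` service is published on `websecure` under a real hostname with no `traefik-auth` middleware, and unlike the traefik service it carries no `restart:` or `security_opt: - no-new-privileges:true`; if it is the usual echo service it reflects request headers and addresses to any client, so keep it behind the existing middleware or remove it once testing is done. The `services:` mapping this hunk edits starts outside the hunk.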