Traefik
Traefik Doc: https://doc.traefik.io/traefik/routing/providers/docker/
Config acme.json
- Setup
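# One-time host setup, run from the directory that will hold docker-compose.yml.
docker network create zabra # will be used by traefik and all containers behind it
touch acme.json
# ACME account key and issued certificates end up here; Traefik expects
# owner-only permissions on this file.
chmod 600 acme.json
touch /var/log/traefik-access.log
# Create user/password for the traefik GUI basic authentication
# and store the value in the variable CREDS=myuser:$$xyxxx in the .env file
# (keep .env owner-readable as well: chmod 600 .env).
# htpasswd prompts for the password on the terminal, so it never appears in argv
# or shell history. $USER is the current login name; replace it if the dashboard
# account should be called something else.
# sed doubles every $ in the bcrypt hash so docker-compose keeps it literal
# instead of treating it as a variable reference.
htpasswd -nB "$USER" | sed -e 's/\$/\$\$/g'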
Create the `traefik.toml` file with Let's Encrypt as certificate resolver.
traefik.toml
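[api]
dashboard = true
# insecure = true ## using https
# Leaving "insecure" unset means the API/dashboard is only reachable through the
# "api" router defined in docker-compose.yml (HTTPS + basic auth), not on the
# unauthenticated :8080 entry point.

[entryPoints]
[entryPoints.web]
address = ":80"
# Plain HTTP is only used for the ACME HTTP-01 challenge and for the
# permanent redirect to HTTPS below.
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
permanent = true

[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
# Default certificate resolver for routers on this entry point. It must name a
# resolver defined in this file; the only one is "letsencrypt". "default" is the
# name of the TLS *options* set in tls_config.toml, not a resolver, so the
# previous value did not match anything.
certResolver = "letsencrypt"

[accessLog]
# Path inside the container; docker-compose.yml binds it to
# /var/log/traefik-access.log on the host.
filePath = "/var/log/access.log"
format = "json"

# NOTE(review): http.middlewares is dynamic configuration and is most likely
# rejected by the static-config loader; /usersfile is also not mounted in
# docker-compose.yml. Dashboard authentication comes from the basicauth label
# on the traefik container instead, so this section is disabled here.
# [http.middlewares]
# [http.middlewares.test-auth.basicAuth]
# usersFile = "/usersfile"

[providers]
[providers.docker]
watch = true
# Containers must opt in with the label traefik.enable=true; nothing on the
# host is published by accident.
exposedByDefault = false
network = "zabra"
[providers.file]
filename = "/etc/traefik/tls_config.toml" # For TLS Hardening

[certificatesResolvers.letsencrypt.acme]
email = "user@email"
# Mounted as /acme.json by docker-compose.yml (chmod 600 on the host); the
# relative path is resolved against the container's working directory.
storage = "acme.json"
[certificatesResolvers.letsencrypt.acme.httpChallenge]
# used during the challenge
entryPoint = "web"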
TLS Hardening
Traefik TLS hardening: disable TLS 1.0 and TLS 1.1 and restrict the cipher suites.
tls_config.toml
# https://doc.traefik.io/traefik/https/tls/
# check results : nmap -Pn --script ssl-enum-ciphers -p 443 doc.enoks.fr or https://www.ssllabs.com/ssltest/analyze.html
# Loaded through [providers.file] in traefik.toml. The "default" option set
# applies to every TLS router that does not select another one.
[tls.options]
[tls.options.default]
# Reject handshakes whose SNI does not match a certificate Traefik holds
# (no fallback to the default certificate).
sniStrict = true
curvePreferences = ["CurveP521", "CurveP384"]
# Disables TLS 1.0 and TLS 1.1.
minVersion = "VersionTLS12"
# Forward-secret ECDHE suites with AEAD ciphers only (no CBC, no RSA key
# exchange). NOTE(review): this list governs TLS 1.2 handshakes; TLS 1.3 suites
# are fixed by the Go TLS stack and cannot be configured here — confirm.
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
# Stricter set that a router opts into explicitly (e.g. the label
# traefik.http.routers.<name>.tls.options=mintls13@file). NOTE(review): option
# sets do not appear to inherit from "default", so sniStrict would need to be
# repeated here if wanted — confirm.
[tls.options.mintls13]
minVersion = "VersionTLS13"
???+ example "docker-compose.yml with the tls config"
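# Adapt traefik_url
version: "3.3"
networks:
  zabra:
    external: true   # created once with: docker network create zabra
services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    hostname: "traefik"
    restart: always
    networks:
      - zabra
    labels:
      # dashboard access without port 8080
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik_url`)"
      - "traefik.http.routers.api.service=api@internal"
      # https
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      # auth + HSTS: a router has a single comma-separated middleware list, so
      # both middlewares go on one label. A second "routers.api.middlewares"
      # label replaces the first one (and with it the basic auth), which is
      # most likely why enabling STS on its own line broke authentication.
      - "traefik.http.routers.api.middlewares=auth,servicests"
      # CREDS comes from .env as user:hash with every $ doubled ($$) so that
      # compose keeps the bcrypt hash literal.
      - "traefik.http.middlewares.auth.basicauth.users=${CREDS}"
      # Enforce HSTS (HTTP Strict Transport Security) & STS Headers for the UI.
      - "traefik.http.middlewares.servicests.headers.stsseconds=31536000"
      - "traefik.http.middlewares.servicests.headers.stspreload=true"
      - "traefik.http.middlewares.servicests.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.servicests.headers.isdevelopment=false"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The Docker socket lets the container drive the daemon even when the
      # mount is read-only; keep exposedByDefault=false in traefik.toml and
      # consider a socket proxy that only allows the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Static config is never written by Traefik, so mount it read-only.
      - ./traefik.toml:/etc/traefik/traefik.toml:ro
      # Mount TLS config
      - ./tls_config.toml:/etc/traefik/tls_config.toml:ro
      # Must stay writable: Traefik stores the ACME account key and issued
      # certificates here (chmod 600 on the host).
      - ./acme.json:/acme.json
      - /var/log/traefik-access.log:/var/log/access.log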