
---
# Traefik static configuration options
# Read only at startup — changes in this section take effect after a restart.
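global:
  # Opt out of Traefik's anonymous usage statistics reporting.
  sendAnonymousUsage: false
# Left disabled on purpose: insecureSkipVerify would make Traefik accept any
# certificate presented by a backend, removing TLS authentication on the
# Traefik -> service hop. For self-signed backends, trust their CA via
# serversTransport.rootCAs instead of switching verification off.
# serversTransport:
#   insecureSkipVerify: true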
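entryPoints:
  # Plain HTTP. It serves nothing itself: every request is redirected to the
  # TLS entrypoint below via Traefik's entrypoint-level redirection.
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  # TLS entrypoint; certificates are obtained through certificatesResolvers.
  websecure:
    address: ":443"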
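providers:
  # File provider: the dynamic configuration (the tls/http sections further
  # down in this file) is read from here. The path is assumed to be where
  # this file is deployed — verify it against the role's copy/mount task.
  file:
    filename: "/etc/traefik/traefik.yml"
  # Docker provider: routes are discovered from container labels.
  docker:
    watch: true
    # Access to the Docker socket is root-equivalent on the host; mounting it
    # read-only limits (but does not remove) that exposure.
    endpoint: "unix:///var/run/docker.sock"
    # Containers are only routed when they carry traefik.enable=true, so a
    # newly started container is never exposed by accident.
    exposedByDefault: false
    # Docker network Traefik uses to reach the backend containers.
    network: traefik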
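api:
  # The dashboard is reachable only through the api@internal service behind
  # the basic-auth protected "api" router below. `insecure` is deliberately
  # left unset, so nothing unauthenticated listens on the internal entrypoint.
  dashboard: true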
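metrics:
  # Prometheus endpoint with default settings. With no entryPoint configured
  # it is served on the internal "traefik" entrypoint (port 8080 by default) —
  # make sure that port is not published beyond the monitoring network.
  prometheus: {}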
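# Health-check endpoint (/ping). Like the metrics it lives on the internal
# "traefik" entrypoint unless an entryPoint is configured here.
ping: {}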
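log:
  # Traefik's own log. WARN keeps routine noise out while errors stay visible.
  level: WARN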
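accessLog:
  # Access log goes to a file inside the /data volume rather than to stdout.
  filePath: "/data/logs/access.log"
  # Lines are buffered in memory before being flushed; buffered lines may be
  # lost if the process is killed uncleanly, so keep this small.
  bufferingSize: 128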
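certificatesResolvers:
  # Production Let's Encrypt account, referenced by the routers' certResolver.
  letsencrypt:
    acme:
      # Placeholder address: Let's Encrypt sends expiry and incident notices
      # here, so replace it before deploying or those notices are lost.
      email: "changeme@chaospott.de"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      # Holds the ACME account key and every issued private key. Traefik
      # requires mode 0600 on it; never commit it or back it up unencrypted.
      storage: "/data/acme.json"
      keyType: "EC384"
      # httpChallenge:
      #   entryPoint: web
      # DNS-01 is required for the wildcard certificate requested by the api
      # router below. The inwx API credentials are read from the container
      # environment, not from this file — keep them out of version control.
      dnsChallenge:
        provider: inwx  # more available at: https://doc.traefik.io/traefik/https/acme/#providers
        # Resolvers Traefik queries to confirm the challenge record is visible
        # before asking LE to issue. They must be public resolvers (Quad9),
        # not an internal/split-horizon DNS server.
        resolvers: ["9.9.9.9", "2620:fe::fe"]
  # Staging CA for testing new services: it issues certificates browsers do
  # not trust, but has far higher rate limits than production.
  letsencrypt-staging:
    acme:
      email: "changeme@chaospott.de"
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage: "/data/acme-staging.json"
      keyType: "EC384"
      # httpChallenge:
      #   entryPoint: web
      dnsChallenge:
        provider: inwx
        # Same requirement as above: public resolvers only (Quad9).
        resolvers: ["9.9.9.9", "2620:fe::fe"]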
###
# Traefik dynamic configuration options
# This part of the file is live-reloaded.
# Not all dynamic options can be set via labels. This is why some general, dynamic
# traefik options are configured here instead of via labels.
# See also: https://github.com/traefik/traefik/issues/5507
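tls:
  options:
    # Applied to every TLS router that does not name its own options.
    default:
      # Reject ClientHellos without a matching SNI instead of falling back to
      # the default certificate.
      sniStrict: true
      # # Forced TLS v1.3 still causes issues like renovate failing to check our repos
      # minVersion: "VersionTLS13"
      # # TLS v1.2 Alternative config for more compatibility
      minVersion: "VersionTLS12"
      # Forward-secret AEAD suites only. This list governs TLS 1.2 handshakes;
      # Go fixes the TLS 1.3 suites itself and ignores this setting for them.
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"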
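# global HTTP config
http:
  routers:
    # Dashboard/API router. Because it carries a tls section it only matches
    # TLS requests (websecure); an explicit `entryPoints: ["websecure"]` would
    # make that intent visible rather than implied.
    api:
      rule: "Host(`traefik.chaospott.de`)"
      service: api@internal
      # Basic auth is the only control between the internet and the
      # dashboard — keep this middleware attached.
      middlewares: ["dashboard-auth"]
      tls:
        certResolver: "letsencrypt"
        # generate cert for main domain and wildcard (requires DNS-01)
        # Two separate certificates are requested, one per `main` entry.
        domains:
          - main: "chaospott.de"
          - main: "*.chaospott.de"
  middlewares:
    # Explicit scheme redirect for services that attach it. The web
    # entrypoint already redirects everything, so this is a duplicate safety.
    redirect-to-https:
      redirectScheme:
        scheme: "https"
    hsts-header:
      headers:
        # HSTSPreload is an initiative that forces browsers to only access a website
        # via HTTPS. This implies some requirements. https://hstspreload.org/
        # Explicitly empty. The options below are direct `headers` settings;
        # if they were nested under customResponseHeaders they would be sent
        # as literal response headers (e.g. "stsSeconds: 3600") and none of
        # the protections would apply.
        customResponseHeaders: {}
        frameDeny: true  # X-Frame-Options: DENY — forbid embedding into frames
        # Deprecated in Traefik v2 and removed in v3; the entrypoint
        # redirection already covers this, so it can be dropped.
        sslRedirect: true
        # 1 hour: browsers enforce HTTPS only for this long after a visit, and
        # hstspreload.org requires at least 31536000 (1 year). Raise it once
        # HTTPS-only operation is confirmed; until then `preload` below is
        # not accepted by the preload list.
        stsSeconds: 3600
        stsPreload: true  # HSTSPreload requirement
        stsIncludeSubdomains: true  # HSTSPreload requirement
        # Sends X-XSS-Protection: 1; mode=block. Current browsers ignore it;
        # harmless to keep, but no substitute for a Content-Security-Policy.
        browserXssFilter: true
    dashboard-auth:
      # Documented spelling is basicAuth; Traefik's parser matches keys
      # case-insensitively, so this only aligns with the docs and the rest of
      # this file.
      basicAuth:
        # Must be an htpasswd line (user:hash), e.g. from `htpasswd -nB admin`;
        # a plaintext password here authenticates nobody. Keep the real value
        # out of version control (usersFile or a vaulted variable).
        users: "admin:htpasswd-generated-password"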