Add security headers and tighten tls requirements.

2022-11-14 14:18:44 -08:00 · 2022-11-14 14:18:44 -08:00 · 59e2411528
commit 59e2411528
parent d52115d114
11 changed files with 24 additions and 2 deletions
--- a/jafner-tools/config/5etools/docker-compose.yml
+++ b/jafner-tools/config/5etools/docker-compose.yml
@ -14,6 +14,8 @@ services:
    labels:
      - traefik.http.routers.5etools.rule=Host(`5e.jafner.tools`)
      - traefik.http.routers.5etools.tls.certresolver=lets-encrypt
+      - traefik.http.routers.5etools.tls.options=tls12@file
+      - traefik.http.routers.5etools.middlewares=securityheaders@file

 networks:
  web:
--- a/jafner-tools/config/joplin/docker-compose.yml
+++ b/jafner-tools/config/joplin/docker-compose.yml
@ -14,7 +14,8 @@ services:
    labels:
      - traefik.http.routers.joplin.rule=Host(`joplin.jafner.tools`)
      - traefik.http.routers.joplin.tls.certresolver=lets-encrypt
-      #- traefik.http.middlewares.joplin.headers.customrequestheaders.X-Forwarded-Proto = http
+      - traefik.http.routers.joplin.tls.options=tls12@file
+      - traefik.http.routers.joplin.middlewares=securityheaders@file
      - traefik.http.services.joplin.loadbalancer.server.port=22300
      - traefik.http.services.joplin.loadbalancer.passhostheader=true
  joplin_db:
--- a/jafner-tools/config/librespeed/docker-compose.yml
+++ b/jafner-tools/config/librespeed/docker-compose.yml
@ -16,6 +16,8 @@ services:
    labels:
      - traefik.http.routers.librespeed.rule=Host(`speedtest.jafner.tools`)
      - traefik.http.routers.librespeed.tls.certresolver=lets-encrypt
+      - traefik.http.routers.librespeed.tls.options=tls12@file
+      - traefik.http.routers.librespeed.middlewares=securityheaders@file

 networks:
  web:
--- a/jafner-tools/config/traccar/docker-compose.yml
+++ b/jafner-tools/config/traccar/docker-compose.yml
@ -14,6 +14,8 @@ services:
    labels:
      - traefik.http.routers.traccar.rule=Host(`traccar.jafner.tools`)
      - traefik.http.routers.traccar.tls.certresolver=lets-encrypt
+      - traefik.http.routers.traccar.tls.options=tls12@file
+      - traefik.http.routers.traccar.middlewares=securityheaders@file
      - traefik.http.services.traccar.loadbalancer.server.port=8082
    networks:
      - web
--- a/jafner-tools/config/traefik/config/tls.yaml
+++ b/jafner-tools/config/traefik/config/tls.yaml
@ -0,0 +1,4 @@
+tls:
+  options:
+    tls12:
+      minVersion: VersionTLS12
--- a/jafner-tools/config/vaultwarden/docker-compose.yml
+++ b/jafner-tools/config/vaultwarden/docker-compose.yml
@ -13,6 +13,8 @@ services:
    labels:
      - traefik.http.routers.vaultwarden.rule=Host(`bitwarden.jafner.tools`)
      - traefik.http.routers.vaultwarden.tls.certresolver=lets-encrypt
+      - traefik.http.routers.vaultwarden.tls.options=tls12@file
+      - traefik.http.routers.vaultwarden.middlewares=securityheaders@file
 networks:
  web:
    external: true
--- a/jafner-tools/config/wireguard/docker-compose.yml
+++ b/jafner-tools/config/wireguard/docker-compose.yml
@ -21,6 +21,8 @@ services:
    labels:
      - traefik.http.routers.wg-easy.rule=Host(`vpn.jafner.tools`)
      - traefik.http.routers.wg-easy.tls.certresolver=lets-encrypt
+      - traefik.http.routers.wg-easy.tls.options=tls12@file
+      - traefik.http.routers.wg-easy.middlewares=securityheaders@file
      - traefik.http.services.wg-easy.loadbalancer.server.port=51821

 networks:
--- a/server/config/gitlab/docker-compose.yml
+++ b/server/config/gitlab/docker-compose.yml
@ -88,6 +88,8 @@ services:
    labels:
      - traefik.http.routers.gitlab.rule=Host(`gitlab.jafner.net`)
      - traefik.http.routers.gitlab.tls.certresolver=lets-encrypt
+      - traefik.http.routers.gitlab.tls.options=tls12@file
+      - traefik.http.routers.gitlab.middlewares=securityheaders@file
      - traefik.http.routers.gitlab.service=gitlab
      - traefik.http.services.gitlab.loadbalancer.server.port=80
      - traefik.http.routers.gitlab-registry.rule=Host(`registry.gitlab.jafner.net`)
--- a/server/config/monitoring/docker-compose.yml
+++ b/server/config/monitoring/docker-compose.yml
@ -22,7 +22,8 @@ services:
    labels:
      - traefik.http.routers.grafana.rule=Host(`grafana.jafner.net`)
      - traefik.http.routers.grafana.tls.certresolver=lets-encrypt
-      #- traefik.http.routers.grafana.middlewares=authelia@file
+      - traefik.http.routers.grafana.tls.options=tls12@file
+      - traefik.http.routers.grafana.middlewares=securityheaders@file

  prometheus:
    image: prom/prometheus:latest
--- a/server/config/plex/docker-compose.yml
+++ b/server/config/plex/docker-compose.yml
@ -66,6 +66,8 @@ services:
    labels:
      - traefik.http.routers.ombi.rule=Host(`ombi.jafner.net`)
      - traefik.http.routers.ombi.tls.certresolver=lets-encrypt
+      - traefik.http.routers.ombi.tls.options=tls12@file
+      - traefik.http.routers.ombi.middlewares=securityheaders@file
      - traefik.http.services.ombi.loadbalancer.server.port=3579   
    
 networks:
--- a/server/config/send/docker-compose.yml
+++ b/server/config/send/docker-compose.yml
@ -22,6 +22,8 @@ services:
    labels:
      - traefik.http.routers.send.rule=Host(`send.jafner.net`)
      - traefik.http.routers.send.tls.certresolver=lets-encrypt
+      - traefik.http.routers.send.tls.options=tls12@file
+      - traefik.http.routers.send.middlewares=securityheaders@file
      - traefik.http.services.send.loadbalancer.server.port=1234
      #- traefik.http.routers.send.middlewares=