From 40fc8e00d349da9dc2f455715dfbcacceda7ba20 Mon Sep 17 00:00:00 2001
From: stratholme
Date: Tue, 9 Jun 2020 21:02:11 +0200
Subject: [PATCH 1/6] add stratholme specific compose file
---
 docker-compose.stratholme.yml | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 docker-compose.stratholme.yml
diff --git a/docker-compose.stratholme.yml b/docker-compose.stratholme.yml
new file mode 100644
index 0000000..0d7cc36
--- /dev/null
+++ b/docker-compose.stratholme.yml
@@ -0,0 +1,50 @@
+version: '2'
+
+services:
+ proxy:
+ image: traefik:v2.1
+ ports:
+ - "80:80"
+ - "443:443"
+ - "10.0.0.2:8080:8080"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "./cert/:/cert/"
+ - "./config/:/etc/traefik/:ro"
+ labels:
+ - "traefik.enable=true" # set to true to expose the Monitoring & API
+ # middleware redirect
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ # global redirect to https
+ - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+ - "traefik.http.routers.http-catchall.entrypoints=web"
+ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+
+ # Password middleware
+ - "traefik.http.middlewares.simpleauth.basicauth.users=zombi:$$apr1$$kv8xG9wi$$4UPHqcvKnYUab/tts6ZIU1"
+ # Dashboard, running at https://zom.bi/dashboard/
+ - "traefik.http.routers.dashboard.rule=Host(`zom.bi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+ - "traefik.http.routers.dashboard.entrypoints=websecure"
+ - "traefik.http.routers.dashboard.service=api@internal"
+ - "traefik.http.routers.dashboard.middlewares=simpleauth"
+ - "traefik.http.routers.dashboard.tls=true"
+ - "traefik.http.routers.dashboard.tls.certresolver=default"
+ - "traefik.docker.network=proxy_web"
+ networks:
+ - "web"
+
+ dumper:
+ image: ldez/traefik-certs-dumper:latest
+ volumes:
+ - "./cert/:/cert/"
+ - "/data/ssl/:/ssl/"
+ command: >
+ file --watch --source /cert/acme.json --version v2 --domain-subdir
+ --crt-name=fullchain --crt-ext=.pem
+ --key-name=privkey --key-ext=.pem
+ --dest /ssl
+
+
+networks:
+ web:
+ driver: bridge
From 8c126fdc768fb5dd066bd3d59726f6d8afad3d76 Mon Sep 17 00:00:00 2001
From: stratholme
Date: Tue, 9 Jun 2020 21:06:26 +0200
Subject: [PATCH 2/6] cleanup workdir: add readme for host specific compose file
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..714f46f
--- /dev/null
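Review bot: The `simpleauth` label commits a credential to the repository: `basicauth.users=zombi:$$apr1$$…` is an Apache MD5-crypt password hash, and once pushed it is readable by everyone with history access and offers little resistance to offline guessing. Traefik's basicauth middleware can load users from a file, so `traefik.http.middlewares.simpleauth.basicauth.usersfile=/etc/traefik/<users-file>` (placeholder name) with that file kept out of VCS, ideally bcrypt-hashed, keeps the secret out of the compose file; if this hash has already been published, rotate the password. The `dumper` service pulls `ldez/traefik-certs-dumper:latest` while `proxy` is pinned to `traefik:v2.1`; pinning both keeps the deployment reproducible and reviewable. The read-only docker socket mount still grants the proxy container full Docker API access, which is inherent to the docker provider and worth a comment on the `volumes:` line so it is a conscious choice.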
+++ b/README.md
@@ -0,0 +1,5 @@
+run on stratholme:
+
+```
+docker-compose -f docker-compose.stratholme.yml up
+```
From 1c3113d44037b34f18a3068f8fc33db8fd42790a Mon Sep 17 00:00:00 2001
From: Linuro
Date: Thu, 15 Oct 2020 22:59:34 +0200
Subject: [PATCH 3/6] removing unused port
---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index b5d254e..8cf8eb4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,6 @@ services:
 ports:
 - "80:80"
 - "443:443"
- - "10.0.0.1:8080:8080"
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - "./cert/:/cert/"
From 66156dc36e553a88eb9aff1f8822f322ee9189b5 Mon Sep 17 00:00:00 2001
From: Linuro
Date: Thu, 15 Oct 2020 23:09:02 +0200
Subject: [PATCH 4/6] removing unneccesary docker.compose.stratholme.yml
---
 docker-compose.stratholme.yml | 50 -----------------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 docker-compose.stratholme.yml
diff --git a/docker-compose.stratholme.yml b/docker-compose.stratholme.yml
deleted file mode 100644
index 0d7cc36..0000000
--- a/docker-compose.stratholme.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-version: '2'
-
-services:
- proxy:
- image: traefik:v2.1
- ports:
- - "80:80"
- - "443:443"
- - "10.0.0.2:8080:8080"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
- - "./cert/:/cert/"
- - "./config/:/etc/traefik/:ro"
- labels:
- - "traefik.enable=true" # set to true to expose the Monitoring & API
- # middleware redirect
- - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- # global redirect to https
- - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- - "traefik.http.routers.http-catchall.entrypoints=web"
- - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
-
- # Password middleware
- - "traefik.http.middlewares.simpleauth.basicauth.users=zombi:$$apr1$$kv8xG9wi$$4UPHqcvKnYUab/tts6ZIU1"
- # Dashboard, running at https://zom.bi/dashboard/
- - "traefik.http.routers.dashboard.rule=Host(`zom.bi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- - "traefik.http.routers.dashboard.entrypoints=websecure"
- - "traefik.http.routers.dashboard.service=api@internal"
- - "traefik.http.routers.dashboard.middlewares=simpleauth"
- - "traefik.http.routers.dashboard.tls=true"
- - "traefik.http.routers.dashboard.tls.certresolver=default"
- - "traefik.docker.network=proxy_web"
- networks:
- - "web"
-
- dumper:
- image: ldez/traefik-certs-dumper:latest
- volumes:
- - "./cert/:/cert/"
- - "/data/ssl/:/ssl/"
- command: >
- file --watch --source /cert/acme.json --version v2 --domain-subdir
- --crt-name=fullchain --crt-ext=.pem
- --key-name=privkey --key-ext=.pem
- --dest /ssl
-
-
-networks:
- web:
- driver: bridge
From f119bd7c375adab924ce839f47112e40772059bd Mon Sep 17 00:00:00 2001
From: Chris
Date: Thu, 5 Nov 2020 20:41:47 +0100
Subject: [PATCH 5/6] update tls options fixes #39
---
 config/traefik.toml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/config/traefik.toml b/config/traefik.toml
index c72af33..c7a595e 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -49,3 +49,17 @@
 [[tls.certificates]]
 certFile = "cert/grun.host.origin.pem"
 keyFile = "cert/grun.host.origin.key"
+
+[tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_CHACHA20_POLY1305_SHA256",
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ ]
+ [tls.options.mintls13]
+ minVersion = "VersionTLS13"
\ No newline at end of file
From 85ca1d8890f4b43c9e2e777cfe7eadd30244935f Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 6 Nov 2020 17:55:48 +0100
Subject: [PATCH 6/6] move tls configuration from static configuration to dynamic configuration
---
 config/dynamic/tls.yml | 11 +++++++++++
 config/traefik.toml | 20 +++++---------------
 docker-compose.yml | 3 ++-
 3 files changed, 18 insertions(+), 16 deletions(-)
 create mode 100644 config/dynamic/tls.yml
diff --git a/config/dynamic/tls.yml b/config/dynamic/tls.yml
new file mode 100644
index 0000000..94311c1
--- /dev/null
+++ b/config/dynamic/tls.yml
@@ -0,0 +1,11 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_CHACHA20_POLY1305_SHA256
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
diff --git a/config/traefik.toml b/config/traefik.toml
index c7a595e..c43fd81 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -34,6 +34,10 @@
 exposedByDefault = false
 defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
 
+[providers.file]
+ directory = "/etc/traefik/dynamic"
+ watch = true
+
 [certificatesResolvers.default.acme]
 email = "hostmaster@zom.bi"
 storage = "/cert/acme.json"
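Review bot: The `cipherSuites` list under `[tls.options.default]` mixes TLS 1.3 suites (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) with TLS 1.2 suites, but Go's crypto/tls, which Traefik is built on, does not let applications select TLS 1.3 suites, so those three entries are accepted without effect; a comment such as `# TLS 1.3 suites are fixed by Go; only the ECDHE_RSA entries below restrict TLS 1.2` would stop readers from treating them as enforced. The 1.2 portion lists only `TLS_ECDHE_RSA_*` suites, so an ECDSA-keyed certificate would have no negotiable TLS 1.2 suite; confirm the ACME and `cert/*` certificates are RSA before keeping the list this narrow, otherwise add the `TLS_ECDHE_ECDSA_*` counterparts. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the patch 6 hunk that rewrites the `keyFile` line in this file carries forward; adding the newline there would fix it. The same cipher list is copied into `config/dynamic/tls.yml` in patch 6, where these remarks apply unchanged.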
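Review bot: The `mintls13` option that existed in the static `[tls.options]` block is not recreated in `tls.yml`, so the commit drops it rather than moving it as the title says; any router that referenced `mintls13@file` would no longer resolve its TLS options. If no router uses it, a line in the commit message noting the intentional removal would make the move easier to audit; otherwise add `mintls13:` with `minVersion: VersionTLS13` under `options:` alongside `default`. The plain scalars here (`VersionTLS12` and the suite names) are unambiguous to YAML's implicit typing, so no quoting is needed.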
@@ -48,18 +52,4 @@
 keyFile = "cert/bitmask.me.origin.key"
 [[tls.certificates]]
 certFile = "cert/grun.host.origin.pem"
- keyFile = "cert/grun.host.origin.key"
-
-[tls.options]
- [tls.options.default]
- minVersion = "VersionTLS12"
- cipherSuites = [
- "TLS_CHACHA20_POLY1305_SHA256",
- "TLS_AES_128_GCM_SHA256",
- "TLS_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- ]
- [tls.options.mintls13]
- minVersion = "VersionTLS13"
\ No newline at end of file
+ keyFile = "cert/grun.host.origin.key"
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 8cf8eb4..ce50979 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'

 services:
 proxy:
- image: traefik:v2.1
+ image: traefik:v2.3
 ports:
 - "80:80"
 - "443:443"
@@ -10,6 +10,7 @@ services:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - "./cert/:/cert/"
 - "./config/:/etc/traefik/:ro"
+ - "./config/dynamic/:/etc/traefik/dynamic/:ro"
 labels:
 - "traefik.enable=true" # set to true to expose the Monitoring & API
 # middleware redirect
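Review bot: The added mount `./config/dynamic/:/etc/traefik/dynamic/:ro` is already provided by the existing `./config/:/etc/traefik/:ro` mount two lines above, since `config/dynamic` is a subdirectory of `config`; the second bind mount is redundant. Either drop the new line, or, if the intent is to expose only the dynamic directory to the file provider declared with `directory = "/etc/traefik/dynamic"` in this series' traefik.toml hunk, narrow the existing mount instead of adding a nested one. The `:ro` flag is correct for both, as `watch = true` only needs read access.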