diff --git a/rvproxy/Caddyfile b/rvproxy/Caddyfile
deleted file mode 100644
index c217b97..0000000
--- a/rvproxy/Caddyfile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Global options
-{
- auto_https disable_certs
- persist_config off
-}
-
-# Reverse-proxy configuration
-*.ublue.local {
- ## TLS certificates
- tls /certs/_.ublue.local/cert.pem /certs/_.ublue.local/key.pem
-
- # container registry
- @registry host registry.ublue.local
-
- handle @registry {
- reverse_proxy ublue-os_forge-registry.ublue.local:5000 {
- transport http {
- tls
- tls_trusted_ca_certs /certs/tls/ublue-os_forge-root.pem
- }
- }
- }
-
- # semaphore
- @semaphore host forge.ublue.local
-
- handle @semaphore {
- reverse_proxy ublue-os_forge-semaphore.ublue.local:3000
- }
-
- # Fallback for otherwise unhandled domains
- handle {
- respond "Bad hostname" 400
- }
-}
\ No newline at end of file
diff --git a/rvproxy/Containerfile b/rvproxy/Containerfile
deleted file mode 100644
index e8171f9..0000000
--- a/rvproxy/Containerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-# Source Image
-FROM docker.io/library/caddy:2.6.4-alpine
-
-# Add configuration file
-COPY ./Caddyfile /etc/caddy/Caddyfile
diff --git a/traefik/Containerfile b/traefik/Containerfile
new file mode 100644
index 0000000..79bad0c
--- /dev/null
+++ b/traefik/Containerfile
@@ -0,0 +1,5 @@
+# Source Image
+FROM docker.io/traefik:v2.11
+
+# Add configuration file
+COPY ./config/*.yml /etc/traefik/
diff --git a/traefik/config/fileConfig.yml b/traefik/config/fileConfig.yml
new file mode 100644
index 0000000..df73d23
--- /dev/null
+++ b/traefik/config/fileConfig.yml
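Review bot: `FROM docker.io/traefik:v2.11` is a floating minor tag, so every rebuild may pull a different image than the one reviewed here, whereas the removed Caddy Containerfile pinned an exact `2.6.4-alpine` release. Pinning to a specific patch tag or, better, a digest (`FROM docker.io/traefik:v2.11@sha256:<digest-placeholder>`) makes the build reproducible and turns a base-image update into a visible diff. The `COPY ./config/*.yml /etc/traefik/` line is fine as long as only the two config files live under `config/`; a glob copies anything else that lands there too.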
@@ -0,0 +1,43 @@
+---
+http:
+ ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
+ routers:
+ ## SERVICES ##
+ services:
+ ## MIDDLEWARES ##
+ middlewares:
+ securityHeaders:
+ headers:
+ customResponseHeaders:
+ X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+ X-Forwarded-Proto: "https"
+ server: ""
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ sslProxyHeaders:
+ X-Forwarded-Proto: "https"
+ referrerPolicy: "same-origin"
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
+ contentTypeNosniff: true
+ browserXssFilter: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsSeconds: 63072000
+ stsPreload: true
+
+# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
+tls:
+ certificates:
+ - certFile: /certs/_.ublue.local/cert.pem
+ keyFile: /certs/_.ublue.local/key.pem
+ options:
+ default:
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
diff --git a/traefik/config/traefik.yml b/traefik/config/traefik.yml
new file mode 100644
index 0000000..d6ff00b
--- /dev/null
+++ b/traefik/config/traefik.yml
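Review bot: `routers:` and `services:` are left as bare keys, which YAML reads as null rather than as empty mappings; writing `routers: {}` and `services: {}` states the intent and avoids a loader treating them as missing values. The `X-Forwarded-Proto: "https"` entry under `customResponseHeaders` is a request-side hint that means nothing on a response to a browser, so it is probably a stray copy of the `customRequestHeaders` line and can be dropped. Since the `default` TLS option serves a wildcard certificate for `*.ublue.local`, consider adding `sniStrict: true` under `options.default` so a connection that presents no or a non-matching SNI is refused instead of being answered with that certificate. The Mozilla link in the comment targets Traefik 2.6.0 while the image is v2.11; re-checking the generated list against the current version keeps the comment honest.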
@@ -0,0 +1,53 @@
+# Traefik configuration
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+serversTransport:
+ insecureSkipVerify: true
+
+api:
+ dashboard: true
+
+# Log level INFO|DEBUG|ERROR
+log:
+ level: INFO
+
+# Configuring a buffer of 100 lines
+accessLog:
+ filePath: "/etc/traefik/access.log"
+ bufferingSize: 100
+
+entryPoints:
+ # Not used in apps, but redirect everything from HTTP to HTTPS
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ # HTTPS endpoint, with domain wildcard
+ websecure:
+ address: :443
+ http:
+ tls:
+ domains:
+ - main: ublue.local
+ sans:
+ - "*.ublue.local"
+ middlewares:
+ - securityHeaders@file
+
+providers:
+ providersThrottleDuration: 2s
+ # File provider for connecting things that are outside of docker / defining middleware
+ file:
+ filename: /etc/traefik/fileConfig.yml
+ watch: true
+ # Docker / Podman configuration backend
+ docker:
+ watch: true
+ network: "ublue-os_forge"
+ exposedByDefault: false
+ endpoint: "unix:///var/run/podman.sock"
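Review bot: `serversTransport: insecureSkipVerify: true` disables certificate verification for every backend Traefik proxies to, which is a regression from the removed Caddyfile that authenticated the registry upstream against `tls_trusted_ca_certs /certs/tls/ublue-os_forge-root.pem`; with this setting no TLS backend is verified at all. The Traefik equivalent is to drop `insecureSkipVerify` and trust the same root, `serversTransport:` / `  rootCAs:` / `    - /certs/tls/ublue-os_forge-root.pem`, assuming that file is still mounted into the Traefik container, which this diff does not show. Separately, `endpoint: "unix:///var/run/podman.sock"` hands the Docker provider the full container-runtime API, so mounting it read-only or through a socket proxy is worth considering; `exposedByDefault: false` is the right default to pair with it. Minor: fileConfig.yml opens with `---` and this file does not, so pick one convention for both.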