feat: add comprehensive Traefik security hardening
Added security enhancements to Traefik reverse proxy:
**TLS Security:**
- Minimum TLS 1.2 enforced
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- Modern curve preferences (P-521, P-384)
- SNI strict mode enabled
**HTTP Security Headers:**
- HSTS with 1-year max-age, includeSubdomains, and preload
- X-Frame-Options: SAMEORIGIN (clickjacking protection)
- X-XSS-Protection enabled
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (disable camera, mic, geolocation, etc.)
- X-Robots-Tag for SEO control
**Rate Limiting Middlewares:**
- General: 100 req/s average, 50 burst
- API endpoints: 30 req/s average, 15 burst
**Configuration:**
- Enabled Traefik file provider for dynamic config
- Security headers applied globally to web-secure entrypoint
- Dynamic config in proxy/dynamic/security.yaml
- Auto-reloads on config changes
All HTTPS traffic now benefits from enhanced security headers.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-04 23:20:34 +01:00
|
|
|
tls:
|
|
|
|
|
options:
|
|
|
|
|
default:
|
|
|
|
|
minVersion: VersionTLS12
|
|
|
|
|
cipherSuites:
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
|
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
|
|
|
- TLS_AES_128_GCM_SHA256
|
|
|
|
|
- TLS_AES_256_GCM_SHA384
|
|
|
|
|
- TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
|
curvePreferences:
|
|
|
|
|
- CurveP521
|
|
|
|
|
- CurveP384
|
|
|
|
|
sniStrict: true
|
|
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
middlewares:
|
|
|
|
|
# Security Headers Middleware
|
|
|
|
|
security-headers:
|
|
|
|
|
headers:
|
|
|
|
|
# HSTS (HTTP Strict Transport Security)
|
|
|
|
|
stsSeconds: 31536000
|
|
|
|
|
stsIncludeSubdomains: true
|
|
|
|
|
stsPreload: true
|
|
|
|
|
|
|
|
|
|
# Force HTTPS
|
|
|
|
|
forceSTSHeader: true
|
|
|
|
|
|
|
|
|
|
# Clickjacking protection
|
|
|
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
|
|
|
|
|
|
|
|
# XSS Protection
|
|
|
|
|
browserXssFilter: true
|
|
|
|
|
|
|
|
|
|
# Content Type sniffing protection
|
|
|
|
|
contentTypeNosniff: true
|
|
|
|
|
|
|
|
|
|
# Referrer Policy
|
|
|
|
|
referrerPolicy: "strict-origin-when-cross-origin"
|
|
|
|
|
|
|
|
|
|
# Permissions Policy (formerly Feature Policy)
|
|
|
|
|
customResponseHeaders:
|
|
|
|
|
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
|
|
|
|
|
Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"
|
|
|
|
|
X-Content-Type-Options: "nosniff"
|
|
|
|
|
X-Frame-Options: "SAMEORIGIN"
|
|
|
|
|
|
|
|
|
|
# Rate Limiting Middleware (optional, can be applied per service)
|
|
|
|
|
rate-limit:
|
|
|
|
|
rateLimit:
|
|
|
|
|
average: 100
|
|
|
|
|
burst: 50
|
|
|
|
|
period: 1s
|
|
|
|
|
|
|
|
|
|
# Rate Limiting for API endpoints (stricter)
|
|
|
|
|
api-rate-limit:
|
|
|
|
|
rateLimit:
|
|
|
|
|
average: 30
|
|
|
|
|
burst: 15
|
|
|
|
|
period: 1s
|
2025-11-06 08:17:42 +01:00
|
|
|
|
|
|
|
|
# Basic Auth for Traefik Dashboard
|
|
|
|
|
dashboard-auth:
|
|
|
|
|
basicAuth:
|
|
|
|
|
usersFile: /etc/traefik/.htpasswd
|