docker-compose

valknar/docker-compose

Fork 0

Commit Graph

Author	SHA1	Message	Date
Sebastian Krüger	d3850e559a	refactor: use inline basicauth for Traefik dashboard Changed dashboard authentication to use inline basicauth like Scrapy instead of external .htpasswd file: Changes: - Updated proxy labels to use basicauth.users=${PROXY_AUTH_USERS} - Removed .htpasswd file and auth directory - Removed dashboard-auth middleware from security.yaml - Removed .htpasswd volume mount from compose.yaml Benefits: - Consistent with Scrapy authentication pattern - Simpler configuration (no external files) - Auth credentials managed centrally via .env Dashboard accessible at: https://proxy.pivoine.art Credentials: valknar / ragnarok98 (via PROXY_AUTH_USERS) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-06 08:35:43 +01:00
Sebastian Krüger	ec76db69ed	feat: add Traefik dashboard at proxy.pivoine.art with basic auth Added secure access to Traefik dashboard: Dashboard Configuration: - Enabled Traefik API and dashboard - Configured router for proxy.pivoine.art - Secured with HTTP Basic Auth middleware Security: - Created .htpasswd file with bcrypt credentials - Added dashboard-auth middleware to dynamic/security.yaml - Mounted .htpasswd file read-only in container - Dashboard only accessible via HTTPS with valid credentials Environment Updates: - Added PROXY_AUTH_USERS to .env (htpasswd hash) - Added PROXY_TRAEFIK_HOST to arty.yml Dashboard accessible at: https://proxy.pivoine.art 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-06 08:17:42 +01:00
Sebastian Krüger	b420f1d4bf	feat: add comprehensive Traefik security hardening Added security enhancements to Traefik reverse proxy: TLS Security: - Minimum TLS 1.2 enforced - Strong cipher suites (ECDHE, AES-GCM, ChaCha20) - Modern curve preferences (P-521, P-384) - SNI strict mode enabled HTTP Security Headers: - HSTS with 1-year max-age, includeSubdomains, and preload - X-Frame-Options: SAMEORIGIN (clickjacking protection) - X-XSS-Protection enabled - X-Content-Type-Options: nosniff - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy (disable camera, mic, geolocation, etc.) - X-Robots-Tag for SEO control Rate Limiting Middlewares: - General: 100 req/s average, 50 burst - API endpoints: 30 req/s average, 15 burst Configuration: - Enabled Traefik file provider for dynamic config - Security headers applied globally to web-secure entrypoint - Dynamic config in proxy/dynamic/security.yaml - Auto-reloads on config changes All HTTPS traffic now benefits from enhanced security headers. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-04 23:20:34 +01:00

Author

SHA1

Message

Date

Sebastian Krüger

d3850e559a

refactor: use inline basicauth for Traefik dashboard

Changed dashboard authentication to use inline basicauth
like Scrapy instead of external .htpasswd file:

**Changes:**
- Updated proxy labels to use basicauth.users=${PROXY_AUTH_USERS}
- Removed .htpasswd file and auth directory
- Removed dashboard-auth middleware from security.yaml
- Removed .htpasswd volume mount from compose.yaml

**Benefits:**
- Consistent with Scrapy authentication pattern
- Simpler configuration (no external files)
- Auth credentials managed centrally via .env

Dashboard accessible at: https://proxy.pivoine.art
Credentials: valknar / ragnarok98 (via PROXY_AUTH_USERS)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-06 08:35:43 +01:00

Sebastian Krüger

ec76db69ed

feat: add Traefik dashboard at proxy.pivoine.art with basic auth

Added secure access to Traefik dashboard:

**Dashboard Configuration:**
- Enabled Traefik API and dashboard
- Configured router for proxy.pivoine.art
- Secured with HTTP Basic Auth middleware

**Security:**
- Created .htpasswd file with bcrypt credentials
- Added dashboard-auth middleware to dynamic/security.yaml
- Mounted .htpasswd file read-only in container
- Dashboard only accessible via HTTPS with valid credentials

**Environment Updates:**
- Added PROXY_AUTH_USERS to .env (htpasswd hash)
- Added PROXY_TRAEFIK_HOST to arty.yml

Dashboard accessible at: https://proxy.pivoine.art

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-06 08:17:42 +01:00

Sebastian Krüger

b420f1d4bf

feat: add comprehensive Traefik security hardening

Added security enhancements to Traefik reverse proxy:

**TLS Security:**
- Minimum TLS 1.2 enforced
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- Modern curve preferences (P-521, P-384)
- SNI strict mode enabled

**HTTP Security Headers:**
- HSTS with 1-year max-age, includeSubdomains, and preload
- X-Frame-Options: SAMEORIGIN (clickjacking protection)
- X-XSS-Protection enabled
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (disable camera, mic, geolocation, etc.)
- X-Robots-Tag for SEO control

**Rate Limiting Middlewares:**
- General: 100 req/s average, 50 burst
- API endpoints: 30 req/s average, 15 burst

**Configuration:**
- Enabled Traefik file provider for dynamic config
- Security headers applied globally to web-secure entrypoint
- Dynamic config in proxy/dynamic/security.yaml
- Auto-reloads on config changes

All HTTPS traffic now benefits from enhanced security headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-04 23:20:34 +01:00

3 Commits