valknar/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ec76db69ed7a9403f9601511b5cee295339ab13e
docker-compose/proxy/dynamic/security.yaml
Sebastian Krüger ec76db69ed feat: add Traefik dashboard at proxy.pivoine.art with basic auth 
Added secure access to Traefik dashboard:

**Dashboard Configuration:**
- Enabled Traefik API and dashboard
- Configured router for proxy.pivoine.art
- Secured with HTTP Basic Auth middleware

**Security:**
- Created .htpasswd file with bcrypt credentials
- Added dashboard-auth middleware to dynamic/security.yaml
- Mounted .htpasswd file read-only in container
- Dashboard only accessible via HTTPS with valid credentials

**Environment Updates:**
- Added PROXY_AUTH_USERS to .env (htpasswd hash)
- Added PROXY_TRAEFIK_HOST to arty.yml

Dashboard accessible at: https://proxy.pivoine.art

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 08:17:42 +01:00

67 lines
1.8 KiB
YAML
Raw Blame History

tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
http:
middlewares:
# Security Headers Middleware
security-headers:
headers:
# HSTS (HTTP Strict Transport Security)
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
# Force HTTPS
forceSTSHeader: true
# Clickjacking protection
customFrameOptionsValue: "SAMEORIGIN"
# XSS Protection
browserXssFilter: true
# Content Type sniffing protection
contentTypeNosniff: true
# Referrer Policy
referrerPolicy: "strict-origin-when-cross-origin"
# Permissions Policy (formerly Feature Policy)
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"
X-Content-Type-Options: "nosniff"
X-Frame-Options: "SAMEORIGIN"
# Rate Limiting Middleware (optional, can be applied per service)
rate-limit:
rateLimit:
average: 100
burst: 50
period: 1s
# Rate Limiting for API endpoints (stricter)
api-rate-limit:
rateLimit:
average: 30
burst: 15
period: 1s
# Basic Auth for Traefik Dashboard
dashboard-auth:
basicAuth:
usersFile: /etc/traefik/.htpasswd
Reference in New Issue View Git Blame Copy Permalink