(docker) making security settings of traefik on par with nginx
authorRigel Kent <sendmemail@rigelk.eu>
Sat, 2 Jun 2018 11:41:38 +0000 (13:41 +0200)
committerRigel Kent <par@rigelk.eu>
Mon, 4 Jun 2018 21:14:26 +0000 (23:14 +0200)
support/docker/production/config/traefik.toml

index 775a26515fcd2f3c3f28cc99ff8b709fb9f23d69..882c9554866e1123ab9e5f1f43f1c747885cfe33 100644 (file)
@@ -7,6 +7,29 @@ defaultEntryPoints = ["http", "https"]
   [entryPoints.https]
   address = ":443"
     [entryPoints.https.tls]
+    MinVersion = "VersionTLS12"
+    CurvePreferences = [
+      "CurveP521",
+      "CurveP384",
+      "CurveP256"
+    ]
+    PreferServerCipherSuites = true
+    CipherSuites = [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_256_CBC_SHA"
+    ]
+    FrameDeny = false # here we don't want to deny frames since we have an embed
+    STSIncludeSubdomains = true
+    STSSeconds = 315360000
+    STSPreload = true
+    ContentTypeNosniff = true
+    BrowserXssFilter = true
+
 
 # Enable ACME (Let's Encrypt): automatic SSL.
 [acme]
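Review bot: The six header options at the end of the added block (`FrameDeny` through `BrowserXssFilter`) sit inside `[entryPoints.https.tls]`, which in Traefik 1.x holds TLS parameters only. As far as I know, these security headers are per-frontend settings (a `[frontends.NAME.headers]` table or `traefik.frontend.headers.*` container labels), and unrecognised keys are likely dropped without an error, so HSTS and nosniff may never be sent; checking the response headers of the running proxy would confirm it. It is also worth verifying that `CurvePreferences` and `PreferServerCipherSuites` are accepted by the Traefik version this image uses, for the same reason. Separately, the two `TLS_RSA_WITH_*` entries in `CipherSuites` offer no forward secrecy and the `*_CBC_SHA` entries are legacy, so if they stay for old clients I would say so in a comment such as `# static-RSA and CBC suites kept only for legacy clients`. `STSPreload = true` combined with `STSIncludeSubdomains` and a ten-year `STSSeconds` is hard to undo once the domain is on a preload list, which deserves a one-line comment next to those keys.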