Implement security HTTP headers' middleware

This commit is contained in:
Kris Lamoureux 2020-09-04 00:27:06 -04:00
parent d4293d3c59
commit 1823318e51
Signed by: kris
GPG Key ID: 3EDA9C3441EDA925
5 changed files with 22 additions and 8 deletions

View File

@ -33,6 +33,7 @@
traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
traefik.http.routers.nextcloud.entrypoints: websecure
traefik.http.routers.nextcloud.tls.certresolver: resolver
traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"

View File

@ -2,6 +2,8 @@ traefik_name: traefik
traefik_dashboard: false
traefik_root: "/opt/{{ traefik_name }}"
traefik_production: false
traefik_hsts_preload: false
traefik_hsts_seconds: 0
traefik_ports:
- "80:80"
- "443:443"

View File

@ -1,4 +0,0 @@
tls:
options:
default:
minVersion: VersionTLS12

View File

@ -9,10 +9,10 @@
dest: "{{ traefik_root }}/config/traefik.yml"
notify: restart_traefik
- name: Install dynamic Traefik configuration
copy:
src: tls.yml
dest: "{{ traefik_root }}/config/dynamic/tls.yml"
- name: Install dynamic security configuration
template:
src: security.yml.j2
dest: "{{ traefik_root }}/config/dynamic/security.yml"
owner: root
group: root
mode: 0600

View File

@ -0,0 +1,15 @@
tls:
options:
default:
minVersion: VersionTLS12
http:
middlewares:
securehttps:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
stsPreload: {{ traefik_hsts_preload }}
stsSeconds: {{ traefik_hsts_seconds }}