From 1823318e51cf41b49a072c979a892286f0ba8c8f Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 4 Sep 2020 00:27:06 -0400
Subject: [PATCH] Implement security HTTP headers' middleware

---
 roles/nextcloud/tasks/main.yml | 1 +
 roles/traefik/defaults/main.yml | 2 ++
 roles/traefik/files/tls.yml | 4 ----
 roles/traefik/tasks/main.yml | 8 ++++----
 roles/traefik/templates/security.yml.j2 | 15 +++++++++++++++
 5 files changed, 22 insertions(+), 8 deletions(-)
 delete mode 100644 roles/traefik/files/tls.yml
 create mode 100644 roles/traefik/templates/security.yml.j2

diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index dea40f6..aea56c6 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -33,6 +33,7 @@
 traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
 traefik.http.routers.nextcloud.entrypoints: websecure
 traefik.http.routers.nextcloud.tls.certresolver: resolver
+ traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
 traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
 traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
 traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index fd9cda1..47752e7 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -2,6 +2,8 @@ traefik_name: traefik
 traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_production: false
+traefik_hsts_preload: false
+traefik_hsts_seconds: 0
 traefik_ports:
 - "80:80"
 - "443:443"
diff --git a/roles/traefik/files/tls.yml b/roles/traefik/files/tls.yml
deleted file mode 100644
index 33c705f..0000000
--- a/roles/traefik/files/tls.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-tls:
- options:
- default:
- minVersion: VersionTLS12
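Review bot: The `sslRedirect: true` that `securehttps` brings along cannot act on this router, because the context line two above the added label pins the router to the `websecure` entrypoint only, so a plain-HTTP request on port 80 is never matched by it and never redirected. If the HTTP-to-HTTPS redirect is intended, either attach the router to both entrypoints (`traefik.http.routers.nextcloud.entrypoints: web,websecure`) or, preferably, configure the redirection once at the entrypoint level in the static traefik.yml so every router inherits it; that file is not part of this patch, so I cannot tell whether it already does. A short comment on the added label, such as `# securehttps is defined by the file provider in config/dynamic/security.yml`, would help, since a dangling `@file` reference puts the router into an error state that only the Traefik log explains.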
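Review bot: The new `traefik_hsts_preload` and `traefik_hsts_seconds` defaults are undocumented, and their interaction is the part an operator needs to know: Traefik omits the Strict-Transport-Security header entirely when `stsSeconds` is 0, so `traefik_hsts_preload: true` against the default of 0 does nothing, while `true` with a short max-age advertises a preload intent that the browser preload list rejects (it requires `includeSubDomains` and a max-age of at least one year) and that is effectively irreversible once a site is submitted. Suggest comments above the two lines: `# 0 disables the Strict-Transport-Security header; production should use at least 31536000` and `# Only enable together with stsSeconds >= 31536000 and includeSubDomains; preload cannot easily be undone`. The rendered `securehttps` middleware in security.yml.j2 also never sets `stsIncludeSubdomains`, so a companion variable (or a fixed `stsIncludeSubdomains: true`) is needed before preload can be honoured; the same point applies to the security.yml.j2 hunk and is not repeated there.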
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index fedf64b..add30d6 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -9,10 +9,10 @@
 dest: "{{ traefik_root }}/config/traefik.yml"
 notify: restart_traefik
 
-- name: Install dynamic Traefik configuration
- copy:
- src: tls.yml
- dest: "{{ traefik_root }}/config/dynamic/tls.yml"
+- name: Install dynamic security configuration
+ template:
+ src: security.yml.j2
+ dest: "{{ traefik_root }}/config/dynamic/security.yml"
 owner: root
 group: root
 mode: 0600
diff --git a/roles/traefik/templates/security.yml.j2 b/roles/traefik/templates/security.yml.j2
new file mode 100644
index 0000000..4aaa9af
--- /dev/null
+++ b/roles/traefik/templates/security.yml.j2
@@ -0,0 +1,15 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+
+http:
+ middlewares:
+ securehttps:
+ headers:
+ frameDeny: true
+ sslRedirect: true
+ browserXssFilter: true
+ contentTypeNosniff: true
+ stsPreload: {{ traefik_hsts_preload }}
+ stsSeconds: {{ traefik_hsts_seconds }}
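Review bot: Switching the destination from `dynamic/tls.yml` to `dynamic/security.yml` leaves the old file in place on hosts provisioned by the previous version of the role, and the file provider appears to load every file in that directory, so both would then define `tls.options.default` and Traefik has to resolve the conflict (in my experience it logs an error and may discard the option, silently losing the TLS 1.2 floor). Add a cleanup task ahead of this one, e.g. `- name: Remove superseded dynamic TLS configuration` / `file: path: "{{ traefik_root }}/config/dynamic/tls.yml" state: absent`, with the same `notify: restart_traefik`. The renamed task's body continues past the hunk after `mode: 0600`, so I cannot see whether it keeps a `notify:`; without one, a changed security.yml is only picked up if the file provider runs with `watch` enabled.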
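Review bot: `stsPreload: {{ traefik_hsts_preload }}` renders whatever the variable holds verbatim, so an Ansible boolean comes out as `True`, an inventory override of `yes` stays `yes`, and an empty or undefined value leaves a bare `stsPreload:` that YAML reads as null; normalising the expansion makes the generated file independent of how the variable was typed: `stsPreload: {{ traefik_hsts_preload | bool | lower }}` and `stsSeconds: {{ traefik_hsts_seconds | int }}`. A header comment stating that this file is rendered from the role template and that the middleware is consumed as `securehttps@file` would help whoever finds it under `config/dynamic/`. `browserXssFilter` emits the legacy `X-XSS-Protection` header, which current guidance treats as obsolete; `contentSecurityPolicy` in the same middleware is the replacement and is worth a follow-up, as far as the applications behind it allow.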