Erste Blog-Optimierung – TLS 1.2
05.11.21
Nachdem ich WordPress den Rücken gekehrt habe, um meinen Blog mit Gatsby umzusetzen, kommen natürlich andere Herausforderungen auf mich zu. Die erste Herausforderung war, meine Let's Encrypt – Traefik-Anbindung auf einen "A"-Status bei SSLLabs zu heben.
Ich hatte eine schlechte Bewertung bekommen, da mein Traefik TLS 1.0 und 1.1 unterstützt hat. Am 31.01.2020 hat SSLLabs diese Konfiguration auf maximal Grade B begrenzt (gecapped).
Die folgende Konfiguration hat mir geholfen, bei SSLLabs Grade "A" zu bekommen.
static.yml
# Traefik v2 static configuration (mounted into the container as /traefik.yml).
api:
  # insecure=true would publish the API/dashboard unauthenticated on the
  # "traefik" entrypoint (:8080); keep all three off on an internet-facing host.
  insecure: false
  dashboard: false
  debug: false
providers:
  docker:
    # Docker API is reached through the socket-proxy container instead of a
    # directly mounted /var/run/docker.sock.
    endpoint: "tcp://socket-proxy:2375"
    watch: true
    # Containers are only routed when they opt in with traefik.enable=true.
    exposedbydefault: false
  file:
    watch: true
    # Dynamic configuration directory; dynamic.yml with the TLS options is
    # mounted here by docker-compose.
    directory: "/etc/traefik/"
entryPoints:
  http:
    address: ":80"
  httpsecure:
    address: ":443"
  ssh:
    address: ":2222"
certificatesresolvers:
  le:
    acme:
      # Staging CA and a separate storage file, kept for experimenting
      # without hitting Let's Encrypt's production rate limits.
      #caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
      #storage: "acme2.json"
      # Relative to the container working directory (/acme.json). The file
      # holds the private keys; Traefik refuses it unless it is mode 600.
      storage: "acme.json"
      # HTTP-01 challenge answered on the plain :80 entrypoint, so that
      # entrypoint must stay reachable from the internet.
      httpchallenge:
        entrypoint: "http"
dynamic.yml
# Traefik v2 dynamic configuration: the "default" TLS option set applies to
# every TLS router that does not select a different option set.
tls:
  options:
    default:
      # TLS 1.0/1.1 are no longer negotiated; this is the change that lifts
      # the SSL Labs grade from B to A.
      minVersion: VersionTLS12
      # TLS 1.2: only ECDHE key exchange (forward secrecy) with AEAD ciphers.
      # Only *_RSA_* suites are listed, which matches the RSA certificates
      # Traefik's ACME resolver issues by default; an ECDSA certificate would
      # need the ECDHE_ECDSA counterparts.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        # TLS 1.3 suites are not configurable in Go's crypto/tls; the three
        # entries below document intent but do not restrict anything.
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      # ECDHE curves limited to P-521/P-384; X25519 and P-256 are deliberately
      # absent (stricter than Go's defaults, modern browsers still negotiate P-384).
      curvePreferences:
        - CurveP521
        - CurveP384
      # Reject handshakes whose SNI does not match a known certificate instead
      # of falling back to the default certificate.
      sniStrict: true
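version: '3'
services:
  socket-proxy:
    # Brokers Docker API access for Traefik so the raw socket is never mounted
    # into the internet-facing container. CONTAINERS=1 allows only the
    # /containers endpoint; the proxy denies everything else by default.
    image: tecnativa/docker-socket-proxy
    container_name: socket-proxy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Quoted so the value is passed as the string "1", not an integer.
      CONTAINERS: "1"
    networks:
      # NOTE(review): every container attached to "proxy" can reach
      # socket-proxy:2375 and list containers; a dedicated network shared
      # only with reverse-proxy would narrow that.
      proxy:
  reverse-proxy:
    restart: always
    # The official v2 Traefik docker image
    image: traefik:v2.5
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Letsencrypt acme file ! Include in secure Backup !
      # Must be chmod 600 on the host; Traefik refuses more open permissions.
      - ./letsencrypt/acme.json:/acme.json
      # Traefik Config Files
      - ./traefik/static.yml:/traefik.yml
      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml
    networks:
      proxy:
    labels:
      - traefik.enable=true
      # Middlewares: scheme redirect to https, and security headers
      # (HSTS for one year incl. subdomains and preload, X-Frame-Options DENY).
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.security-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.security-headers.headers.stsPreload=true
      - traefik.http.middlewares.security-headers.headers.forceSTSHeader=true
      - traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.security-headers.headers.frameDeny=true
      # Catch-all on :80 -> redirect everything to https.
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=http
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https,security-headers
      # Catch-all on :443. Middlewares apply per router, so each service's own
      # router must reference security-headers as well. NOTE(review): this
      # router has no tls label; verify with `curl -I https://<host>` that
      # Strict-Transport-Security really arrives on HTTPS responses.
      - traefik.http.routers.https-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.https-catchall.entrypoints=httpsecure
      - traefik.http.routers.https-catchall.middlewares=security-headers
    environment:
      # Fixed: the item was "...EMAIL= '${LETS_ENCRYPT_EMAIL}'". In list form
      # compose splits on the first "=" and keeps the rest verbatim, so the
      # leading space and the single quotes became part of the ACME email.
      # NOTE(review): Traefik documents file, CLI and env static configuration
      # as mutually exclusive; with static.yml mounted, confirm this email
      # shows up in the registration stored in acme.json — otherwise set
      # "email:" under certificatesresolvers.le.acme in static.yml instead.
      - "TRAEFIK_CERTIFICATESRESOLVERS_le_ACME_EMAIL=${LETS_ENCRYPT_EMAIL}"
networks:
  proxy:
    external: true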