Merge branch 'traefik-refactoring'

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '3'
+version: "3.7"
 
 services:
     traefik:
@@ -11,16 +11,10 @@ services:
             - "443:443"
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock
-            - ./traefik:/etc/traefik
-            - configtraefik:/config
+            - ./traefik:/etc/traefik:ro
+            - configtraefik:/config:ro
         labels:
             - "traefik.enable=true"
-            # HTTP to HTTPS redirection
-            - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
-            - "traefik.http.routers.http_catchall.entrypoints=insecure"
-            - "traefik.http.routers.http_catchall.middlewares=https_redirect"
-            - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
-            - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
             # Docker labels for enabling Traefik dashboard
             - "traefik.http.routers.traefik.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
             - "traefik.http.routers.traefik.entrypoints=secure"

traefik/custom/middlewares.yaml

@@ -0,0 +1,13 @@
+http:
+  middlewares:
+    common-auth:
+      basicAuth:
+        usersFile: "/etc/traefik/http_auth"
+    security-headers:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 31536000

traefik/custom/tls.yaml

@@ -0,0 +1,5 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true

traefik/file-provider.yml

@@ -1,5 +0,0 @@
-http:
-  middlewares:
-    common-auth:
-      basicAuth:
-        usersFile: "/etc/traefik/http_auth"

traefik/traefik.yaml

@@ -7,13 +7,24 @@ providers:
     network: "traefik-network"
     exposedByDefault: false # Only expose explicitly enabled containers
   file:
-    filename: /etc/traefik/file-provider.yml
+    directory: /etc/traefik/custom
+    watch: true
 
 entryPoints:
   insecure:
     address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: secure
+          scheme: https
   secure:
     address: ":443"
+    http:
+      tls:
+        certResolver: le
+      middlewares:
+      - security-headers@file
 
 certificatesResolvers:
   le: