From 8da6799587e203721ec9c9955d7eac2498ba65a0 Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Sun, 10 Nov 2019 16:07:36 -0500
Subject: [PATCH] Added security headers; organized labels by type and in alphabetical order
---
templates/Nextcloud/0/docker-compose.yml | 40 ++++++++++--------------
1 file changed, 17 insertions(+), 23 deletions(-)
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index 8f208b0..b68fc71 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -40,41 +40,35 @@ services:
 io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
 {{- end}}
 # io.rancher.sidekicks: cron
+ ### Begin Traefik Configuration
 traefik.enable: true
+ # Routers
 traefik.http.routers.nextcloud-router-http.entrypoints: http
 traefik.http.routers.nextcloud-router-http.rule: Host(`${TRAEFIK_HOST}`)
 traefik.http.routers.nextcloud-router-http.middlewares: nextcloud-redirectHttp
 traefik.http.routers.nextcloud-router-http.service: nextcloud-service
 traefik.http.routers.nextcloud-router-https.entrypoints: https
 traefik.http.routers.nextcloud-router-https.rule: Host(`${TRAEFIK_HOST}`)
- traefik.http.routers.nextcloud-router-https.middlewares: nextcloud-redirectDav
+ traefik.http.routers.nextcloud-router-https.middlewares: nextcloud-redirectDav, nextcloud-security
 traefik.http.routers.nextcloud-router-https.tls: true
 traefik.http.routers.nextcloud-router-https.tls.certresolver: letsencrypt
 traefik.http.routers.nextcloud-router-https.service: nextcloud-service
- traefik.http.services.nextcloud-service.loadbalancer.server.port: "80"
- traefik.http.services.nextcloud-service.loadbalancer.passhostheader: true
- traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.scheme: https
- traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.permanent: false # While testing
+ # Middlewares
+ traefik.http.middlewares.nextcloud-redirectDav.redirectregex.permanent: true
 traefik.http.middlewares.nextcloud-redirectDav.redirectregex.regex: /.well-known/(card|cal)dav
 traefik.http.middlewares.nextcloud-redirectDav.redirectregex.replacement: /remote.php/dav/
-# Will come back to finish the conversion to Traefik v2 later
-# ### Start Web UI Segment
-# traefik.frontend.entryPoints: http,https
-# traefik.frontend.headers.forceSTSHeader: true
-# traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information)
-# traefik.frontend.headers.SSLRedirect: true
-# traefik.frontend.headers.STSIncludeSubdomains: true
-# traefik.frontend.headers.STSPreload: true
-# traefik.frontend.headers.STSSeconds: 15552000
-# traefik.frontend.passHostHeader: true
-# traefik.frontend.rule: Host:${TRAEFIK_HOST}
-# traefik.port: "80"
-# ### End Web UI Segment
-# ### Start CalDAV/CardDAV Redirect Segment
-# traefik.frontend.redirect.permanent: true
-# traefik.frontend.redirect.regex: https://(.*)/.well-known/(card|cal)dav
-# traefik.frontend.redirect.replacement: https://${TRAEFIK_HOST}/remote.php/dav/
- ### End CalDAV/CardDAV Redirect Segment
+ traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.permanent: true
+ traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.scheme: https
+ traefik.http.middlewares.nextcloud-security.headers.forceSTSHeader: true
+ traefik.http.middlewares.nextcloud-security.headers.referrerPolicy: no-referrer # Prevents leaking of referer information
+ traefik.http.middlewares.nextcloud-security.headers.sslredirect: true # Maybe good for redundancy?
+ traefik.http.middlewares.nextcloud-security.headers.stsIncludeSubdomains: true
+ traefik.http.middlewares.nextcloud-security.headers.stsPreload: true
+ traefik.http.middlewares.nextcloud-security.headers.stsSeconds: "15552000"
+ # Services
+ traefik.http.services.nextcloud-service.loadbalancer.passhostheader: true
+ traefik.http.services.nextcloud-service.loadbalancer.server.port: "80"
+ ### End Traefik Configuration
 links:
 - mysql
 {{- if eq .Values.REDIS "true"}}
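Review bot: The new `nextcloud-security` middleware sets `stsPreload: true` together with `stsIncludeSubdomains: true` but an `stsSeconds` of 15552000 (180 days), which is below the one-year max-age the HSTS preload list requires, so the preload flag accomplishes nothing while still advertising a commitment that is effectively irreversible once submitted — every subdomain of `${TRAEFIK_HOST}` would have to serve HTTPS from then on. Either raise the max-age to match the flag, `traefik.http.middlewares.nextcloud-security.headers.stsSeconds: "31536000"`, or drop `stsPreload` until that commitment is made deliberately; the `forceSTSHeader` and `stsIncludeSubdomains` settings are fine on their own. Separately, `sslredirect: true # Maybe good for redundancy?` is attached only to `nextcloud-router-https`, so it never sees a plain-HTTP request and the HTTP→HTTPS hop is already handled by `nextcloud-redirectHttp` on the http router; it can be removed rather than left as a question in the file. The `labels:` mapping these entries belong to starts before the hunk.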