Added security headers; organized labels by type and in alphabetical order

templates/Nextcloud/0/docker-compose.yml

@@ -40,41 +40,35 @@ services:
       io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
       {{- end}}
 #      io.rancher.sidekicks: cron
+      ### Begin Traefik Configuration
       traefik.enable: true
+      # Routers
       traefik.http.routers.nextcloud-router-http.entrypoints: http
       traefik.http.routers.nextcloud-router-http.rule: Host(`${TRAEFIK_HOST}`)
       traefik.http.routers.nextcloud-router-http.middlewares: nextcloud-redirectHttp
       traefik.http.routers.nextcloud-router-http.service: nextcloud-service
       traefik.http.routers.nextcloud-router-https.entrypoints: https
       traefik.http.routers.nextcloud-router-https.rule: Host(`${TRAEFIK_HOST}`)
-      traefik.http.routers.nextcloud-router-https.middlewares: nextcloud-redirectDav
+      traefik.http.routers.nextcloud-router-https.middlewares: nextcloud-redirectDav, nextcloud-security
       traefik.http.routers.nextcloud-router-https.tls: true
       traefik.http.routers.nextcloud-router-https.tls.certresolver: letsencrypt
       traefik.http.routers.nextcloud-router-https.service: nextcloud-service
-      traefik.http.services.nextcloud-service.loadbalancer.server.port: "80"
-      traefik.http.services.nextcloud-service.loadbalancer.passhostheader: true
-      traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.scheme: https
-      traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.permanent: false # While testing
+      # Middlewares
+      traefik.http.middlewares.nextcloud-redirectDav.redirectregex.permanent: true
       traefik.http.middlewares.nextcloud-redirectDav.redirectregex.regex: /.well-known/(card|cal)dav
       traefik.http.middlewares.nextcloud-redirectDav.redirectregex.replacement: /remote.php/dav/
-# Will come back to finish the conversion to Traefik v2 later
-#      ### Start Web UI Segment
-#      traefik.frontend.entryPoints: http,https
-#     traefik.frontend.headers.forceSTSHeader: true
-#      traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information)
-#      traefik.frontend.headers.SSLRedirect: true
-#      traefik.frontend.headers.STSIncludeSubdomains: true
-#      traefik.frontend.headers.STSPreload: true
-#      traefik.frontend.headers.STSSeconds: 15552000
-#      traefik.frontend.passHostHeader: true
-#      traefik.frontend.rule: Host:${TRAEFIK_HOST}
-#      traefik.port: "80"
-#      ### End Web UI Segment
-#      ### Start CalDAV/CardDAV Redirect Segment
-#      traefik.frontend.redirect.permanent: true
-#      traefik.frontend.redirect.regex: https://(.*)/.well-known/(card|cal)dav
-#      traefik.frontend.redirect.replacement: https://${TRAEFIK_HOST}/remote.php/dav/
-      ### End CalDAV/CardDAV Redirect Segment
+      traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.permanent: true
+      traefik.http.middlewares.nextcloud-redirectHttp.redirectscheme.scheme: https
+      traefik.http.middlewares.nextcloud-security.headers.forceSTSHeader: true
+      traefik.http.middlewares.nextcloud-security.headers.referrerPolicy: no-referrer # Prevents leaking of referer information
+      traefik.http.middlewares.nextcloud-security.headers.sslredirect: true # Maybe good for redundancy?
+      traefik.http.middlewares.nextcloud-security.headers.stsIncludeSubdomains: true
+      traefik.http.middlewares.nextcloud-security.headers.stsPreload: true
+      traefik.http.middlewares.nextcloud-security.headers.stsSeconds: "15552000"
+      # Services
+      traefik.http.services.nextcloud-service.loadbalancer.passhostheader: true
+      traefik.http.services.nextcloud-service.loadbalancer.server.port: "80"
+      ### End Traefik Configuration
     links:
       - mysql
       {{- if eq .Values.REDIS "true"}}