jotbe/ansible-role-traefik-docker
1
0
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

Adds more secure TLS defaults (min. TLS v1.2, strong ciphers, prevents downgrade attacks on TLS and DTLS)

Browse source
This commit is contained in:
Jan Beilicke 2020-04-04 23:39:30 +02:00
parent fa2bc834ef
commit f0825a10c1
4 changed files with 39 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
tasks/main.yml
View file

@ -9,6 +9,23 @@
group: '{{ docker_user }}' group: '{{ docker_user }}'
tags: config tags: config
- name: Ensure traefik rules directory exists
file:
path: /home/{{ docker_user }}/traefik/rules
state: directory
owner: '{{ docker_user }}'
group: '{{ docker_user }}'
tags: config
- name: Provide TLS default options
template:
src: templates/t2-rules-tls-options.toml.j2
dest: /home/{{ docker_user }}/traefik/rules/tls-options.toml
owner: "{{ docker_user }}"
group: "{{ docker_user }}"
mode: '0644'
tags: config
- name: Provide docker-compose.yml - name: Provide docker-compose.yml
template: template:
src: templates/docker-compose.traefik.yml.j2 src: templates/docker-compose.traefik.yml.j2

1
templates/docker-compose.traefik.yml.j2
View file

@ -28,6 +28,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- /home/{{ docker_user }}/traefik/traefik.toml:/traefik.toml - /home/{{ docker_user }}/traefik/traefik.toml:/traefik.toml
- /home/{{ docker_user }}/traefik/acme.json:/acme.json - /home/{{ docker_user }}/traefik/acme.json:/acme.json
- /home/{{ docker_user }}/traefik/rules:/rules
{% if traefik.expose_externally | default(False) %} {% if traefik.expose_externally | default(False) %}
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"

17
templates/t2-rules-tls-options.toml.j2 Normal file
View file

@ -0,0 +1,17 @@
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
]
[tls.options.mintls13]
minVersion = "VersionTLS13"

7
templates/traefik.toml.j2
View file

@ -18,13 +18,14 @@ defaultEntryPoints = ["web", "websecure"]
# dashboard = true # dashboard = true
# insecure = true # insecure = true
[file]
watch = true
[providers.docker] [providers.docker]
endpoint = "unix:///var/run/docker.sock" endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false exposedByDefault = false
[providers.file]
directory = "/rules"
watch = true
{% if traefik.enable_acme %} {% if traefik.enable_acme %}
[certificatesResolvers.defaultresolver.acme] [certificatesResolvers.defaultresolver.acme]
{% if traefik.use_acme_staging %} {% if traefik.use_acme_staging %}