Adds more secure TLS defaults (min. TLS v1.2, strong ciphers, prevents downgrade attacks on TLS and DTLS)

2020-04-04 23:39:30 +02:00 · 2020-04-04 23:39:30 +02:00 · f0825a10c1
commit f0825a10c1
parent fa2bc834ef
4 changed files with 39 additions and 3 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -9,6 +9,23 @@
    group: '{{ docker_user }}'
  tags: config

+- name: Ensure traefik rules directory exists
+  file:
+    path: /home/{{ docker_user }}/traefik/rules
+    state: directory
+    owner: '{{ docker_user }}'
+    group: '{{ docker_user }}'
+  tags: config
+
+- name: Provide TLS default options
+  template:
+    src: templates/t2-rules-tls-options.toml.j2
+    dest: /home/{{ docker_user }}/traefik/rules/tls-options.toml
+    owner: "{{ docker_user }}"
+    group: "{{ docker_user }}"
+    mode: '0644'
+  tags: config
+
 - name: Provide docker-compose.yml
  template:
    src: templates/docker-compose.traefik.yml.j2
--- a/templates/docker-compose.traefik.yml.j2
+++ b/templates/docker-compose.traefik.yml.j2
@ -28,6 +28,7 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/{{ docker_user }}/traefik/traefik.toml:/traefik.toml
      - /home/{{ docker_user }}/traefik/acme.json:/acme.json
+      - /home/{{ docker_user }}/traefik/rules:/rules
 {% if traefik.expose_externally | default(False) %}
    labels:
      - "traefik.enable=true"
--- a/templates/t2-rules-tls-options.toml.j2
+++ b/templates/t2-rules-tls-options.toml.j2
@ -0,0 +1,17 @@
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+    sniStrict = true
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
+  ]
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
--- a/templates/traefik.toml.j2
+++ b/templates/traefik.toml.j2
@ -18,13 +18,14 @@ defaultEntryPoints = ["web", "websecure"]
 #  dashboard = true
 #  insecure = true

-[file]
-watch = true
-
 [providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false

+[providers.file]
+  directory = "/rules"
+  watch = true
+
 {% if traefik.enable_acme %}
 [certificatesResolvers.defaultresolver.acme]
 {% if traefik.use_acme_staging %}