traefik security configuration
# TLS and other security settings for Traefik.
#
# https://twitter.com/wbolster/status/1361813865303056386
#
# At the time of writing (2021-02), this results in
# an A+ rating from Qualys SSL Labs. See
# https://www.ssllabs.com/ssltest/ for details.
#
# Note: these settings are for the *dynamic* configuration!
# (i.e. what the file provider loads), not the static entrypoint
# configuration. Option and middleware names are referenced by
# routers, so renaming any of them requires updating those references.
#
# "default" is special: Traefik applies this options set to every TLS
# router that does not name an explicit tls.options entry.
[tls.options.default]
# Reject TLS 1.0 and 1.1 handshakes outright.
minVersion = "VersionTLS12"
# Refuse ClientHellos without a (matching) SNI name instead of
# silently serving the default certificate.
sniStrict = true
# Explicit allow-list: forward-secret (ECDHE) AEAD suites only -- no
# CBC, no static RSA key exchange, no 3DES/RC4. Names follow Go's
# crypto/tls constants, which is what Traefik uses underneath.
cipherSuites = [
# TLS 1.3
# NOTE(review): Go's TLS stack does not let the server configure TLS
# 1.3 suites; these three entries are presumably accepted for
# documentation value only and have no effect -- confirm against the
# Traefik version in use.
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_CHACHA20_POLY1305_SHA256",
# TLS 1.2
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
# Downgrade attack prevention (RFC 7507)
# NOTE(review): this is a signalling value, not a real cipher suite.
# Go's TLS server honours the fallback SCSV on its own, so the entry is
# presumably redundant; newer Traefik releases may also reject it as an
# unknown suite name -- drop it if the file provider logs an error.
"TLS_FALLBACK_SCSV",
]
# One named chain so routers only have to reference "secured" rather
# than listing both middlewares themselves.
[http.middlewares.secured.chain]
middlewares = ["https-only", "security-headers"]
# Redirect plain-HTTP requests to HTTPS.
# NOTE(review): a redirect middleware only acts on requests that actually
# arrive over HTTP. On a router bound solely to the "websecure"
# entrypoint (as in the example router below) it never fires; attach it
# to a router on the HTTP entrypoint as well, or use entrypoint-level
# redirection in the static configuration.
[http.middlewares.https-only.redirectScheme]
scheme = "https"
# Response security headers added to every reply passing through the chain.
[http.middlewares.security-headers.headers]
# Emits "X-XSS-Protection: 1; mode=block".
# NOTE(review): this legacy header is ignored by current browsers and
# OWASP now recommends against enabling it (the filter itself has been
# used as an information-leak side channel); a Content-Security-Policy
# is the modern replacement -- confirm nothing downstream expects it.
browserXssFilter = true
# Emits "X-Content-Type-Options: nosniff" (no MIME sniffing).
contentTypeNosniff = true
# Add the Strict-Transport-Security header even when Traefik does not
# see the request as TLS itself (e.g. behind a TLS-terminating proxy).
forceSTSHeader = true
# Emits "X-Frame-Options: DENY" -- no framing at all (clickjacking defence).
frameDeny = true
# Emits "Referrer-Policy: same-origin".
referrerPolicy = "same-origin"
# Header-middleware HTTPS redirect. Overlaps with the "https-only"
# redirectScheme middleware above and shares its entrypoint caveat;
# presumably harmless but redundant.
sslRedirect = true
# HSTS max-age in seconds (one year). includeSubDomains/preload are not
# set here, so the policy is scoped to this exact host only.
stsSeconds = 31536000
# Use it like this:
# Example router: HTTPS entrypoint only, the "secured" chain, and a
# certificate from an ACME resolver named "myresolver" (which must exist
# in the static configuration). Adjust the rule/service to your own.
[http.routers.foo]
entrypoints = ["websecure"]
middlewares = ["secured"]
rule = "Host(`foo.example.com`)"
service = "foo"
# Enables TLS on the router; no explicit options set is named, so the
# "default" tls.options above are used.
[http.routers.foo.tls]
certResolver = "myresolver"