(docker) making security settings of traefik on par with nginx

author: Rigel Kent <sendmemail@rigelk.eu> 2018-06-02 13:41:38 +0200
committer: Rigel Kent <par@rigelk.eu> 2018-06-04 23:14:26 +0200
commit: 1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb (patch)
tree: d09eceb04958ae8cc4989181ff2aefbaefdfc865
parent: 049539eb4cd0dc237ea7c491ecba43da990b04eb (diff)
download: PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.tar.gz
PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.tar.zst
PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.zip
1 files changed, 23 insertions, 0 deletions
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
index 775a26515..882c95548 100644
--- a/support/docker/production/config/traefik.toml
+++ b/support/docker/production/config/traefik.toml
@@ -7,6 +7,29 @@ defaultEntryPoints = ["http", "https"]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
+    MinVersion = "VersionTLS12"
+    CurvePreferences = [
+      "CurveP521",
+      "CurveP384",
+      "CurveP256"
+    ]
+    PreferServerCipherSuites = true
+    CipherSuites = [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_256_CBC_SHA"
+    ]
+    FrameDeny = false # here we don't want to deny frames since we have an embed
+    STSIncludeSubdomains = true
+    STSSeconds = 315360000
+    STSPreload = true
+    ContentTypeNosniff = true
+    BrowserXssFilter = true
 # Enable ACME (Let's Encrypt): automatic SSL.
 [acme]
author	Rigel Kent <sendmemail@rigelk.eu>	2018-06-02 13:41:38 +0200
committer	Rigel Kent <par@rigelk.eu>	2018-06-04 23:14:26 +0200
commit	1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb (patch)
tree	d09eceb04958ae8cc4989181ff2aefbaefdfc865
parent	049539eb4cd0dc237ea7c491ecba43da990b04eb (diff)
download	PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.tar.gz PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.tar.zst PeerTube-1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb.zip

diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml index 775a26515..882c95548 100644 --- a/support/docker/production/config/traefik.toml +++ b/support/docker/production/config/traefik.toml
@@ -7,6 +7,29 @@ defaultEntryPoints = ["http", "https"]
7	[entryPoints.https]	7	[entryPoints.https]
8	address = ":443"	8	address = ":443"
9	[entryPoints.https.tls]	9	[entryPoints.https.tls]
		10	MinVersion = "VersionTLS12"
		11	CurvePreferences = [
		12	"CurveP521",
		13	"CurveP384",
		14	"CurveP256"
		15	]
		16	PreferServerCipherSuites = true
		17	CipherSuites = [
		18	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		19	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
		20	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		21	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		22	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		23	"TLS_RSA_WITH_AES_256_GCM_SHA384",
		24	"TLS_RSA_WITH_AES_256_CBC_SHA"
		25	]
		26	FrameDeny = false # here we don't want to deny frames since we have an embed
		27	STSIncludeSubdomains = true
		28	STSSeconds = 315360000
		29	STSPreload = true
		30	ContentTypeNosniff = true
		31	BrowserXssFilter = true
		32
10		33
11	# Enable ACME (Let's Encrypt): automatic SSL.	34	# Enable ACME (Let's Encrypt): automatic SSL.
12	[acme]	35	[acme]