created traefik tls file for prod and block tls 1.0 and 1.1 (#40)

Islandora-Devops · May 29, 2024 · 4ac3d57 · 4ac3d57
1 parent 5745dfb
commit 4ac3d57
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/tls.yml → dev-tls.yml b/tls.yml → dev-tls.yml
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -627,7 +627,7 @@ services:
             - label=type:container_runtime_t # Required for selinux to access the docker socket.
         volumes:
             - ./certs:/etc/ssl/traefik:Z,ro
-            - ./tls.yml:/etc/traefik/tls.yml:Z,ro
+            - ./dev-tls.yml:/etc/traefik/tls.yml:Z,ro
             - /var/run/docker.sock:/var/run/docker.sock:z
         networks:
             default:
@@ -664,6 +664,7 @@ services:
             --entryPoints.http.address=:80
             --entryPoints.https.address=:443
             --entrypoints.https.http.tls.certResolver=resolver
+            --providers.file.filename=/etc/traefik/tls.yml
             --providers.docker
             --providers.docker.network=default
             --providers.docker.exposedByDefault=false
@@ -677,6 +678,7 @@ services:
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock:z,rw
             - ./certs:/acme:Z
+            - ./prod-tls.yml:/etc/traefik/tls.yml:Z,ro
         networks:
             default:
                 aliases:

diff --git a/prod-tls.yml b/prod-tls.yml
@@ -0,0 +1,10 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA