Add HSTS headers for all pages

2022-03-24 10:26:23 +02:00 · 2022-03-24 10:26:23 +02:00 · e0fef53231
parent e849d8d7cc
commit e0fef53231
10 changed files with 28 additions and 13 deletions
--- a/docker/authentik/docker-compose.toml
+++ b/docker/authentik/docker-compose.toml
@ -20,13 +20,14 @@ env_file = [".env"]
 networks = ["authentik", "postgres", "proxy"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.authentik-redirect.entrypoints=http",
  "traefik.http.routers.authentik-redirect.rule=Host(`sso.korhonen.cc`)",
  "traefik.http.routers.authentik-redirect.middlewares=http2https@file",
  "traefik.http.routers.authentik.entrypoints=https",
+  "traefik.http.routers.authentik.middlewares=secHeaders@file",
  "traefik.http.routers.authentik.rule=Host(`sso.korhonen.cc`)",
  "traefik.http.routers.authentik.service=authentik",
-  "traefik.docker.network=proxy",
  "traefik.http.services.authentik.loadbalancer.server.port=9000",
 ]

--- a/docker/freshrss/docker-compose.toml
+++ b/docker/freshrss/docker-compose.toml
@ -13,13 +13,14 @@ volumes = [
 ]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.freshrss-redirect.entrypoints=http",
  "traefik.http.routers.freshrss-redirect.rule=Host(`rss.korhonen.cc`)",
  "traefik.http.routers.freshrss-redirect.middlewares=http2https@file",
  "traefik.http.routers.freshrss.entrypoints=https",
+  "traefik.http.routers.freshrss.middlewares=secHeaders@file",
  "traefik.http.routers.freshrss.rule=Host(`rss.korhonen.cc`)",
  "traefik.http.routers.freshrss.service=freshrss",
-  "traefik.docker.network=proxy",
  "traefik.http.services.freshrss.loadbalancer.server.port=80",
 ]

@ -34,13 +35,14 @@ volumes = [
 networks = ["freshrss", "proxy"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.bibliogram-redirect.entrypoints=http",
  "traefik.http.routers.bibliogram-redirect.rule=Host(`bibliogram.korhonen.cc`)",
  "traefik.http.routers.bibliogram-redirect.middlewares=http2https@file",
  "traefik.http.routers.bibliogram.entrypoints=https",
+  "traefik.http.routers.bibliogram.middlewares=secHeaders@file",
  "traefik.http.routers.bibliogram.rule=Host(`bibliogram.korhonen.cc`)",
  "traefik.http.routers.bibliogram.service=bibliogram",
-  "traefik.docker.network=proxy",
  "traefik.http.services.bibliogram.loadbalancer.server.port=10407",
 ]

--- a/docker/gitea/docker-compose.toml
+++ b/docker/gitea/docker-compose.toml
@ -10,13 +10,14 @@ ports = ["3000:3000", "22:22"]
 volumes = ["/docker/gitea:/data", "/etc/localtime:/etc/localtime:ro"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.gitea-redirect.entrypoints=http",
  "traefik.http.routers.gitea-redirect.rule=Host(`git.korhonen.cc`)",
  "traefik.http.routers.gitea-redirect.middlewares=http2https@file",
  "traefik.http.routers.gitea.entrypoints=https",
+  "traefik.http.routers.gitea.middlewares=secHeaders@file",
  "traefik.http.routers.gitea.rule=Host(`git.korhonen.cc`)",
  "traefik.http.routers.gitea.service=gitea",
-  "traefik.docker.network=proxy",
  "traefik.http.services.gitea.loadbalancer.server.port=3000",
 ]

--- a/docker/homeautomation/docker-compose.toml
+++ b/docker/homeautomation/docker-compose.toml
@ -15,13 +15,14 @@ ports = ["8123:8123", "8300:8300"]
 depends_on = ["mosquitto"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.home-assistant-redirect.entrypoints=http",
  "traefik.http.routers.home-assistant-redirect.rule=Host(`home.korhonen.cc`)",
  "traefik.http.routers.home-assistant-redirect.middlewares=http2https@file",
  "traefik.http.routers.home-assistant.entrypoints=https",
+  "traefik.http.routers.home-assistant.middlewares=secHeaders@file",
  "traefik.http.routers.home-assistant.rule=Host(`home.korhonen.cc`)",
  "traefik.http.routers.home-assistant.service=home-assistant",
-  "traefik.docker.network=proxy",
  "traefik.http.services.home-assistant.loadbalancer.server.port=8123",
 ]

@ -70,13 +71,14 @@ restart = "unless-stopped"
 depends_on = ["home-assistant"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.node-red-redirect.entrypoints=http",
  "traefik.http.routers.node-red-redirect.rule=Host(`node.korhonen.cc`)",
  "traefik.http.routers.node-red-redirect.middlewares=http2https@file",
  "traefik.http.routers.node-red.entrypoints=https",
  "traefik.http.routers.node-red.rule=Host(`node.korhonen.cc`)",
+  "traefik.http.routers.node-red.middlewares=secHeaders@file",
  "traefik.http.routers.node-red.service=node-red",
-  "traefik.docker.network=proxy",
  "traefik.http.services.node-red.loadbalancer.server.port=1880",
 ]

--- a/docker/index.korhonen.cc/docker-compose.toml
+++ b/docker/index.korhonen.cc/docker-compose.toml
@ -9,13 +9,14 @@ networks = ["proxy"]
 restart = "unless-stopped"
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.index-redirect.entrypoints=http",
  "traefik.http.routers.index-redirect.rule=Host(`index.korhonen.cc`)",
  "traefik.http.routers.index-redirect.middlewares=http2https@file",
  "traefik.http.routers.index.entrypoints=https",
+  "traefik.http.routers.index.middlewares=secHeaders@file",
  "traefik.http.routers.index.rule=Host(`index.korhonen.cc`)",
  "traefik.http.routers.index.service=index",
-  "traefik.docker.network=proxy",
  "traefik.http.services.index.loadbalancer.server.port=80",
 ]

--- a/docker/jellyfin/docker-compose.toml
+++ b/docker/jellyfin/docker-compose.toml
@ -19,13 +19,14 @@ devices = [
 ]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.jellyfin-redirect.entrypoints=http",
  "traefik.http.routers.jellyfin-redirect.rule=Host(`jellyfin.korhonen.cc`)",
  "traefik.http.routers.jellyfin-redirect.middlewares=http2https@file",
  "traefik.http.routers.jellyfin.entrypoints=https",
+  "traefik.http.routers.gitea.middlewares=secHeaders@file",
  "traefik.http.routers.jellyfin.rule=Host(`jellyfin.korhonen.cc`)",
  "traefik.http.routers.jellyfin.service=jellyfin",
-  "traefik.docker.network=proxy",
  "traefik.http.services.jellyfin.loadbalancer.server.port=8096",
 ]

--- a/docker/korhonen.cc/docker-compose.toml
+++ b/docker/korhonen.cc/docker-compose.toml
@ -3,18 +3,22 @@
 [services.nginx]
 image = "nginx"
 container_name = "korhonen.cc"
-volumes = ["/docker/korhonen.cc:/korhonen.cc:ro", "./nginx.conf:/etc/nginx/conf.d/default.conf"]
+volumes = [
+  "/docker/korhonen.cc:/korhonen.cc:ro",
+  "./nginx.conf:/etc/nginx/conf.d/default.conf",
+]
 networks = ["proxy"]
 restart = "unless-stopped"
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.korhonen-redirect.entrypoints=http",
  "traefik.http.routers.korhonen-redirect.rule=Host(`korhonen.cc`)",
  "traefik.http.routers.korhonen-redirect.middlewares=http2https@file",
  "traefik.http.routers.korhonen.entrypoints=https",
+  "traefik.http.routers.korhonen.middlewares=secHeaders@file",
  "traefik.http.routers.korhonen.rule=Host(`korhonen.cc`)",
  "traefik.http.routers.korhonen.service=korhonen",
-  "traefik.docker.network=proxy",
  "traefik.http.services.korhonen.loadbalancer.server.port=80",
 ]

--- a/docker/pihole/docker-compose.toml
+++ b/docker/pihole/docker-compose.toml
@ -14,13 +14,14 @@ cap_add = ["NET_ADMIN"]
 restart = "unless-stopped"
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.pihole-redirect.entrypoints=http",
  "traefik.http.routers.pihole-redirect.rule=Host(`pihole.korhonen.cc`)",
  "traefik.http.routers.pihole-redirect.middlewares=http2https@file",
  "traefik.http.routers.pihole.entrypoints=https",
+  "traefik.http.routers.pihole.middlewares=secHeaders@file",
  "traefik.http.routers.pihole.rule=Host(`pihole.korhonen.cc`)",
  "traefik.http.routers.pihole.service=pihole",
-  "traefik.docker.network=proxy",
  "traefik.http.services.pihole.loadbalancer.server.port=80",
 ]

--- a/docker/traefik/docker-compose.toml
+++ b/docker/traefik/docker-compose.toml
@ -19,15 +19,16 @@ volumes = [
 ]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.redirect.entrypoints=http",
  "traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
  "traefik.http.routers.redirect.middlewares=http2https@file",
  "traefik.http.routers.dashboard.entrypoints=https",
+  "traefik.http.routers.dashboard.middlewares=secHeaders@file",
  "traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
  "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/dashboard-users",
  "traefik.http.routers.dashboard.middlewares=dashboard-auth",
  "traefik.http.routers.dashboard.service=api@internal",
-  "traefik.docker.network=proxy",
 ]

 [services.fail2ban]
--- a/docker/tvheadend/docker-compose.toml
+++ b/docker/tvheadend/docker-compose.toml
@ -16,13 +16,14 @@ restart = "unless-stopped"
 networks = ["proxy"]
 labels = [
  "traefik.enable=true",
+  "traefik.docker.network=proxy",
  "traefik.http.routers.tvheadend-redirect.entrypoints=http",
  "traefik.http.routers.tvheadend-redirect.rule=Host(`tvheadend.korhonen.cc`)",
  "traefik.http.routers.tvheadend-redirect.middlewares=http2https@file",
  "traefik.http.routers.tvheadend.entrypoints=https",
+  "traefik.http.routers.tvheadend.middlewares=secHeaders@file",
  "traefik.http.routers.tvheadend.rule=Host(`tvheadend.korhonen.cc`)",
  "traefik.http.routers.tvheadend.service=tvheadend",
-  "traefik.docker.network=proxy",
  "traefik.http.services.tvheadend.loadbalancer.server.port=9981",
 ]