jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/roles/services/templates/traefik/traefik.yml.j2
jack aa9706bbc4
Some checks failed
CI/CD / syntax-check (push) Successful in 43s
Details
CI/CD / deploy (push) Failing after 59s
Details
feat: comprehensive security hardening 
Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP,
  nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration

CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)

Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing

Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden,
  forgejo, grafana, authelia

CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:44:54 +07:00

56 lines
901 B
Django/Jinja
Raw Blame History

# Traefik v3 static configuration
# Generated by Ansible
global:
checkNewVersion: false
sendAnonymousUsage: false
log:
level: INFO
accessLog:
filePath: /var/log/traefik/access.log
bufferingSize: 100
fields:
defaultMode: keep
headers:
defaultMode: drop
names:
User-Agent: keep
Referer: drop
api:
dashboard: true
insecure: false
ping: {}
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
middlewares:
- security-headers@file
certificatesResolvers:
letsencrypt:
acme:
email: "{{ acme_email }}"
storage: /acme/acme.json
httpChallenge:
entryPoint: web
providers:
file:
directory: /etc/traefik/dynamic
watch: true
serversTransport:
insecureSkipVerify: false
Reference in a new issue View git blame Copy permalink