jack
fccbd1a45a
Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
109 lines
2.3 KiB
Django/Jinja
109 lines
2.3 KiB
Django/Jinja
# Traefik v3 static configuration
|
|
# Generated by Ansible
|
|
|
|
global:
|
|
checkNewVersion: false
|
|
sendAnonymousUsage: false
|
|
|
|
log:
|
|
level: INFO
|
|
|
|
accessLog:
|
|
filePath: /var/log/traefik/access.log
|
|
bufferingSize: 100
|
|
fields:
|
|
defaultMode: keep
|
|
headers:
|
|
defaultMode: drop
|
|
names:
|
|
User-Agent: keep
|
|
Referer: drop
|
|
|
|
api:
|
|
dashboard: true
|
|
insecure: false
|
|
|
|
ping: {}
|
|
|
|
entryPoints:
|
|
web:
|
|
address: ":80"
|
|
forwardedHeaders:
|
|
# Trust Cloudflare IP ranges — they pass real visitor IP in X-Forwarded-For
|
|
trustedIPs:
|
|
- "173.245.48.0/20"
|
|
- "103.21.244.0/22"
|
|
- "103.22.200.0/22"
|
|
- "103.31.4.0/22"
|
|
- "141.101.64.0/18"
|
|
- "108.162.192.0/18"
|
|
- "190.93.240.0/20"
|
|
- "188.114.96.0/20"
|
|
- "197.234.240.0/22"
|
|
- "198.41.128.0/17"
|
|
- "162.158.0.0/15"
|
|
- "104.16.0.0/13"
|
|
- "104.24.0.0/14"
|
|
- "172.64.0.0/13"
|
|
- "131.0.72.0/22"
|
|
- "2400:cb00::/32"
|
|
- "2606:4700::/32"
|
|
- "2803:f800::/32"
|
|
- "2405:b500::/32"
|
|
- "2405:8100::/32"
|
|
- "2a06:98c0::/29"
|
|
- "2c0f:f248::/32"
|
|
http:
|
|
redirections:
|
|
entryPoint:
|
|
to: websecure
|
|
scheme: https
|
|
websecure:
|
|
address: ":443"
|
|
forwardedHeaders:
|
|
trustedIPs:
|
|
- "173.245.48.0/20"
|
|
- "103.21.244.0/22"
|
|
- "103.22.200.0/22"
|
|
- "103.31.4.0/22"
|
|
- "141.101.64.0/18"
|
|
- "108.162.192.0/18"
|
|
- "190.93.240.0/20"
|
|
- "188.114.96.0/20"
|
|
- "197.234.240.0/22"
|
|
- "198.41.128.0/17"
|
|
- "162.158.0.0/15"
|
|
- "104.16.0.0/13"
|
|
- "104.24.0.0/14"
|
|
- "172.64.0.0/13"
|
|
- "131.0.72.0/22"
|
|
- "2400:cb00::/32"
|
|
- "2606:4700::/32"
|
|
- "2803:f800::/32"
|
|
- "2405:b500::/32"
|
|
- "2405:8100::/32"
|
|
- "2a06:98c0::/29"
|
|
- "2c0f:f248::/32"
|
|
http:
|
|
middlewares:
|
|
- security-headers@file
|
|
|
|
certificatesResolvers:
|
|
letsencrypt:
|
|
acme:
|
|
email: "{{ acme_email }}"
|
|
storage: /acme/acme.json
|
|
dnsChallenge:
|
|
provider: cloudflare
|
|
# Use Cloudflare DNS resolvers to avoid propagation delays
|
|
resolvers:
|
|
- "1.1.1.1:53"
|
|
- "1.0.0.1:53"
|
|
|
|
providers:
|
|
file:
|
|
directory: /etc/traefik/dynamic
|
|
watch: true
|
|
|
|
serversTransport:
|
|
insecureSkipVerify: false
|