Traefik¶
Reverse Proxy mit automatischer SSL-Terminierung via Let's Encrypt. GitHub
ToDo's¶
- Neuen API Token erstellen und in Cloudflare benennen
- API Token über Secret Manager verwalten
- External-DNS
# One-time setup: create the external bridge network that Traefik and the
# proxied containers share. The subnet is the range later referenced as the
# "Traefik network" in the dynamic configuration's IP allow lists.
docker network create --driver bridge --subnet 10.100.0.0/16 proxy_network
Erweiterte Traefik dynamic.yaml (Dynamische Konfiguration)¶
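# traefik/config/dynamic.yaml
# Dynamic configuration for the file provider. The static configuration
# (entryPoints "websecure" and "mqtt", the "letsencrypt" certResolver and
# api.dashboard=true) is assumed to exist elsewhere.
http:
  # Routers
  routers:
    # Traefik dashboard
    dashboard:
      rule: "Host(`traefik.local.domain`)"  # CHANGE ME
      entryPoints:
        - websecure
      service: api@internal  # needs api.dashboard=true in the static config
      middlewares:
        - dashboard-auth
        - security-headers
        - local-only
      tls:
        certResolver: letsencrypt
    # Traefik API
    # This rule overlaps the dashboard rule; the longer rule gets the higher
    # default priority, so /api lands here. Both routers carry the same
    # middleware chain, so neither is reachable without auth and IP check.
    api:
      rule: "Host(`traefik.local.domain`) && PathPrefix(`/api`)"  # CHANGE ME
      entryPoints:
        - websecure
      service: api@internal
      middlewares:
        - dashboard-auth
        - security-headers
        - local-only
      tls:
        certResolver: letsencrypt

  # Services (created automatically by the Docker provider)
  services: {}

  # Middlewares
  middlewares:
    # Dashboard authentication
    dashboard-auth:
      basicAuth:
        users:
          # admin:admin (CHANGE before exposing anything)
          # Generated with: htpasswd -nb admin admin
          # The file provider takes the hash literally ("$" needs no "$$"
          # escaping here, unlike docker-compose labels). Prefer "usersFile"
          # pointing at a mounted secret so the hash stays out of the repo.
          - "admin:$2y$10$8yKiMIcZx.cWb1ElqTvBme8yKlNDDM.j62.h3EQeWh9TaUzGekNry"

    # Security headers (generic chain, applied to every service that lists it)
    security-headers:
      headers:
        # CORS knobs: without an accessControlAllowOriginList a browser will
        # not honour these; per-service CORS lives in cors-headers below.
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"
        # Deprecated in Traefik v2 in favour of an entryPoint redirection
        # (entryPoints.<web>.http.redirections); kept for compatibility.
        sslRedirect: true
        # HSTS: one year, including subdomains, preload-eligible. Preload is
        # a long-lived commitment for the whole registrable domain.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        contentTypeNosniff: true
        # Emits X-XSS-Protection: 1; mode=block. Current browsers ignore this
        # legacy header; a Content-Security-Policy is the effective control
        # and is deliberately not set globally here (set it per service).
        browserXssFilter: true
        # X-Frame-Options: exactly one setting. customFrameOptionsValue
        # overrides frameDeny, so listing both would leave frameDeny inert.
        # Use "frameDeny: true" instead if framing must be denied outright.
        customFrameOptionsValue: "SAMEORIGIN"
        customRequestHeaders:
          X-Forwarded-Proto: "https"

    # Rate limiting: "average" requests per "period", with "burst" headroom.
    # Keyed by client IP by default; see the proxied-address note on
    # local-only below, which applies here as well.
    rate-limit:
      rateLimit:
        burst: 100
        average: 50
        period: 60s

    # Rate limiting, strict (for sensitive services)
    rate-limit-strict:
      rateLimit:
        burst: 20
        average: 10
        period: 60s

    # Local network only.
    # NOTE: ipWhiteList checks the address Traefik sees on the socket. If
    # traffic is proxied (e.g. Cloudflare) or published through Docker's
    # userland proxy, that address is the proxy/gateway, not the client —
    # a gateway inside 172.16.0.0/12 would admit every external client.
    # Verify against the access log and configure ipStrategy (depth /
    # excludedIPs) before relying on this. Traefik v3 renames this
    # middleware to ipAllowList.
    local-only:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"  # also contains proxy_network (10.100.0.0/16)
          - "172.16.0.0/12"  # Docker's default address pools fall in here
          - "192.168.0.0/16"
          - "127.0.0.1/32"

    # VPN only (if you run a VPN). Same caveats as local-only.
    vpn-only:
      ipWhiteList:
        sourceRange:
          - "10.8.0.0/24"  # OpenVPN default
          - "10.100.0.0/16"  # Traefik network: any container on it passes
          - "127.0.0.1/32"  # localhost

    # Compression
    compress:
      compress: {}

    # Add trailing slash (only a single, lowercase first path segment,
    # e.g. https://host/app -> https://host/app/)
    add-trailing-slash:
      redirectRegex:
        regex: "^(https?://[^/]+/[a-z0-9_]+)$"
        replacement: "${1}/"
        permanent: false

    # Remove trailing slash(es)
    remove-trailing-slash:
      redirectRegex:
        # A single "$" end anchor; "$$" is only needed as the docker-compose
        # escape for a literal "$" in labels, not in the file provider.
        regex: "^(https?://.*)/+$"
        replacement: "$1"
        permanent: false

    # CORS headers (attach only to services that need cross-origin access)
    cors-headers:
      headers:
        # Credentials are allowed, so the origin list must stay explicit;
        # browsers reject credentialed responses with a wildcard origin.
        accessControlAllowCredentials: true
        accessControlAllowHeaders:
          - "Authorization"
          - "Content-Type"
        accessControlAllowMethods:
          - "GET"
          - "POST"
          - "PUT"
          - "DELETE"
          - "OPTIONS"
        accessControlAllowOriginList:
          - "https://local.domain"  # CHANGE ME
        accessControlExposeHeaders:
          - "Content-Length"
        accessControlMaxAge: 100

# TLS configuration
tls:
  options:
    # Applied to every TLS router that does not select another option set.
    default:
      # Protocol bounds are controlled via minVersion/maxVersion (Traefik
      # has no "sslProtocols" key; an unknown key fails file decoding).
      minVersion: "VersionTLS12"
      # TLS 1.2 suites only: Go's TLS 1.3 suite set is fixed and this list
      # does not affect it. AEAD suites only (GCM / CHACHA20-POLY1305);
      # CBC suites are deliberately excluded.
      # RSA-only suites match Let's Encrypt RSA keys (Traefik's default
      # keyType); an ECDSA certificate would additionally need the
      # TLS_ECDHE_ECDSA_* variants.
      cipherSuites:
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      curvePreferences:
        - "CurveP521"
        - "CurveP384"

    # Strict TLS for sensitive services (select per router with
    # "tls.options: strict"). With TLS 1.3 only there is nothing to list
    # under cipherSuites: Go ignores the list for TLS 1.3.
    strict:
      minVersion: "VersionTLS13"

# TCP routers and services (for non-HTTP services such as MQTT)
tcp:
  routers:
    # Plain TCP (no tls block), so HostSNI(`*`) is the required catch-all
    # rule: every client reaching the "mqtt" entryPoint is forwarded as-is.
    # Traefik adds no authentication or encryption on this path; Mosquitto's
    # own auth/TLS or network-level filtering must provide them.
    mqtt-router:
      rule: "HostSNI(`*`)"
      entryPoints:
        - mqtt
      service: mqtt-service
  services:
    mqtt-service:
      loadBalancer:
        servers:
          - address: "mosquitto:1883"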