Traefik in Kubernetes: различия между версиями
Sol (обсуждение | вклад) (Новая страница: «Категория:Kubernetes === TLS options === === Headers ===») |
Sol (обсуждение | вклад) |
| (не показаны 4 промежуточные версии этого же участника) | |||
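--- a/Traefik in Kubernetes
+++ b/Traefik in Kubernetes
@@ -1,3 +1,67 @@
-[[Категория:Kubernetes]]
+[[Категория:Kubernetes]][[Категория:Web]]
 === TLS options ===
+<span style="color:#ff0000 ">'''only one TLSOption per Kubernetes cluster'''</span>
+<syntaxhighlight lang="bash">
+kubectl -n default apply -f traefik_TLSopt.yaml
+</syntaxhighlight>
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+name: default
+spec:
+minVersion: VersionTLS12
+cipherSuites:
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
+- TLS_AES_256_GCM_SHA384 # TLS 1.3
+- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
+</syntaxhighlight>
+
+[[TLS check]]
+
 === Headers ===
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: headers-back-office
+spec:
+headers:
+accessControlAllowMethods:
+- "GET"
+- "OPTIONS"
+- "PUT"
+- "POST"
+- "DELETE"
+accessControlAllowHeaders:
+- '*'
+accessControlAllowOriginList:
+- "*"
+accessControlMaxAge: 100
+accessControlExposeHeaders:
+- '*'
+addVaryHeader: true
+customResponseHeaders:
+Server: "" # Remove web server name and version
+</syntaxhighlight>
+===Security middleware===
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: security
+spec:
+headers:
+frameDeny: true
+sslRedirect: true
+browserXssFilter: true
+contentTypeNosniff: true
+#HSTS
+stsIncludeSubdomains: true
+stsPreload: true
+stsSeconds: 31536000
+</syntaxhighlight>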
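Review bot: The two TLS 1.3 entries in the TLSOption `cipherSuites` list (`TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) do not constrain anything: Traefik hands the list to Go's crypto/tls, which does not allow TLS 1.3 suites to be configured, so only the two `TLS_ECDHE_RSA_*` entries take effect and a comment saying so would stop readers from assuming TLS 1.3 has been narrowed. Because both enforced suites are RSA-only, a TLS 1.2 client negotiating against an ECDSA-keyed certificate finds no common suite; if ECDSA certificates are in use, add `- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305` next to them. In the headers-back-office Middleware, `accessControlAllowOriginList: - "*"` combined with wildcard allowed and exposed headers makes a back-office API callable from any origin; the wildcard should be replaced by the explicit front-end origins that need it. In the security Middleware, `sslRedirect` is deprecated in Traefik v2 in favour of entry-point redirection, and `stsPreload: true` is hard to reverse once the domain is submitted to the preload list, so both deserve a comment stating that the choice is deliberate.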
Текущая версия на 23:43, 20 апреля 2022
TLS options
only one TLSOption per Kubernetes cluster
# Install the cluster-wide TLSOption into the "default" namespace.
kubectl apply --namespace default -f traefik_TLSopt.yaml
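---
# Cluster-wide TLS policy for Traefik. Traefik uses the TLSOption named
# "default" for every TLS router that does not reference another option.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
spec:
  # Refuse TLS 1.0 and 1.1 clients.
  minVersion: VersionTLS12
  # Only the TLS 1.2 entries are enforced: Traefik passes this list to Go's
  # crypto/tls, which does not let TLS 1.3 suites be configured. The TLS 1.3
  # names are kept to document what the server will still negotiate.
  cipherSuites:
    # TLS 1.2, RSA-keyed certificates
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    # TLS 1.2, ECDSA-keyed certificates. Without these, a TLS 1.2 client
    # cannot negotiate against an ECDSA certificate at all.
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    # TLS 1.3 (fixed by Go, not narrowed by this list)
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256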
Headers
---
# CORS and response-header middleware attached to the back-office routers.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-back-office
spec:
  headers:
    # NOTE(review): a wildcard origin plus wildcard allowed/exposed headers
    # lets a script on any site call this back office. Browsers refuse to send
    # credentials to a '*' origin, but cookie-less endpoints stay reachable
    # from anywhere; an explicit list of front-end origins is the safer shape.
    accessControlAllowOriginList:
      - '*'
    accessControlAllowMethods:
      - 'GET'
      - 'OPTIONS'
      - 'PUT'
      - 'POST'
      - 'DELETE'
    accessControlAllowHeaders:
      - '*'
    accessControlExposeHeaders:
      - '*'
    # How long (seconds) a browser may cache the preflight answer.
    accessControlMaxAge: 100
    # Emit "Vary: Origin" so shared caches keep per-origin answers apart.
    addVaryHeader: true
    customResponseHeaders:
      # An empty value makes Traefik drop the header entirely, hiding the
      # upstream server name and version.
      Server: ''
Security middleware
---
# Hardening response headers shared by every router that attaches this middleware.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security
spec:
  headers:
    # HSTS: one year, covering all subdomains, eligible for the preload list.
    # NOTE(review): preload is effectively irreversible once the domain has been
    # submitted; every subdomain must already serve HTTPS.
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    # X-Frame-Options: DENY — refuses any framing (clickjacking defence).
    frameDeny: true
    # X-Content-Type-Options: nosniff.
    contentTypeNosniff: true
    # X-XSS-Protection: 1; mode=block — legacy filter that current Chromium
    # no longer honours; harmless but not a real XSS defence.
    browserXssFilter: true
    # NOTE(review): sslRedirect is deprecated in Traefik v2 in favour of
    # entry-point redirection or the RedirectScheme middleware.
    sslRedirect: true