Traefik in Kubernetes: различия между версиями
Sol (обсуждение | вклад) (Новая страница: «Категория:Kubernetes === TLS options === === Headers ===») |
Sol (обсуждение | вклад) |
(не показаны 4 промежуточные версии этого же участника) | |||
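--- a/Traefik in Kubernetes
+++ b/Traefik in Kubernetes
@@ -1,3 +1,67 @@
-[[Категория:Kubernetes]]
+[[Категория:Kubernetes]][[Категория:Web]]
 === TLS options ===
+<span style="color:#ff0000 ">'''only one TLSOption per Kubernetes cluster'''</span>
+<syntaxhighlight lang="bash">
+kubectl -n default apply -f traefik_TLSopt.yaml
+</syntaxhighlight>
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+name: default
+spec:
+minVersion: VersionTLS12
+cipherSuites:
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
+- TLS_AES_256_GCM_SHA384 # TLS 1.3
+- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
+</syntaxhighlight>
+
+[[TLS check]]
+
 === Headers ===
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: headers-back-office
+spec:
+headers:
+accessControlAllowMethods:
+- "GET"
+- "OPTIONS"
+- "PUT"
+- "POST"
+- "DELETE"
+accessControlAllowHeaders:
+- '*'
+accessControlAllowOriginList:
+- "*"
+accessControlMaxAge: 100
+accessControlExposeHeaders:
+- '*'
+addVaryHeader: true
+customResponseHeaders:
+Server: "" # Remove web server name and version
+</syntaxhighlight>
+===Security middleware===
+<syntaxhighlight lang="yaml">
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: security
+spec:
+headers:
+frameDeny: true
+sslRedirect: true
+browserXssFilter: true
+contentTypeNosniff: true
+#HSTS
+stsIncludeSubdomains: true
+stsPreload: true
+stsSeconds: 31536000
+</syntaxhighlight>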
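Review bot: The headers-back-office middleware pairs `accessControlAllowOriginList: - "*"` with PUT/POST/DELETE in accessControlAllowMethods, so any web page can issue those requests to the back office cross-origin; accessControlAllowCredentials is not set, so browsers will not attach cookies, but every endpoint that is not protected by cookie-based auth becomes readable from arbitrary origins, and the list should instead name the real back-office origins, e.g. `- "https://backoffice.example.com"  # constructed placeholder`. In the TLSOption hunk the two TLS 1.3 entries under cipherSuites are not enforced by Traefik (its Go TLS stack does not allow restricting TLS 1.3 suites), so they deserve a comment such as `# informational only: TLS 1.3 suites are not configurable in Traefik`. The list is also ECDHE_RSA-only, which means TLS 1.2 handshakes will fail if the served certificate is ECDSA; that assumption should be stated next to the list. Minor: `#HSTS` should read `# HSTS` (one space after the hash).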
Текущая версия на 22:43, 20 апреля 2022
TLS options
only one TLSOption per Kubernetes cluster
kubectl -n default apply -f traefik_TLSopt.yaml
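---
# TLSOption applied cluster-wide. NOTE(review): Traefik treats the TLSOption
# named "default" as the fallback for routers that reference no tls.options,
# which is why only one such object is expected per cluster — confirm against
# the Traefik version in use.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
spec:
  # Reject TLS 1.0 and TLS 1.1 handshakes.
  minVersion: VersionTLS12
  # Only ECDHE_RSA suites are listed, so TLS 1.2 clients can only negotiate
  # against an RSA certificate; add ECDSA suites if ECDSA certificates are used.
  # NOTE(review): Traefik (Go crypto/tls) does not let cipherSuites restrict
  # TLS 1.3 — the two TLS 1.3 entries are documentation only.
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305  # TLS 1.2
    - TLS_AES_256_GCM_SHA384  # TLS 1.3 (informational, not enforced)
    - TLS_CHACHA20_POLY1305_SHA256  # TLS 1.3 (informational, not enforced)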
Headers
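---
# CORS and response-header middleware for the back office.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-back-office
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
      - "DELETE"
    accessControlAllowHeaders:
      - "*"
    # NOTE(review): a wildcard origin lets any web page call the methods above
    # cross-origin. accessControlAllowCredentials is not set, so browsers will
    # not attach cookies, but responses from endpoints that do not rely on
    # cookie-based auth are readable from arbitrary origins. Prefer listing the
    # actual back-office origins here.
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 100  # seconds a preflight response may be cached
    accessControlExposeHeaders:
      - "*"
    addVaryHeader: true  # emit a Vary header so caches keep per-origin responses apart
    customResponseHeaders:
      Server: ""  # empty value removes the header: hides web server name and version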
Security middleware
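---
# Security-header middleware: clickjacking, MIME sniffing and HSTS settings.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security
spec:
  headers:
    frameDeny: true  # X-Frame-Options: DENY — page may not be framed
    # NOTE(review): Traefik v2 documents sslRedirect as deprecated in favour of
    # an EntryPoint redirection — confirm for the version in use.
    sslRedirect: true
    browserXssFilter: true  # legacy X-XSS-Protection header; modern browsers ignore it
    contentTypeNosniff: true  # X-Content-Type-Options: nosniff
    # HSTS
    stsIncludeSubdomains: true  # every subdomain must already be served over HTTPS
    stsPreload: true  # only meaningful once the domain is submitted to the preload list; hard to undo
    stsSeconds: 31536000  # one year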