Traefik in Kubernetes

From Webko Wiki


TLS options

Only one TLSOption can be defined per Kubernetes cluster.

kubectl -n default apply -f traefik_TLSopt.yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3

TLS check
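
One way to check a live endpoint against the TLSOption above, as an added example that is not from the original page. The function names are hypothetical, and the hostname is supplied on the command line and should be an ingress you operate.

```python
import socket
import ssl
import sys

# OpenSSL names (what ssl.SSLSocket.cipher() returns) for the suites listed above.
ALLOWED = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",  # TLS 1.2
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",      # TLS 1.3
}
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first


def policy_violations(version, cipher):
    """Compare one negotiated (version, cipher) pair with the TLSOption."""
    problems = []
    if version not in ORDER or ORDER.index(version) < ORDER.index("TLSv1.2"):
        problems.append(f"protocol {version} is below VersionTLS12")
    # Go's crypto/tls (used by Traefik) does not apply cipherSuites to
    # TLS 1.3, so a TLS 1.3 finding here is the library's choice.
    if cipher not in ALLOWED:
        problems.append(f"cipher {cipher} is not in cipherSuites")
    return problems


def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version; None if the server refuses it."""
    ctx = ssl.create_default_context()  # certificate checks stay enabled
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # a certificate problem is not a protocol refusal
    except (ssl.SSLError, ConnectionResetError):
        return None


def check(host, port=443):
    """Return {version name: list of violations, or None if refused}."""
    report = {}
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        result = probe(host, port, version)
        report[version.name] = None if result is None else policy_violations(*result)
    return report


if __name__ == "__main__":
    print(check(sys.argv[1]))  # hostname of an ingress you operate
```

An empty list for a version means the negotiated suite matches the manifest; `None` means the server refused that protocol version.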

Headers

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-back-office
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
      - "DELETE"
    accessControlAllowHeaders:
      - '*'
    accessControlAllowOriginList:
      - "*"           # Allows every origin; list the back-office origins explicitly to restrict access
    accessControlMaxAge: 100
    accessControlExposeHeaders:
      - '*'
    addVaryHeader: true
    customResponseHeaders:
      Server: ""        # Remove web server name and version

Security middleware

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    # HSTS
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000