fixed tls-opts.yml for real this time. fixed secrets in OAuth.

RXWatcher · Oct 13, 2020 · 7157971 · 7157971
1 parent 09fe127
commit 7157971
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -21,7 +21,6 @@ traefik1/*
 !traefik1/rules
 traefik1/rules/*
 !traefik1/rules/*.example
-!traefik1/rules/tls-opts.yml
 !shared
 shared/*
 !shared/*.example
@@ -34,6 +33,7 @@ traefik2/*
 !traefik2/rules
 traefik2/rules/*
 !traefik2/rules/*.example
+!traefik2/rules/tls-opts.yml
 !authelia
 authelia/*
 !authelia/*.example
diff --git a/docker-compose-t2.yml b/docker-compose-t2.yml
@@ -252,9 +252,9 @@ services:
     # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
     # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"
     environment:
-      - CLIENT_ID=/run/secrets/google_client_id
-      - CLIENT_SECRET=/run/secrets/google_client_secret
-      - SECRET=/run/secrets/oauth_secret
+      - CLIENT_ID_FILE=/run/secrets/google_client_id
+      - CLIENT_SECRET_FILE=/run/secrets/google_client_secret
+      - SECRET_FILE=/run/secrets/oauth_secret
       - COOKIE_DOMAIN=$DOMAINNAME
       - INSECURE_COOKIE=false
       - AUTH_HOST=oauth.$DOMAINNAME
@@ -265,7 +265,7 @@ services:
       - LIFETIME=2592000 # 30 days
       - DEFAULT_ACTION=auth
       - DEFAULT_PROVIDER=google
-    secrets:
+    secrets: # had trouble getting secrets to work
       - google_client_id
       - google_client_secret
       - oauth_secret

diff --git a/traefik2/rules/tls-opts.yml b/traefik2/rules/tls-opts.yml
@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true