karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add traefik security headers, short url

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-07-28 11:59:19 +01:00
parent 4e80c1a890
commit 084fda4ba6
2 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
View File

@@ -72,8 +72,17 @@ in
environmentFiles = [ hmConfig.sops.templates.shlink-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.shlink.rule=Host(`url.karaolidis.com`)"
"traefik.http.routers.shlink.middlewares=authelia@docker"
"traefik.http.routers.shlink-short.rule=Host(`u.karaolidis.com`)"
"traefik.http.routers.shlink-short.middlewares=redirect-shlink-short@docker"
"traefik.http.routers.shlink-short.service=noop@internal"
"traefik.http.middlewares.redirect-shlink-short.redirectregex.regex=^https://u\.karaolidis\.com(/.*)?$"
"traefik.http.middlewares.redirect-shlink-short.redirectregex.replacement=https://url.karaolidis.com$\${1}"
"traefik.http.middlewares.redirect-shlink-short.redirectregex.permanent=true"
];
};

22
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -72,7 +72,6 @@ in
"--entrypoints.http.http.redirections.entryPoint.to=https"
"--entrypoints.http.http.redirections.entryPoint.scheme=https"
"--entryPoints.http.http3"
"--entrypoints.http.forwardedHeaders.insecure=true"
"--entryPoints.https.address=:443"
"--entryPoints.https.asDefault=true"
@@ -81,10 +80,9 @@ in
"--entrypoints.https.http.tls.domains[0].main=karaolidis.com"
"--entrypoints.https.http.tls.domains[0].sans=*.karaolidis.com,*.tunnel.karaolidis.com,*.gaming.karaolidis.com"
"--entrypoints.https.http.tls.domains[1].main=krlds.com"
"--entrypoints.https.http.tls.domains[1].sans=*.krlds.com,*.tunnel.krlds.com,*.gaming.krlds.com"
"--entrypoints.https.http.middlewares=compress@docker"
"--entrypoints.https.http.tls.domains[1].sans=*.krlds.com"
"--entryPoints.https.http3"
"--entrypoints.https.forwardedHeaders.insecure=true"
"--entrypoints.https.http.middlewares=compress@docker,security-headers@docker"
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
@@ -104,8 +102,22 @@ in
"traefik.http.routers.traefik-api.service=api@internal"
"traefik.http.routers.traefik-api.middlewares=authelia@docker"
"traefik.http.routers.krlds.rule=HostRegexp(`^(.+\.)?krlds\.com$`)"
"traefik.http.routers.krlds.middlewares=redirect-krlds-to-karaolidis@docker"
"traefik.http.routers.krlds.service=noop@internal"
"traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.regex=^https://([^/]+\.)?krlds\.com(/.*)?$"
"traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.replacement=https://$\${1}karaolidis.com$\${2}"
"traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.permanent=true"
"traefik.http.middlewares.compress.compress=true"
# TODO: Middlewares: Headers (Security + Performance)
"traefik.http.middlewares.security-headers.headers.referrerPolicy=strict-origin-when-cross-origin"
"traefik.http.middlewares.security-headers.headers.stsSeconds=63072000"
"traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
"traefik.http.middlewares.security-headers.headers.stsPreload=true"
"traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
"traefik.http.middlewares.security-headers.headers.frameDeny=true"
];
environmentFiles = [ hmConfig.sops.templates.traefik-env.path ];
};