From 21d7a347da4189c754277d277d25b0585f349473 Mon Sep 17 00:00:00 2001
From: groales
Date: Mon, 1 Dec 2025 11:15:15 +0100
Subject: [PATCH] =?UTF-8?q?Habilitar=20configuraci=C3=B3n=20din=C3=A1mica:?=
 =?UTF-8?q?=20provider=20file=20+=20directorio=20dynamic=20con=20middlewar?=
 =?UTF-8?q?es?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docker-compose.yaml | 1 +
 dynamic/README.md | 41 +++++++++++++++++++++++++++++++++++++++
 dynamic/middlewares.yml | 43 +++++++++++++++++++++++++++++++++++++++++
 traefik.yml | 6 +++---
 4 files changed, 88 insertions(+), 3 deletions(-)
 create mode 100644 dynamic/README.md
 create mode 100644 dynamic/middlewares.yml
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4e78c4d..1b21791 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,6 +11,7 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./traefik.yml:/traefik.yml:ro
 - ./letsencrypt:/letsencrypt
+ - ./dynamic:/etc/traefik/dynamic:ro
 environment:
 TZ: "Europe/Madrid"
 networks:
diff --git a/dynamic/README.md b/dynamic/README.md
new file mode 100644
index 0000000..77f1e53
--- /dev/null
+++ b/dynamic/README.md
@@ -0,0 +1,41 @@
+# Configuración Dinámica de Traefik
+
+Este directorio contiene configuración que Traefik recarga automáticamente sin reiniciar el contenedor.
+
+## Archivos
+
+- **middlewares.yml**: Middlewares reutilizables (headers seguridad, rate limit, auth, etc.)
+
+## Uso
+
+### Aplicar middleware a un servicio
+
+En el `docker-compose.yaml` de tu servicio:
+
+```yaml
+services:
+ mi-servicio:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.mi-servicio.rule=Host(`app.tudominio.com`)"
+ - "traefik.http.routers.mi-servicio.entrypoints=websecure"
+ - "traefik.http.routers.mi-servicio.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.mi-servicio.middlewares=security-headers@file,rate-limit@file"
+```
+
+**Nota:** El sufijo `@file` indica que el middleware viene de configuración dinámica.
+
+### Cadena de middlewares
+
+Puedes combinar varios:
+```yaml
+- "traefik.http.routers.app.middlewares=security-headers@file,rate-limit@file,ip-whitelist@file"
+```
+
+## Recarga automática
+
+Traefik detecta cambios en este directorio y recarga sin reiniciar. Espera ~10 segundos tras editar.
+
+## Ejemplos adicionales
+
+Consulta la wiki: https://git.ictiberia.com/groales/traefik/wiki/Middlewares-Seguridad
diff --git a/dynamic/middlewares.yml b/dynamic/middlewares.yml
new file mode 100644
index 0000000..d2bddd4
--- /dev/null
+++ b/dynamic/middlewares.yml
@@ -0,0 +1,43 @@
+http:
+ middlewares:
+ # Headers de seguridad
+ security-headers:
+ headers:
+ stsSeconds: 63072000
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ frameDeny: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: "strict-origin-when-cross-origin"
+ customResponseHeaders:
+ X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+
+ # Rate limiting
+ rate-limit:
+ rateLimit:
+ average: 100
+ burst: 200
+ period: 1m
+
+ # IP Whitelist (ejemplo - ajusta tus IPs)
+ ip-whitelist:
+ ipWhiteList:
+ sourceRange:
+ - "127.0.0.1/32"
+ - "10.0.0.0/8"
+ - "192.168.0.0/16"
+
+ # Autenticación básica (genera hash con: htpasswd -nb usuario password)
+ # auth-basic:
+ # basicAuth:
+ # users:
+ # - "admin:$apr1$..."
+
+ # Redirect www a root
+ redirect-www:
+ redirectRegex:
+ regex: "^https?://www\\.(.+)"
+ replacement: "https://${1}"
+ permanent: true
diff --git a/traefik.yml b/traefik.yml
index 5e07f28..fa5a6c1 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -19,9 +19,9 @@ providers:
 endpoint: "unix:///var/run/docker.sock"
 exposedByDefault: false
 network: proxy
- # file:
- # directory: /etc/traefik/dynamic
- # watch: true
+ file:
+ directory: /etc/traefik/dynamic
+ watch: true
 # Certificates from an ACME server
 certificatesResolvers:
 letsencrypt:
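Review bot: `stsPreload: true` combined with `stsIncludeSubdomains: true` and a two-year `stsSeconds` in the shared `security-headers` middleware asserts HSTS-preload eligibility for the whole domain and every subdomain, while the README recipe attaches this middleware to any service; once a domain is on the browser preload list, removal is slow and any subdomain not served over HTTPS stops working. Leave preload off in the shared middleware, `stsPreload: false  # enable only after deliberately deciding to submit the domain for HSTS preloading`, or move it into a separate opt-in middleware. `X-Robots-Tag: "none,..."` likewise de-indexes every route the middleware is attached to, so a comment stating that `security-headers` is meant for non-public services would help callers choose correctly. If this runs on Traefik v3, `ipWhiteList` is deprecated in favour of `ipAllowList` (same `sourceRange` shape); worth confirming against the version in use.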
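Review bot: Enabling the file provider with `watch: true` turns `/etc/traefik/dynamic` into a live control surface: routers, services or middlewares written there are applied without a restart, so host-side write access to the mounted `./dynamic` directory deserves the same protection as `traefik.yml` itself (the compose mount is `:ro` inside the container, which is good, but that does not constrain writers on the host). A comment on the new lines would make that explicit, e.g. `# live config: files here are applied on change (watch: true); restrict host write access to ./dynamic`. Also, if the host runs Docker Desktop rather than native Linux, file-change events on bind mounts may not reach the container and edits would only be picked up on restart, so the automatic reload the README promises is worth verifying in the target environment. The enclosing `providers:` block starts before the hunk.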