refactor(proxy): improve traefik configuration

services/traefik/docker-compose.yml

@@ -72,8 +72,9 @@ services:
 
       ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
       - --providers.docker=true
+      - --providers.docker.swarmMode=false
+      - --providers.docker.exposedByDefault=false
       - --providers.docker.watch=true
-      - --providers.docker.exposedbydefault=false
       - --providers.docker.network=traefik-network
       - --providers.file.directory=/srv/traefik/rules
       - --providers.file.watch=true
@@ -87,6 +88,12 @@ services:
       # Add Let's Encrypt as default certresolver for all services
       - --entrypoints.websecure.http.tls=true
       - --entrypoints.websecure.http.tls.certresolver=letsencrypt
+      - --entrypoints.websecure.http.tls.domains[0].main=*.${DOMAIN1}
+      - --entrypoints.websecure.http.tls.domains[0].sans=${DOMAIN1}
+      - --entrypoints.websecure.http.tls.domains[1].main=*.${DOMAIN2}
+      - --entrypoints.websecure.http.tls.domains[1].sans=${DOMAIN2}
+      - --entrypoints.websecure.http.tls.domains[2].main=*.${DOMAIN3}
+      - --entrypoints.websecure.http.tls.domains[2].sans=${DOMAIN3}
 
       ## Global HTTP -> HTTPS redirection - https://blog.jensknipper.de/blog/traefik-http-to-https-redirect ##
       # - --entryPoints.web.http.redirections.entryPoint.to=websecure
@@ -129,7 +136,7 @@ services:
       # - traefik.http.routers.http-catchall.middlewares=redirect-to-https
       # - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
 
-      # Global wildcard certificates
+      # Force global wildcard certificates generation
       - traefik.http.routers.wildcard-certs.entrypoints=websecure
       - traefik.http.routers.wildcard-certs.tls.certresolver=letsencrypt
       - traefik.http.routers.wildcard-certs.tls.domains[0].main=*.${DOMAIN1}

services/traefik/rules/rules.yml

@@ -3,18 +3,24 @@ tls:
   options:
     default:
       minVersion: VersionTLS12
-      curvePreferences:
-        - secp521r1
-        - secp384r1
       sniStrict: true
       cipherSuites:
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
         - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
         - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      alpnProtocols:
+        - h2
+        - http/1.1
     mintls13:
       minVersion: VersionTLS13
 
@@ -26,6 +32,23 @@ http:
         scheme: https
         permanent: true
 
+    non-www-redirect:
+      redirectregex:
+        regex: "^https?://www\\.(.+)"
+        replacement: "https://${1}"
+        permanent: true
+
+    www-redirect:
+      redirectregex:
+        regex: "^https?://(?:www\\.)?(.+)"
+        replacement: "https://www.${1}"
+        permanent: true
+
+    compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
     cors-allow-all:
       headers:
         accessControlAllowOriginList: ["*"]
@@ -37,15 +60,15 @@ http:
 
     security-headers:
       headers:
+        addVaryHeader: true
         forceSTSHeader: true
         browserXssFilter: true
         contentTypeNosniff: true
         frameDeny: true
         sslRedirect: true
-        #  HSTS Configuration
         stsIncludeSubdomains: true
         stsPreload: true
         stsSeconds: 31536000
+        customFrameOptionsValue: SAMEORIGIN
         customRequestHeaders:
-          X-Frame-Options: "SAMEORIGIN"
-        customFrameOptionsValue: "SAMEORIGIN"
+          X-Frame-Options: SAMEORIGIN