
# Static configuration: listeners.  The plain-HTTP entry point exists only to
# redirect to HTTPS; nothing is routed on :80 directly.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"
    http:
      encodedCharacters:
        # Percent-encoded slashes (%2F) in the path are passed through instead
        # of being rejected.  NOTE(review): routers and backends then see the
        # encoded form, so a path-based rule or a backend that normalises %2F
        # differently than Traefik can disagree about the request — confirm the
        # backends actually need this.
        allowEncodedSlash: true
    # NOTE(review): placed under websecure on the assumption that these
    # timeouts are meant for the TLS listener — confirm against the source tree.
    transport:
      respondingTimeouts:
        # 0 disables the timeout entirely.  With no read/idle bound a client can
        # hold connections open with a trickle of bytes for as long as it likes
        # (slow-request exhaustion); presumably set for long uploads or streams —
        # confirm a finite bound is not acceptable instead.
        readTimeout: 0
        writeTimeout: 0
        idleTimeout: 0
# ACME via the DNS-01 challenge through TransIP, so certificates are issued
# without depending on :80 being reachable.  The provider's API credentials are
# deliberately not in this file; they are handed to the Traefik process
# separately (the provider reads them from its TRANSIP_* environment variables).
certificatesResolvers:
  transip:
    acme:
      dnsChallenge:
        provider: "transip"
      email: "{{ traefik_letsencrypt_email }}"
      # Holds the ACME account key and every issued private key: keep it mode
      # 0600 and off any shared volume (Traefik refuses a world-readable file).
      storage: "/acme.json"
      # Production Let's Encrypt endpoint.  Point this at the staging directory
      # while testing the role, to avoid burning the production issuance limits.
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
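# Load the Coraza WAF plugin only when at least one route opts in.  The guard
# uses the same predicate as the one that emits the "waf" middleware
# (defined-and-truthy): the original `equalto true` test evaluated an
# undefined attribute on routes that omit `waf` (an error under strict
# undefined handling) and did not match truthy non-boolean values such as the
# string "yes", so a router could reference a middleware whose plugin was
# never loaded, which Traefik rejects at startup.
{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %}
experimental:
  plugins:
    coraza:
      # Pinned to a release tag so a rebuild cannot silently pull a newer WAF.
      moduleName: "github.com/jcchavezs/coraza-http-wasm-traefik"
      version: "v0.3.0"
{% endif %}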
# Dynamic configuration is read from a file rather than discovered from a
# container or cluster API.
# NOTE(review): this template carries static sections (entryPoints,
# certificatesResolvers, providers) next to the dynamic `http` section, and the
# path below is /traefik.yml while the template is config.yml.j2.  Traefik's
# static-config loader presumably rejects the dynamic keys if it is handed this
# whole file — confirm how the rendered output is mounted and which loader
# reads which part.
providers:
  file:
    filename: "/traefik.yml"
    # Re-read on change so edits apply without a restart.
    watch: true
# Dynamic configuration, rendered once per entry of traefik_routes.  Each route
# yields one router on the HTTPS entry point and one backing service; routes
# with a truthy `waf` additionally pass through the Coraza middleware.
http:
  routers:
{% for item in traefik_routes %}
    {{ item.service }}:
      # NOTE(review): item.name is inserted unescaped between the backtick
      # delimiters of the rule, so a backtick in the value would break out of
      # it.  Acceptable while traefik_routes is operator-controlled inventory;
      # it must not be fed from anything less trusted.
      rule: "Host(`{{ item.name }}`)"
      entryPoints:
        - "websecure"
      service: "{{ item.service }}-svc"
{% if item.waf | default(false) %}
      # Must stay in step with the guard that loads the Coraza plugin: a router
      # that references "waf" while the plugin is not loaded fails at startup.
      middlewares:
        - "waf"
{% endif %}
      tls:
        certResolver: "transip"
{% endfor %}
{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %}
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - "SecRuleEngine On"
            # Request bodies are not inspected: the CRS rules below only see
            # the method, URI, headers and query string, so payloads carried in
            # POST bodies (forms, JSON) are never evaluated.  Enabling body
            # access also needs a SecRequestBodyLimit so the WAF cannot be made
            # to buffer arbitrarily large requests.
            - "SecRequestBodyAccess Off"
            - "SecResponseBodyAccess Off"
            # NOTE(review): with deny as the default disruptive action, any CRS
            # rule that uses `block` denies on its own match (what CRS calls
            # self-contained mode); the anomaly threshold set in 900110 below
            # then only matters for rules that merely raise the score.  That is
            # stricter and noisier on false positives than pure anomaly
            # scoring — confirm it is the intended mode.
            - "SecDefaultAction \"phase:1,log,auditlog,deny,status:403\""
            - "SecDefaultAction \"phase:2,log,auditlog,deny,status:403\""
            # CRS tuning knobs, set here instead of via crs-setup.conf: lowest
            # paranoia level, default blocking threshold, explicit method
            # allow-list (anything else is rejected by the 911 rules).
            - "SecAction \"id:900000,phase:1,pass,nolog,setvar:tx.paranoia_level=1\""
            - "SecAction \"id:900110,phase:1,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=5\""
            - "SecAction \"id:900200,phase:1,pass,nolog,setvar:tx.allowed_methods=GET POST PUT PATCH DELETE HEAD OPTIONS\""
            # Request-phase CRS rule files bundled with the plugin.  Only the
            # request side is included, which matches response body access
            # being off above.
            - "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf"
            - "Include @owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf"
            - "Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf"
            - "Include @owasp_crs/REQUEST-913-SCANNER-DETECTION.conf"
            - "Include @owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
            - "Include @owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf"
            - "Include @owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
            - "Include @owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
            - "Include @owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
            - "Include @owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
            - "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
            - "Include @owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
            - "Include @owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
            - "Include @owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"
            # Evaluates the accumulated anomaly score against the threshold.
            - "Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"
{% endif %}
  services:
{% for item in traefik_routes %}
    {{ item.service }}-svc:
      loadBalancer:
        servers:
          # No serversTransport is configured, so when item.proto is https the
          # backend certificate is verified against the system CAs (Traefik's
          # default); plain http backends are sent the decrypted traffic as-is.
          - url: "{{ item.proto }}://{{ item.host }}:{{ item.port }}"
{% endfor %}