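# =====Traefik=====
# docker-compose.yaml
#
# Traefik v2.5 in front of Docker containers: Let's Encrypt via the TLS-ALPN
# challenge, plus a file-provider dynamic config mounted read-only from
# ./traefik_dynamic_config.yml (second document below).
---
services:
  traefik:
    image: traefik:v2.5
    command:
      # With api.insecure the dashboard/API is served without authentication
      # on the dedicated port 8080; the port mapping below keeps that port on
      # the loopback interface only. Preferred long-term setup: api.dashboard
      # plus a router on websecure with an auth middleware in front of it.
      - --api.insecure=true
      - --providers.docker=true
      # Opt-in exposure: only containers labelled traefik.enable=true get a
      # router. Without this flag every container reachable through the
      # socket is published automatically.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Port 80 previously accepted connections but had no router on it;
      # redirect everything to the TLS entrypoint instead.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.letsencrypt.acme.email=jonathan763@hotmail.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
      - --providers.file.filename=/etc/traefik/traefik_dynamic_config.yml
    ports:
      # Dashboard/API: loopback only (was "8080:8080", i.e. all interfaces).
      - "127.0.0.1:8080:8080"
      - "80:80"
      - "443:443"
    volumes:
      # acme.json holds the account key and certificate private keys; keep
      # the host directory permissions tight.
      - ./letsencrypt:/letsencrypt
      # Read-only bind of the socket file. This still grants full Docker API
      # access to the container (the API is reached through the socket, not
      # by writing the file); a socket proxy is the actual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik_dynamic_config.yml:/etc/traefik/traefik_dynamic_config.yml:ro
    networks:
      - traefik_default
    restart: always

  nginx1:
    image: nginx:latest
    container_name: nginx1
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx1.rule=Host(`test1.cloche.ca`)"
      - "traefik.http.routers.nginx1.entrypoints=websecure"
      - "traefik.http.routers.nginx1.tls.certresolver=letsencrypt"
      # The header middleware is defined in the file provider (second document)
      # and must be attached explicitly; a middleware no router references is
      # never applied.
      - "traefik.http.routers.nginx1.middlewares=secure-headers@file"
    restart: always
    networks:
      - traefik_default

networks:
  traefik_default:
    external: false
  # Declared but not attached to any service. If the 192.168.22.16 backend in
  # the dynamic config is only reachable over this VLAN, add vlan2 to the
  # traefik service's networks list.
  vlan2:
    external: true

---
# traefik_dynamic_config.yml (file provider, mounted read-only above)
http:
  routers:
    test2:
      entryPoints:
        - "websecure"
      rule: "Host(`test2.cloche.ca`)"
      tls:
        certResolver: letsencrypt
      # Same provider, so no "@file" suffix is needed here.
      middlewares:
        - secure-headers
      service: test2

  services:
    test2:
      loadBalancer:
        servers:
          # Plain HTTP to the backend: the hop from Traefik to the server is
          # unencrypted. Acceptable only if that network segment is trusted.
          - url: "http://192.168.22.16:80"

  middlewares:
    # Previously defined as labels on the traefik container; moved here so it
    # survives exposedbydefault=false (unlabelled containers are skipped,
    # middlewares on them included).
    secure-headers:
      headers:
        # No-op for routers that only listen on websecure; the HTTP→HTTPS
        # redirect is configured on the web entrypoint instead.
        sslRedirect: true
        frameDeny: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        contentTypeNosniff: true
        contentSecurityPolicy: "script-src 'self'"
        referrerPolicy: origin-when-cross-origin
        addVaryHeader: true
        # CORS values below are the placeholders from the Traefik docs. Origins
        # are matched against the Origin header including the scheme, so a bare
        # host never matches. Set the real origins (e.g. "https://app.example")
        # or drop these three keys if no cross-origin access is needed.
        accessControlAllowMethods:
          - GET
          - POST
        accessControlAllowOriginList:
          - foobar.com
        accessControlMaxAge: 100

tls:
  options:
    default:
      minVersion: VersionTLS12
      # TLS 1.3 suites are fixed by the Go TLS stack and cannot be configured;
      # this list only constrains TLS 1.2 handshakes.
      cipherSuites:
        # TLSv1.2 suites for an RSA certificate (Traefik's ACME keyType
        # defaults to RSA, so these are the ones in use here)
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        # TLSv1.2 suites for an ECDSA certificate (not TLS 1.3 suites, despite
        # the original comment); only relevant if keyType is switched to EC
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    # Not referenced by any router yet. Select it per router with
    # "tls.options: tlsv13only" (file) or
    # "traefik.http.routers.<name>.tls.options=tlsv13only@file" (labels).
    tlsv13only:
      minVersion: VersionTLS13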