Hi,
my goal is a server with, for example, Nextcloud, mail and some other things.
At the moment Traefik runs with the dashboard. Nextcloud runs with HTTPS and Let's Encrypt.
In the Nextcloud settings there are some warnings:
* The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy
* The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds
* Your web server is not properly set up to resolve "/.well-known/caldav"
* Your web server is not properly set up to resolve "/.well-known/carddav"
My docker-compose.yaml:
version: "3.3"
services:
  db:
    image: mariadb
    container_name: db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - /home/user/docker/nextcloud/mariadb/db:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=xxx
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=nextcloud
      - TZ=Europe/Berlin
      - PUID=1001
      - PGID=1001
    restart: always
    networks:
      - proxy
  nextcloud:
    image: nextcloud
    container_name: nextcloud
    depends_on:
      - db
    volumes:
      - /home/user/docker/nextcloud/main:/var/www/html
    restart: always
    environment:
      - PUID=1001
      - PGID=1001
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # Traefik v1 label; it is not part of the v2 label syntax used below
      - "traefik.backend=nextcloud"
      # Router on the :80 entrypoint; with "tls=true" a v2 router only matches TLS requests
      - "traefik.http.routers.nextcloud.entrypoints=web"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.xxx.ovh`)"
      - "traefik.http.routers.nextcloud.middlewares=https-redirect@file"
      # Router on the :443 entrypoint with the Let's Encrypt resolver
      - "traefik.http.routers.nextcloud-secure.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.xxx.ovh`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=leresolver"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      # Both of these target router "nextcloud" (the :80 router), not "nextcloud-secure";
      # "middlewares" for router "nextcloud" is therefore set twice in this list
      - "traefik.http.routers.nextcloud.tls.options=default"
      - "traefik.http.routers.nextcloud.middlewares=https-redirect@file,security-headers@file"
      # Traefik v1 redirect labels; v2 expresses this as a redirectRegex middleware
      - "traefik.frontend.redirect.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/"
      - "traefik.frontend.redirect.permanent=true"
networks:
  proxy:
    external:
      name: traefik_proxy
My traefik.toml:
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[log]
  level = "DEBUG"

[api]

[providers.docker]
  exposedByDefault = false

[providers.file]
  filename = "/etc/traefik/dynamic_conf.toml"

# In Traefik v2, TLS options are dynamic configuration (the file provider),
# not part of the static traefik.toml
[tls]
  [tls.options]
    [tls.options.default]
      sniStrict = true
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", # the only CBC (non-AEAD) suite in this list
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        # Signalling value, not an encryption suite: client is doing version fallback. See RFC 7507.
        "TLS_FALLBACK_SCSV"
      ]

[certificatesResolvers.leresolver.acme]
  email = "xxx@gmail.com"
  storage = "acme.json"
  [certificatesResolvers.leresolver.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"
My dynamic_conf.toml:
[http.middlewares]
  [http.middlewares.https-redirect.redirectScheme]
    scheme = "https"

  [http.middlewares.security-headers.headers]
    # CORS
    AccessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
    # Placeholder string from the docs; it is sent literally as the allowed origin
    AccessControlAllowOrigin = "origin-list-or-null"
    AccessControlMaxAge = 100
    #AddVaryHeader = true
    BrowserXssFilter = true
    ContentTypeNosniff = true
    ForceSTSHeader = true
    FrameDeny = true
    SSLRedirect = true
    STSIncludeSubdomains = true
    STSPreload = true
    ContentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
    CustomFrameOptionsValue = "SAMEORIGIN"
    ReferrerPolicy = "same-origin"
    FeaturePolicy = "vibrate 'self'"
    # 10 years; Nextcloud's check asks for at least 15552000 seconds
    STSSeconds = 315360000
SSL Labs still says "Overall Rating B". What's wrong with my configuration?
Thanks for your help.
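A small checker for two of the Nextcloud warnings quoted above (the HSTS max-age threshold and the /.well-known/caldav and /.well-known/carddav redirects), added here as an example and not part of the original post or of Nextcloud's own code. The header values and the host name nextcloud.xxx.ovh used in the checks are constructed from the posted configuration.

```python
import re
from typing import Dict, List, Optional

# Nextcloud's admin check wants Strict-Transport-Security with a max-age of at
# least 15552000 seconds (six months), the value quoted in its warning.
NEXTCLOUD_MIN_HSTS_SECONDS = 15552000
DAV_TARGET = "/remote.php/dav/"


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N; includeSubDomains; preload' into a directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return the findings Nextcloud would report for the HSTS header."""
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header is not set"]
    max_age = parse_hsts(value).get("max-age", "")
    if not max_age.isdigit():
        return ["Strict-Transport-Security has no numeric max-age"]
    if int(max_age) < NEXTCLOUD_MIN_HSTS_SECONDS:
        return [f"max-age={max_age} is below {NEXTCLOUD_MIN_HSTS_SECONDS}"]
    return []


def check_dav_redirect(path: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Check that a /.well-known/{cal,card}dav request redirects to /remote.php/dav/."""
    if status not in (301, 302, 307, 308):
        return [f"{path} returned {status} instead of a redirect"]
    location = get_header(headers, "Location") or ""
    # Accept an absolute URL or a bare path, as long as it lands on the DAV endpoint.
    target = re.sub(r"^https?://[^/]+", "", location)
    if target.rstrip("/") != DAV_TARGET.rstrip("/"):
        return [f"{path} redirects to {location!r}, expected {DAV_TARGET}"]
    return []
```

Feed it the status and headers of real responses (for example from `curl -sI`) to see which of the two warnings a given Traefik setup still triggers.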