Enhance Your Website Security with Traefik and Security Headers
Chapter 1: Introduction to Website Security
In today's digital landscape, maintaining a strong security score on various websites is crucial. This tutorial outlines how I leveraged Traefik to enhance my website's security.
Preconditions
To implement the strategies discussed in this tutorial, you'll need a Docker environment set up in Docker Swarm Mode. If you're unsure how to establish this, refer to my previous tutorial on setting up Docker Swarm.
Additionally, Traefik must be installed as a load balancer, which is essential for appending security headers to your web requests. I have also provided a tutorial on integrating Traefik into your Docker Swarm setup.
If you prefer not to use Docker Swarm, you can install Traefik as a load balancer on a standalone machine. Instructions for this setup are available in another tutorial. Keep in mind that for non-Docker Swarm environments, adjustments to the docker-compose files will be necessary. Feel free to reach out in the comments if you have any questions, and I'll do my best to assist.
Chapter 2: Implementing Security Headers
A valuable resource for enhancing website security is the Mozilla Observatory, which has helped the developers, system administrators, and security experts behind over 240,000 websites configure their sites securely.
I checked my website using this tool and received valuable feedback. After reviewing Traefik's documentation, I identified essential headers to implement in my setup:
To incorporate these headers into my Traefik installation, I added a new middleware entry to the traefik docker-compose.yml file. Following this, I updated my Traefik service running within Docker Swarm.
This modification allowed me to utilize the middleware for every service deployed in my swarm managed by Traefik. To achieve this, I included the necessary line in the labels section of the docker-compose.yml file.
After restarting the simpleweb service, I conducted another test and received a B score due to a specific error. I researched and discovered the correct Traefik header for Content Security Policy (CSP). I crafted a strict CSP directive and incorporated it into the header value.
After restarting the service, I ran another check and proudly achieved an A+ score!
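The middleware, the CSP value and the simpleweb label described above, written out as an added example (my reconstruction, not the post's own docker-compose.yml). The middleware name secure-headers, the service and router name simpleweb, the hostname example.com, the network name, the image tags and the Traefik version are assumptions, and the CSP is a strict starting point that has to be adapted to what the site actually loads.

```yaml
# docker-compose.yml (excerpt), added example: assumed names throughout
# (middleware "secure-headers", router/service "simpleweb", host "example.com",
# network "traefik-public", image tags).
version: "3.8"

networks:
  traefik-public:
    external: true

services:
  traefik:
    image: traefik:v2.10            # assumed version; labels below use Traefik v2 syntax
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Redirect every plain-HTTP request to HTTPS (one of the hstspreload.org requirements)
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        # Swarm quirk: the Docker provider wants a port label on every enabled
        # service, even one that only carries middleware definitions; without it
        # the whole label set (middleware included) is skipped with "port is missing".
        - traefik.http.services.traefik-dummy.loadbalancer.server.port=9999
        # HSTS: one year, include subdomains, preload flag; forceSTSHeader also
        # sets the header on responses Traefik did not receive over HTTPS itself.
        - traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000
        - traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true
        - traefik.http.middlewares.secure-headers.headers.stsPreload=true
        - traefik.http.middlewares.secure-headers.headers.forceSTSHeader=true
        # Clickjacking, MIME sniffing, legacy XSS filter, referrer leakage
        - traefik.http.middlewares.secure-headers.headers.frameDeny=true
        - traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true
        - traefik.http.middlewares.secure-headers.headers.browserXssFilter=true
        - traefik.http.middlewares.secure-headers.headers.referrerPolicy=strict-origin-when-cross-origin
        # Strict CSP: same-origin resources only, no plugins, no embedding, no base-tag hijack.
        # Roll it out as Content-Security-Policy-Report-Only first (via customResponseHeaders)
        # and watch the browser console before switching to the enforcing header.
        - traefik.http.middlewares.secure-headers.headers.contentSecurityPolicy=default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
        # An empty value removes upstream fingerprinting headers from the response
        - traefik.http.middlewares.secure-headers.headers.customResponseHeaders.X-Powered-By=
        - traefik.http.middlewares.secure-headers.headers.customResponseHeaders.Server=

  simpleweb:
    image: nginx:alpine             # placeholder upstream, assumed
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.simpleweb.rule=Host(`example.com`)
        - traefik.http.routers.simpleweb.entrypoints=websecure
        - traefik.http.routers.simpleweb.tls=true     # certificate provisioning not shown
        # The one line that attaches the middleware to this service's router
        - traefik.http.routers.simpleweb.middlewares=secure-headers@docker
        - traefik.http.services.simpleweb.loadbalancer.server.port=80
```

Deploy it with docker stack deploy -c docker-compose.yml www-stack and re-run the Observatory scan; any header the scan still flags maps one-to-one onto a label above, so the fix is a single label change followed by a redeploy of the Traefik service.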
The first video titled "Boost Performance and Security with Traefik Middlewares and Chains" delves into how to enhance your website's performance and security using Traefik's middlewares effectively.
Chapter 3: Strengthening Your Website
To further fortify my server, I evaluated my site using hardenize.com and received unsatisfactory results for TLS and HSTS. Since I had already configured the HSTS header in Traefik, the remaining step for HSTS was to submit my domain to hstspreload.org.
Important Notice: Before submitting your site to hstspreload.org, consider the implications carefully. Failure to meet all requirements can lead to complications; more information can be found here.
Addressing the TLS issue required more effort. I needed to modify the Traefik configuration to ensure the minimum TLS version was set to 1.2, rather than the default 1.0. To set this minimum TLS version, I added a file provider to my Traefik installation within the command section of the traefik docker-compose.yml:
Next, I created a new configuration file (named tls.toml) containing an entry for [tls-options] to set the minimum TLS version to 1.2. I also incorporated robust cipher suites (refer to this for insights on cipher suites).
This configuration guarantees that Traefik will use at least TLS 1.2 with the specified cipher suites. I selected six cipher suites deemed safe: three for TLS 1.2 and three for TLS 1.3.
I saved the configuration in the ./configuration/ folder and updated the volume section of the traefik docker-compose.yml file. Afterward, I restarted the Traefik instance.
The final step involved activating the minimum TLS version within the simpleweb service by adding a new label:
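The three changes in this chapter (the file provider in the command section, the TLS options file, and the router label on simpleweb), as an added example rather than the post's own configuration. The post's file is tls.toml; Traefik's file provider reads YAML as well, and the YAML form is used here so that the whole example is in one format, which means the provider filename must point at tls.yml instead. The option-set name modern, the cipher list and the curve preferences are my choices, not the author's six suites.

```yaml
# Added example: two files in one listing, separated by a YAML document marker.
# Assumed names: option set "modern", router "simpleweb", folder ./configuration.
# --- docker-compose.yml (only the parts that change) ---
services:
  traefik:
    command:
      # File provider: Traefik reads dynamic TLS options from this file and
      # reloads it on change. The post uses tls.toml; the YAML form below is
      # equivalent, so the filename must end in .yml here.
      - --providers.file.filename=/configuration/tls.yml
      - --providers.file.watch=true
    volumes:
      - ./configuration:/configuration:ro
  simpleweb:
    deploy:
      labels:
        # Attach the option set to the router. Naming the set "default" in
        # tls.yml would apply it to every TLS router without this label.
        - traefik.http.routers.simpleweb.tls.options=modern@file
---
# --- ./configuration/tls.yml ---
tls:
  options:
    modern:
      minVersion: VersionTLS12      # Traefik v2 defaults to VersionTLS10
      sniStrict: true               # refuse handshakes whose SNI matches no certificate
      # TLS 1.2 suites only: forward secrecy (ECDHE) and AEAD ciphers, with both
      # ECDSA and RSA variants so the list works whichever key type the certificate has.
      # Go does not let applications choose TLS 1.3 suites, so TLS_AES_* entries
      # would be accepted by Traefik but ignored at handshake time.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384
```

After redeploying the stack, a quick local check before going back to Hardenize is openssl s_client -connect example.com:443 -tls1_1, which should fail to negotiate, while the same command with -tls1_2 should succeed and report one of the listed suites.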
Upon restarting the simpleweb service, I retested on Hardenize and Mozilla, achieving the desired results:
Additionally, the SSL Labs server test checks the certificate chain and the TLS configuration. With the updated configuration, I also received an A+ rating:
Closing Thoughts
To streamline the process, you can use this docker-compose.yml and deploy it within any Docker Swarm as the www-stack service.
I hope this tutorial proves useful and empowers you to secure your website while boosting trust through security headers and optimized SSL usage.
I welcome your feedback and insights. If you currently operate a Traefik installation with different headers/middleware or alternative cipher suites, please share your experiences in the comments. Should you have any questions, feel free to ask below. I will strive to respond as best I can.
The second video titled "Traefik with CrowdSec - the ULTIMATE SECURITY layer! - Tutorial" provides a deep dive into enhancing your website's security layer with CrowdSec and Traefik.