Merge pull request #16 from alan-turing-institute/ssl_labs

Improve TLS configuration

ansible/host_vars/guacamole.yaml

@@ -22,6 +22,7 @@ guac_version: "1.3.0"
 postgres_version: "13.3"
 init_db_file: "{{ ansible_user_dir }}/initdb.sql"
 postgres_volume: "{{ ansible_user_dir }}/postgres"
+traefik_dynamic_config: "{{ ansible_user_dir }}/dynamic_conf.yml"
 traefik_version: "v2.4"
 traefik_acme_volume: "{{ ansible_user_dir }}/acme"
 

ansible/main.yaml

@@ -100,6 +100,14 @@
 
     - name: Docker services
       block:
+        - name: Template traefik dynamic configuration
+          ansible.builtin.template:
+            src: guacamole/traefik_dynamic_conf.yml.j2
+            dest: "{{ traefik_dynamic_config }}"
+            owner: "{{ ansible_user }}"
+            group: "{{ ansible_user }}"
+            mode: 0644
+
         - name: Template docker-compose file
           ansible.builtin.template:
             src: guacamole/docker-compose.yaml.j2

ansible/templates/guacamole/docker-compose.yaml.j2

@@ -42,7 +42,7 @@ services:
 {% if lets_encrypt %}
       - "traefik.http.routers.guacamole.tls.certResolver=le"
 {% endif %}
-      - "traefik.http.routers.guacamole.middleWares=add-guacamole"
+      - "traefik.http.routers.guacamole.middleWares=add-guacamole,hsts-headers@file"
       # Middlewares
       - "traefik.http.middleWares.add-guacamole.addPrefix.prefix=/guacamole"
   reverse_proxy:
@@ -53,12 +53,15 @@ services:
       - 443:443
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - {{ traefik_dynamic_config }}:/dynamic_conf.yml
 {% if lets_encrypt %}
       - {{ traefik_acme_volume }}:/acme
 {% endif %}
     command:
       - "--providers.docker=true"
       - "--providers.docker.exposedByDefault=false"
+      - "--providers.file.filename=/dynamic_conf.yml"
+      - "--providers.file.watch=true"
       - "--entryPoints.web.address=:80"
       - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
       - "--entryPoints.web.http.redirections.entryPoint.scheme=https"