Basic secured configuration for Traefik V2.X
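# docker-compose.yml — Traefik v2.1 edge proxy plus two demo backends.
# Static configuration is bind-mounted from traefik.yml, dynamic
# configuration (TLS options, middlewares) from dynamic.yml; anything
# referenced as "<name>@file" below lives in dynamic.yml.
version: '3.5'

services:
  proxy:
    # The official v2.x Traefik docker image
    image: traefik:v2.1
    container_name: proxy
    networks:
      - traefik
    ports:
      # HTTP: required for the Let's Encrypt HTTP challenge and for the
      # https-redirect middleware; everything else is served on 443.
      - "80:80"
      # The Web UI (only exposed here with --api.insecure=true, which is
      # deliberately not enabled; the dashboard is reached through the
      # authenticated "api" router defined in the labels below instead)
      # - "8080:8080"
      - "443:443"
    volumes:
      # Docker API access: whoever controls this socket controls the host.
      # A socket proxy restricted to read-only endpoints would narrow the
      # blast radius if the proxy container were ever compromised.
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/test/traefik.yml:/etc/traefik/traefik.yml
      - /home/test/dynamic.yml:/etc/traefik/dynamic.yml
      # ACME storage (acme.json holds the account key and certificate
      # private keys, see traefik.yml). Don't miss to mount this volume,
      # otherwise issued certificates are lost on every restart.
      - /home/test/config/traefik/acme:/acme
      # Log directory: pair it with the logrotate configuration.
      - /home/test/vol/traefik/logs:/var/log/traefik
    labels:
      # Dashboard/API router: TLS only, behind basic auth (auth@file).
      - "traefik.http.routers.api.rule=Host(`domain.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.middlewares=security@file, compression@file, auth@file"

  whoami:
    image: containous/whoami
    container_name: whoami
    networks:
      - traefik
    labels:
      # Router HTTP: only job is the redirection to HTTPS
      - "traefik.http.routers.whoami-http.rule=Host(`domain.com`) && PathPrefix(`/whoami`)"
      # Prefix on middleware (the backend sees "/" instead of "/whoami")
      - "traefik.http.middlewares.whoami-pathprefix.stripprefix.prefixes=/whoami"
      - "traefik.http.routers.whoami-http.entrypoints=web"
      - "traefik.http.routers.whoami-http.middlewares=https-redirect@file"
      # Router HTTPS
      # Note: this rule is an exact Path() while the HTTP router above is a
      # PathPrefix(), so a request for /whoami/x is redirected to HTTPS and
      # then matches nothing here.
      - "traefik.http.routers.whoami.rule=Host(`domain.com`) && Path(`/whoami`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.middlewares=whoami-pathprefix, security@file, compression@file"
      # By default traefik listen port 80 (an HTTP router needs an
      # "http" service, not a "tcp" one, if the port is set explicitly)
      # - "traefik.http.services.whoami.loadbalancer.server.port=80"
      # !!! Add this label proxy network if container have more one networks
      - "traefik.docker.network=traefik"

  whoami2:
    image: jwilder/whoami
    container_name: whoami2
    networks:
      - traefik
    labels:
      - "traefik.http.routers.whoami2.rule=Host(`test-iin.francecentral.cloudapp.azure.com`) && PathPrefix(`/whoami2`)"
      - "traefik.http.middlewares.whoami2-pathprefix.stripprefix.prefixes=/whoami2"
      - "traefik.http.routers.whoami2.tls=true"
      - "traefik.http.routers.whoami2.tls.certresolver=le"
      - "traefik.http.routers.whoami2.entrypoints=websecure"
      - "traefik.http.routers.whoami2.middlewares=whoami2-pathprefix, security@file, compression@file"
      # Was a "traefik.tcp.services..." label: that defines a TCP service
      # which the HTTP router above never uses, so the port only worked by
      # auto-detection. The HTTP service is the one the sticky settings
      # below also configure.
      - "traefik.http.services.whoami2.loadbalancer.server.port=8000"
      - "traefik.http.services.whoami2.loadbalancer.sticky.cookie.name=_testiin-whoami2"
      - "traefik.http.services.whoami2.loadbalancer.sticky.cookie.secure=true"
      - "traefik.http.services.whoami2.loadbalancer.sticky.cookie.httponly=true"
      # Commented => Crash whoami2 redirection # Wait next traefik version https://github.com/containous/traefik/pull/6538
      # - "traefik.http.services.whoami2.loadbalancer.sticky.cookie.samesite=lax"

networks:
  traefik:
    name: traefik
    driver: bridge
    ipam:
      driver: default
      config:
        # Was "172.21.00.1/27": leading-zero octet and host bits set inside
        # the prefix; the network address of that /27 is 172.21.0.0.
        - subnet: 172.21.0.0/27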
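# dynamic.yml — Traefik dynamic configuration loaded by the file provider
# (watched, so edits apply without a restart). Docker labels reference the
# middlewares defined here as "<name>@file".
tls:
  options:
    # Applies to every TLS router that does not select another option set.
    default:
      minVersion: VersionTLS12
      # Reject TLS connections whose SNI has no matching certificate
      # instead of falling back to the default certificate.
      sniStrict: true
      # ECDHE + AES-GCM only. These are RSA-signature suites, so the served
      # certificates must carry RSA keys (ECDSA certificates would not
      # negotiate with this list).
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384

http:
  middlewares:
    # Protects the dashboard router (see the "api" labels in docker-compose.yml).
    auth:
      basicAuth:
        users:
          # echo $(htpasswd -nb user password)
          # Sample entry generated by the command above — replace it before
          # deploying. "htpasswd -nB" yields a bcrypt hash, which is a
          # stronger choice than the apr1 (MD5-based) scheme used here.
          - "user:$apr1$4uO54hUF$BIqptwqiEu2A1OTpAj/nk."

    compression:
      compress:
        # Server-sent-event streams must not be buffered for compression.
        excludedContentTypes:
          - text/event-stream

    https-redirect:
      redirectScheme:
        scheme: https
        # Permanent redirect, so browsers cache the upgrade to HTTPS.
        permanent: true

    security:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - PATCH
          - DELETE
        # NOTE(review): "origin-list-or-null" looks like the placeholder from
        # the Traefik documentation rather than a real origin. Browsers
        # compare this literal value with the request Origin, so put the
        # actual allowed origin(s) here — confirm against the intended clients.
        accessControlAllowOrigin: "origin-list-or-null"
        # Preflight cache lifetime in seconds.
        accessControlMaxAge: 100
        addVaryHeader: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        # customFrameOptionsValue below takes precedence over frameDeny in
        # Traefik's headers middleware, so the effective header is SAMEORIGIN.
        frameDeny: true
        stsIncludeSubdomains: true
        # Opts the domain into the browsers' HSTS preload lists — this is
        # hard to undo once submitted.
        stsPreload: true
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "same-origin"
        featurePolicy: "vibrate 'self'"
        # 10 years
        stsSeconds: 315360000
        # Quoted: the value contains single quotes, which is legal in a plain
        # scalar but fragile; quoting makes the string explicit.
        contentSecurityPolicy: "default-src 'self'"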
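# /etc/logrotate.d/traefik
# to make log-rotate change take effect launch sudo logrotate /etc/logrotate.d/traefik
# or reboot
# Nota : folder /home/test/vol/traefik/logs can't be user owner or public
#        (logrotate skips files whose parent directory is writable by
#        others unless a "su" directive names the user/group to use)
/home/test/vol/traefik/logs/*.log {
    size 10M
    rotate 2
    compress
    # Compress on the next cycle instead of immediately: Traefik keeps
    # writing to the renamed file until it has handled the USR1 signal
    # sent in postrotate, so compressing right away can lose lines.
    delaycompress
    missingok
    notifempty
    postrotate
        # Traefik reopens its log files on USR1; "proxy" is the
        # container_name from docker-compose.yml.
        docker kill --signal="USR1" proxy
    endscript
}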
# traefik.yml — Traefik static configuration (read once at startup).
# Routing and TLS settings come from the two providers declared here.
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # NOTE(review): with the default settings every container reachable
    # through this socket is exposed automatically; "exposedByDefault: false"
    # together with a "traefik.enable=true" label on the intended services
    # would make exposure opt-in — confirm before enabling, the compose file
    # does not carry those labels yet.
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true

api:
  # The dashboard is served by api@internal only through the TLS-only,
  # basic-auth protected "api" router from docker-compose.yml; the
  # insecure port is not enabled.
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

log:
  # level: DEBUG
  filePath: "/var/log/traefik/traefik.log"
  format: json

accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json
  fields:
    # Keep only the named fields; all other fields and all headers are dropped.
    defaultMode: drop
    names:
      StartUTC: keep
      Duration: keep
      OriginStatus: keep
      RequestMethod: keep
      # The remote address in its original form (usually IP:port).
      ClientAddr: keep
    headers:
      defaultMode: drop

#metrics:
#  influxDB:
#    address: "http://traefikinfluxdb:8086"
#    protocol: "http"
#    database: "traefik"

certificatesResolvers:
  le:
    acme:
      # Placeholder: the ACME account needs a real mailbox address
      # (this value has no "@").
      email: "monemail.domain.com"
      # Holds the account key and certificate private keys; Traefik expects
      # it to be mode 600, and it must be persisted (see the /acme volume in
      # docker-compose.yml).
      storage: "/acme/acme.json"
      httpChallenge:
        # Challenge is answered on port 80, which is why "web" stays open.
        entryPoint: web