Enable sniStrict to drop requests from domains without routers

2023-05-30 12:13:03 +01:00 · 2023-05-30 12:13:03 +01:00 · 7b66f284f6
parent 15c427f812
commit 7b66f284f6
1 changed files with 23 additions and 18 deletions
--- a/services/traefik/default.nix
+++ b/services/traefik/default.nix
@ -25,24 +25,29 @@
        };
      };
    };
-    dynamicConfigOptions.http = {
-      routers.api = {
-        rule = "Host(`traefik.xenia.me.uk`)";
-        entryPoints = ["http" "https"];
-        service = "api@internal";
-        middlewares = ["auth"];
-        tls = {certResolver = "default";};
-      };
-      routers.api-internal = {
-        rule = "ClientIP(`192.168.0.0/16`)";
-        entryPoints = ["traefik-internal"];
-        service = "api@internal";
-      };
-      middlewares = {
-        auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
-        hsts.headers = {
-          stsSeconds = "31536000";
-          stsIncludeSubdomains = true;
+    dynamicConfigOptions = {
+      tls.options.default.sniStrict = true;
+      http = {
+        routers = {
+          api = {
+            rule = "Host(`traefik.xenia.me.uk`)";
+            entryPoints = ["http" "https"];
+            service = "api@internal";
+            middlewares = ["auth"];
+            tls = {certResolver = "default";};
+          };
+          api-internal = {
+            rule = "ClientIP(`192.168.0.0/16`)";
+            entryPoints = ["traefik-internal"];
+            service = "api@internal";
+          };
+        };
+        middlewares = {
+          auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
+          hsts.headers = {
+            stsSeconds = "31536000";
+            stsIncludeSubdomains = true;
+          };
        };
      };
    };