Enable sniStrict to drop requests from domains without routers

Evie Litherland-Smith 2023-05-30 12:13:03 +01:00
parent 15c427f812
commit 7b66f284f6


@ -25,19 +25,23 @@
}; };
}; };
}; };
dynamicConfigOptions.http = { dynamicConfigOptions = {
routers.api = { tls.options.default.sniStrict = true;
http = {
routers = {
api = {
rule = "Host(`traefik.xenia.me.uk`)"; rule = "Host(`traefik.xenia.me.uk`)";
entryPoints = ["http" "https"]; entryPoints = ["http" "https"];
service = "api@internal"; service = "api@internal";
middlewares = ["auth"]; middlewares = ["auth"];
tls = {certResolver = "default";}; tls = {certResolver = "default";};
}; };
routers.api-internal = { api-internal = {
rule = "ClientIP(`192.168.0.0/16`)"; rule = "ClientIP(`192.168.0.0/16`)";
entryPoints = ["traefik-internal"]; entryPoints = ["traefik-internal"];
service = "api@internal"; service = "api@internal";
}; };
};
middlewares = { middlewares = {
auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."]; auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
hsts.headers = { hsts.headers = {
@ -47,6 +51,7 @@
}; };
}; };
}; };
};
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [80 443 8080]; allowedTCPPorts = [80 443 8080];
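Review bot: `tls.options.default.sniStrict = true` acts only at the TLS handshake, rejecting clients whose SNI is missing or matches no configured certificate, so it does nothing on plaintext entry points and it matches against certificates rather than routers as the commit title implies. The `api` router still lists the `http` entry point and `api-internal` has no `tls` block, so requests with an unknown Host on those listeners are unaffected; if the intent is to refuse everything unrouted, the plaintext side needs its own handling, for example an entry-point-level HTTPS redirect if one is not already defined outside this view. I would add a comment above the option such as `# Reject TLS handshakes whose SNI matches no configured certificate (TLS entry points only)`. Separately, `api-internal` serves `api@internal` gated only by `ClientIP` with no `middlewares = ["auth"];`, which is worth confirming as intended given that 8080 is open in `allowedTCPPorts`; the entry-point definitions are not visible here, so whether 8080 is `traefik-internal` is an assumption.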