Enable sniStrict to drop requests from domains without routers

2023-05-30 12:13:03 +01:00 · 2023-05-30 12:13:03 +01:00 · 7b66f284f6
parent 15c427f812
commit 7b66f284f6
1 changed files with 23 additions and 18 deletions
--- a/services/traefik/default.nix
+++ b/services/traefik/default.nix
@ -25,19 +25,23 @@
        };
      };
    };
-    dynamicConfigOptions.http = {
-      routers.api = {
+    dynamicConfigOptions = {
+      tls.options.default.sniStrict = true;
+      http = {
+        routers = {
+          api = {
            rule = "Host(`traefik.xenia.me.uk`)";
            entryPoints = ["http" "https"];
            service = "api@internal";
            middlewares = ["auth"];
            tls = {certResolver = "default";};
          };
-      routers.api-internal = {
+          api-internal = {
            rule = "ClientIP(`192.168.0.0/16`)";
            entryPoints = ["traefik-internal"];
            service = "api@internal";
          };
+        };
        middlewares = {
          auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
          hsts.headers = {
@ -47,6 +51,7 @@
        };
      };
    };
+  };
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [80 443 8080];