Enhance Your Website's Security with Traefik and Headers
When it comes to online safety, maintaining a strong security score across various platforms is crucial. This guide outlines my experience using Traefik to enhance the security of my website.
Note: I transitioned the website from https://www.f1nalboss.de to https://ftp.f1nalboss.de after drafting this tutorial.
Prerequisites
To implement the steps in this guide, you need a Docker environment configured in Swarm Mode. If you’re unsure how to set one up, check out my previous tutorial on this topic.
Additionally, Traefik must be installed as a load balancer, as it facilitates the addition of security headers to your web requests. I have also created a tutorial detailing how to integrate Traefik into your Docker Swarm setup.
If you're not utilizing Docker Swarm and prefer a standalone installation, you can still set up Traefik as a load balancer on a single machine. Instructions for this can be found in another of my tutorials, but be aware that you will need to modify the docker-compose files for environments outside of Docker Swarm. Feel free to ask questions in the comments, and I’ll respond as best as I can.
Implementing Security Headers
One invaluable resource is the Mozilla Observatory, which has helped over 240,000 websites by teaching developers, system administrators and security professionals how to configure their sites safely.
I conducted a security assessment for my site and received the following results:
After reviewing the Traefik documentation, I identified several crucial headers to implement in my environment. To incorporate these headers, I added a new middleware in my Traefik docker-compose.yml configuration.
Following this addition, I updated the Traefik service operating in my Docker Swarm.
This change made the middleware available to every service deployed in my swarm and managed by Traefik. To use it, I only had to reference it with a single line in the labels section of each service's docker-compose.yml.
After restarting the simpleweb service, I conducted another test and received a B score due to a specific error:
I researched and found the appropriate Traefik header for Content Security Policy (CSP). I also crafted a strict CSP directive and added it to the header value.
I explicitly allowed https://i.postimg.cc as an image source, because that is where the only image used on https://ftp.f1nalboss.de is hosted. Given how strict this header is, I chose not to create a global middleware for it. Instead, I upgraded the relevant service by adding this line to the simpleweb service and adjusting the middleware.
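To show how the two pieces fit together, here is an added example of a Swarm docker-compose.yml (not the page's own file): the global hardening middleware is defined by labels on the Traefik service, and simpleweb chains its own CSP middleware after it. The image versions, the overlay network name, the CSP directives and the certificate setup are assumptions; only the host name and https://i.postimg.cc come from the page.

```yaml
version: "3.8"
networks:
  traefik-public:
    external: true           # assumed: an existing overlay network shared by both services
services:
  traefik:
    image: traefik:v2.5      # assumed version; certificate resolver omitted for brevity
    command:
      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [traefik-public]
    deploy:
      labels:
        - "traefik.enable=true"
        # Swarm gives Traefik no port information, so every enabled service needs a
        # port label; this dummy service is never routed to (the Traefik docs use it too).
        - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
        # Global middleware: hardening headers that any router in the swarm can reference.
        - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
        - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
        - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
        - "traefik.http.middlewares.secure-headers.headers.forceSTSHeader=true"
        - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
        - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
        - "traefik.http.middlewares.secure-headers.headers.referrerPolicy=strict-origin-when-cross-origin"
  simpleweb:
    image: nginx:alpine      # assumed: any static web server listening on port 80
    networks: [traefik-public]
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.simpleweb.rule=Host(`ftp.f1nalboss.de`)"
        - "traefik.http.routers.simpleweb.entrypoints=websecure"
        - "traefik.http.routers.simpleweb.tls=true"
        - "traefik.http.services.simpleweb.loadbalancer.server.port=80"
        # Site-specific CSP: the site's own origin only, plus the image host the page names.
        - "traefik.http.middlewares.simpleweb-csp.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' https://i.postimg.cc; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        # Middleware chain on the router: global hardening headers first, then this site's CSP.
        - "traefik.http.routers.simpleweb.middlewares=secure-headers@docker,simpleweb-csp@docker"
```

Because the global middleware lives on the Traefik service, any other stack in the swarm can reuse it by naming `secure-headers@docker` in its own router label, while the CSP stays scoped to the one site it was written for.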
After restarting the service, I ran another check and finally achieved an A+ rating!
Hardening My Website
In my efforts to further harden my server, I ran a check on hardenize.com and received unsatisfactory results for TLS and HSTS.
Since I had already adjusted the Traefik headers for HSTS, the remaining step was to submit my domain to hstspreload to resolve the HSTS issue.
IMPORTANT: Before submitting your website to hstspreload.org, consider this decision carefully. There can be complications if you cannot meet all of its requirements; read more about it here.
Addressing the TLS issue required more work. I modified the Traefik configuration to ensure the minimum TLS version is 1.2, rather than the default 1.0. To enforce a minimum TLS version, I introduced a file provider in my Traefik docker-compose.yml under the command section.
Subsequently, I created a new configuration file (named tls.toml) that includes an entry [tls-options] to set the minimum TLS version to 1.2. I also incorporated strong cipher suites (check here for details on cipher suites).
This setup guarantees that Traefik will use at least TLS 1.2 along with the specified cipher suites. I selected six cipher suites to ensure three are for TLS 1.2 and three for TLS 1.3, all of which are deemed secure.
I saved this file in the ./configuration/ directory and updated the volume section of my Traefik docker-compose.yml.
After that, I restarted the Traefik instance.
The final step involved activating the minimum TLS version within the simpleweb service by adding a new label.
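As an added example (not the page's own files), here are the TLS changes from the last few steps in one place: the file provider flag and volume on the Traefik service, the router label on simpleweb, and the dynamic configuration written as tls.yml, the YAML form of the page's tls.toml, which Traefik's file provider reads just as well. The directory name and the cipher list are my choices, not the page's.

```yaml
# docker-compose.yml (excerpt): the Traefik-side changes plus the simpleweb router label.
services:
  traefik:
    command:
      # ... docker provider and entrypoint flags as before ...
      - "--providers.file.directory=/configuration/"   # file provider: loads every *.yml/*.toml in the directory
    volumes:
      - ./configuration/:/configuration/:ro           # mounts the directory holding the TLS options file
  simpleweb:
    deploy:
      labels:
        - "traefik.http.routers.simpleweb.tls=true"
        # Routers that name no option set get "default" automatically; naming it keeps the
        # intent visible. A set with any other name would be referenced as "<name>@file".
        - "traefik.http.routers.simpleweb.tls.options=default"
---
# configuration/tls.yml: the YAML form of the page's tls.toml (the file provider reads either).
tls:
  options:
    default:
      minVersion: VersionTLS12       # refuse TLS 1.0 and 1.1 handshakes
      # These names only govern TLS 1.2. Go fixes the TLS 1.3 suite list and Traefik
      # cannot change it, so TLS 1.3 entries here are accepted but have no effect.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

After `docker service update` on Traefik and simpleweb, an `openssl s_client -tls1_1 -connect ftp.f1nalboss.de:443` handshake should fail while `-tls1_2` and `-tls1_3` succeed, which is the quickest local check before re-running Hardenize.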
After restarting the simpleweb service, I retested on Hardenize and Mozilla, achieving the desired results:
- https://www.hardenize.com/report/f1nalboss.de/1628027450
- https://observatory.mozilla.org/analyze/ftp.f1nalboss.de
There is also an informative assessment available from SSL Labs that checks certificates and TLS configuration. With the new configuration, I received an A+ rating:
Conclusion
To streamline the process, you can utilize this docker-compose.yml and run it within any Docker Swarm as a www-stack service.
I hope this guide proves useful and empowers you to secure your website while enhancing trust through security headers and optimizing SSL configurations.
I welcome your feedback and insights. If you already have a Traefik setup with different headers/middleware or alternative cipher suites, please share your experience. Additionally, if you have any questions, feel free to leave them below, and I will respond as time allows.
Written by Paul Knulst: husband, father of two, geek, lifelong learner, tech enthusiast and software engineer.