mirror of
https://github.com/Alkatrazz24/Funk-lab.git
synced 2026-07-08 16:24:43 +02:00
feat(security): durcissement edge funklab.online (vraie IP client + rate-limit + TLS/headers) (#95)
- Traefik externalTrafficPolicy: Local → IP client réelle (fin du SNAT kube-proxy) - middleware ratelimit par IP (100/min, burst 200) sur les 6 routes publiques - middleware security-headers (HSTS, nosniff, X-Frame SAMEORIGIN, Referrer-Policy) - TLSOption globale : plancher TLS 1.2 + ciphers modernes - Guacamole REMOTE_IP_VALVE → ban anti-bruteforce par IP (fin du piège n°5) - nftables : fermeture des ports Internet legacy 9080/9081 (HTTP clair redondant) - allowCrossNamespace pour mutualiser les middlewares depuis infra - docs : section Durcissement (public-domain.md) + CAA OVH + pièges à jour Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
a13b5a70cd
commit
fe0aa89ffa
13 changed files with 178 additions and 19 deletions
|
|
@ -11,6 +11,11 @@ spec:
|
|||
routes:
|
||||
- match: Host(`auth.funklab.online`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: security-headers
|
||||
namespace: infra
|
||||
- name: ratelimit
|
||||
namespace: infra
|
||||
services:
|
||||
- name: authentik
|
||||
port: 9000
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue