nucleo000/RepoDructor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mejorando configuracion de seguridad
All checks were successful
build-and-deploy / build (push) Successful in 26s
Details
build-and-deploy / deploy (push) Successful in 3s
Details

Browse Source
This commit is contained in:
josedario87
2025-10-11 18:06:11 -06:00
parent 100ba45f57
commit d966fab4ca
3 changed files with 167 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docker-compose.yml
View File

@@ -16,26 +16,60 @@ services:
# Habilitar Traefik
- "traefik.enable=true"
# Router
# ==========================================
# Router público para recursos PWA (sin autenticación)
# ==========================================
- "traefik.http.routers.musica-nucleoriofrio-public.rule=Host(`musica.nucleoriofrio.com`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/assets`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/manifest.webmanifest`) || Path(`/manifest.json`) || Path(`/favicon.ico`) || Path(`/logo.png`) || Path(`/logo-192.png`) || Path(`/logo-512.png`) || Path(`/logo-maskable-512.png`) || Path(`/icon.svg`))"
- "traefik.http.routers.musica-nucleoriofrio-public.entrypoints=websecure"
- "traefik.http.routers.musica-nucleoriofrio-public.tls.certresolver=letsencrypt"
- "traefik.http.routers.musica-nucleoriofrio-public.priority=100"
# Solo headers de seguridad y cache para assets PWA
- "traefik.http.routers.musica-nucleoriofrio-public.middlewares=musica-pwa-headers"
- "traefik.http.routers.musica-nucleoriofrio-public.service=musica-nucleoriofrio-service"
# ==========================================
# Router protegido para el resto de la app
# ==========================================
- "traefik.http.routers.musica-nucleoriofrio.rule=Host(`musica.nucleoriofrio.com`)"
- "traefik.http.routers.musica-nucleoriofrio.entrypoints=websecure"
- "traefik.http.routers.musica-nucleoriofrio.tls.certresolver=letsencrypt"
- "traefik.http.routers.musica-nucleoriofrio.priority=50"
# Middlewares (orden: auth -> headers -> body-size)
- "traefik.http.routers.musica-nucleoriofrio.middlewares=authentik-forward-auth@file,musica-headers,musica-body-size"
- "traefik.http.routers.musica-nucleoriofrio.service=musica-nucleoriofrio-service"
# Middleware: Headers personalizados
# ==========================================
# Middleware: Headers para assets PWA (sin cache agresivo)
# ==========================================
- "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
- "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
- "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
# Cache controlado por el Service Worker, no por Traefik
- "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.Cache-Control=public, max-age=0, must-revalidate"
# Permitir CORS para PWA
- "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolallowmethods=GET,OPTIONS"
- "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolalloworiginlist=https://musica.nucleoriofrio.com"
- "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolmaxage=100"
# ==========================================
# Middleware: Headers personalizados para app protegida
# ==========================================
- "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
- "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN"
- "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
- "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
- "traefik.http.middlewares.musica-headers.headers.customresponseheaders.Cache-Control=public, max-age=3600"
# Removed global cache header - let app control caching
# ==========================================
# Middleware: Tamaño máximo de body (100MB para subir archivos)
# ==========================================
- "traefik.http.middlewares.musica-body-size.buffering.maxrequestbodybytes=104857600"
# ==========================================
# Service
# ==========================================
- "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.server.port=3000"
- "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.passhostheader=true"