STABLE: Reconstrucción integral de infraestructura, limpieza de middlewares obsoletos y blindaje de Traefik

traefik/docker-compose.yml

@@ -1,9 +1,18 @@
 # ==============================================================================
-# TRAEFIK V3 - INFRAESTRUCTURA COMPLETA (OGNIRNAS)
+# OGNIRNAS - INFRAESTRUCTURA CORE: TRAEFIK V3 & DOCKER-SOCKET-PROXY
 # ==============================================================================
+# Última revisión: 2026-01-06
+# Propietario: Ognir (UID 1032 / GID 100)
+# Objetivo: Reverse Proxy con autenticación reforzada y aislamiento del socket.
+# ==============================================================================
+
 version: "3.9"
 
 services:
+  # ----------------------------------------------------------------------------
+  # SERVICE: traefik-socket-proxy
+  # Capa de seguridad que evita el acceso directo de Traefik al socket de Docker.
+  # ----------------------------------------------------------------------------
   traefik-socket-proxy:
     image: tecnativa/docker-socket-proxy:latest
     container_name: traefik-socket-proxy
@@ -18,45 +27,54 @@ services:
       - SERVICES=1
       - VERSION=1
       - EVENTS=1
-      - CONNECT_TIMEOUT=30
-      - SERVER_TIMEOUT=30
-      - CLIENT_TIMEOUT=30
 
+  # ----------------------------------------------------------------------------
+  # SERVICE: traefik (v3.0)
+  # Orquestador principal. Gestiona TLS y Dashboard seguro.
+  # ----------------------------------------------------------------------------
   traefik:
     image: traefik:v3.0
     container_name: traefik
     restart: always
-    user: "1032:100"
+    user: "1032:100" # Ejecución bajo el usuario Ognir para permisos de archivos
     depends_on:
       traefik-socket-proxy:
         condition: service_started
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
-      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
-      - "traefik.http.routers.traefik-dash.tls=true"
-      - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.traefik-dash.service=api@internal"
-      # Mantenemos el middleware pero asegúrate de limpiar caché del navegador
-      - "traefik.http.routers.traefik-dash.middlewares=seguridad-general@file"
-      - "traefik.docker.network=services-internal-net"
+    
     networks:
       proxy-macvlan-net:
-        ipv4_address: 192.168.178.25
-      services-internal-net:
-    healthcheck:
-      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/ping"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 20s
+        ipv4_address: 192.168.178.25 # IP estática en red local
+      services-internal-net: {}
+
     volumes:
       - /volume1/docker/configs/traefik:/etc/traefik:ro
       - /volume1/docker/data/traefik:/letsencrypt
       - /volume1/docker/data/traefik/logs:/var/log/traefik
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=services-internal-net"
+      
+      # --- CONFIGURACIÓN DEL ROUTER (DASHBOARD) ---
+      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
+      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dash.tls=true"
+      - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
+      
+      # --- SERVICIO INTERNO (API V3) ---
+      - "traefik.http.routers.traefik-dash.service=api@internal"
+      
+      # --- MIDDLEWARES (ORDEN PRIORITARIO: LOGIN > SEGURIDAD) ---
+      # Colocamos auth-dashboard primero para asegurar que el prompt salte antes 
+      # de aplicar las cabeceras de seguridad que podrían bloquearlo en caché.
+      - "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,security-headers@file"
+
     command:
       - "--configFile=/etc/traefik/traefik.yml"
 
+# ------------------------------------------------------------------------------
+# REDES EXTERNAS PRE-EXISTENTES
+# ------------------------------------------------------------------------------
 networks:
   proxy-macvlan-net:
     external: true

traefik/dynamic/access-control.yml

@@ -1,12 +0,0 @@
-# ==============================================================================
-# CONTROL DE ACCESO PERIMETRAL (WHITELIST)
-# ==============================================================================
-http:
-  middlewares:
-    whitelist-interna:
-      ipAllowList:
-        sourceRange:
-          - "127.0.0.1/32"
-          - "192.168.178.0/24"
-          - "100.64.0.0/10"
-          - "172.20.0.0/16"

traefik/dynamic/middlewares.yml

@@ -1,17 +0,0 @@
-# ==============================================================================
-# MIDDLEWARES DE SEGURIDAD (CONFIGURACIÓN DINÁMICA)
-# ==============================================================================
-
-http:
-  middlewares:
-    seguridad-general:
-      headers:
-        # Cabeceras de seguridad recomendadas (HSTS, XSS, etc.)
-        forceSTSHeader: true
-        stsSeconds: 31536000
-        stsIncludeSubdomains: true
-        stsPreload: true
-        contentTypeNosniff: true
-        browserXssFilter: true
-        frameDeny: true # Evita que tu sitio sea cargado en un iframe (protección clickjacking)
-        referrerPolicy: "same-origin"

traefik/dynamic/whitelist.yml

@@ -0,0 +1,12 @@
+# ################################################################# #
+# MIDDLEWARE DE WHITELIST - ACCESO RESTRINGIDO OGNIRNAS             #
+# ################################################################# #
+http:
+  middlewares:
+    muro-seguro:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"        # Localhost (interno)
+          - "192.168.178.0/24"    # Tu red local de casa
+          - "100.64.0.0/10"       # Todo el rango de Tailscale
+          - "172.16.0.0/12"       # Redes internas de Docker