Common TLS config for all services

I define custom TLS options in my dynamic config file:

tls:
  options:
    intermediate:    # https://ssl-config.mozilla.org/#server=traefik&config=intermediate&hsts=false
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Then I want to associate it with all https traffic. So for every service I do this:

labels:
  - traefik.http.routers.service1.tls=true
  - traefik.http.routers.service1.tls.options=intermediate@file

But I've seen examples which define options in the static config in docker-compose.yml.

So can someone please confirm that if I do this instead:

command:
  - --entrypoints.websecure.http.tls=true
  - --entrypoints.websecure.http.tls.options=intermediate@file

...then that will apply to all services that use websecure entrypoint, and I don't need to repeat that for every service?

For every service that uses that entrypoint, correct.

An even simpler way is to rename intermediate to default in the dynamic config then you don't even need that option.

1 Like
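The "set it once on the entrypoint, name the options `default`" approach from the reply above, written out as an added example (this is not config from the thread or from the Traefik project; the image tag, file paths, service name and hostname are assumptions):

```yaml
# ---- docker-compose.yml (static configuration via CLI flags) ----
# Assumed layout: Traefik reads its dynamic config from ./dynamic.yml,
# mounted read-only into the container.
services:
  traefik:
    image: traefik:v2.10                       # assumption: any 2.x works
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # TLS is switched on for every router attached to websecure.
      # No --entrypoints.websecure.http.tls.options flag is needed: the
      # "default" options in dynamic.yml apply whenever none are named.
      - --entrypoints.websecure.http.tls=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

  service1:                                    # assumed example backend
    image: nginx:alpine
    labels:
      - traefik.enable=true
      - traefik.http.routers.service1.rule=Host(`service1.example.com`)
      - traefik.http.routers.service1.entrypoints=websecure
      # Note what is NOT here: no tls=true and no tls.options label.
      # Both are inherited from the websecure entrypoint.

---
# ---- dynamic.yml (loaded by the file provider) ----
tls:
  options:
    default:                 # the special name: used by every router that
      minVersion: VersionTLS12   # does not name its own tls.options
      sniStrict: true        # reject ClientHellos whose SNI matches no configured cert
      cipherSuites:          # Mozilla "intermediate" list for TLS 1.2
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
```

Two caveats worth knowing before relying on this. First, `cipherSuites` only constrains TLS 1.2: Traefik is written in Go, and Go's `crypto/tls` does not let an application choose TLS 1.3 cipher suites, so TLS 1.3 connections always negotiate from Go's fixed set regardless of this list. Second, `sniStrict` is Traefik's documented switch for refusing connections whose SNI matches none of the configured certificates; whether a given scanner still reports the built-in default certificate after enabling it is something to verify against your own deployment, for example with `openssl s_client -connect host:443 -noservername` versus `-servername service1.example.com`.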

Thank you.

Is default documented anywhere? I wonder what default settings I would be overriding with mine.

You're welcome.

Indeed it is documented: Traefik TLS Documentation - Traefik

First blue box under 'TLS Options'

1 Like

Yes, I saw that bit, but it doesn't actually define the default settings. Ah, OK, the defaults are defined further down the page, within each section.

However the ones I'm using come from Mozilla's "intermediate" suite, which are rock solid (we've used them for years in nginx). So it's not a big issue.

I've used them in the past and it certainly did set the defaults; specifically, I've used it to restrict to both TLS 1.2 and TLS 1.3 using PFS ciphers.

1 Like

Oh yeah! Mozilla's "intermediate" config (above) just gave me an "A" on SSL Labs.

(Might be interesting to also test and compare with traefik's default tls settings.)

Only problem is it also detects TRAEFIK DEFAULT CERT. Unsure how to disable that.

I'll work on that separately.

Spoiler, it's not good. IIRC it gets a T or F.

That is an artifact of how they test. You can use strict sni checking to deny it.

I tried the traefik default, and I got an A. How about that.

I enabled strict sni but the default cert is still served.

I added a feature request to the repo for an option to disable this behaviour. Anyone stumbling on this please upvote that issue if it matters to you.
