Common TLS config for all services

I define custom TLS options in my dynamic config file:

    intermediate:    #
      minVersion: VersionTLS12

Then I want to associate it with all https traffic. So for every service I do this:

  - traefik.http.routers.service1.tls=true
  - traefik.http.routers.service1.tls.options=intermediate@file

But I've seen examples which define options in the static config in docker-compose.yml.

So can someone please confirm that if I do this instead:

  - --entrypoints.websecure.http.tls=true
  - --entrypoints.websecure.http.tls.options=intermediate@file

...then that will apply to all services that use websecure entrypoint, and I don't need to repeat that for every service?

For every service that entrypoint, correct.

An even simpler way is to rename intermediate to default in the dynamic config then you don't even need that option.

1 Like

Thank you.

Is default documented anywhere? I wonder what default settings I would be overriding with mine.

You're welcome.

Indeed it is documented: Traefik TLS Documentation - Traefik

First blue box under 'TLS Options'

1 Like

Yes I saw that bit - but it doesn't actually define the default settings. Ah ok, the defaults are defined further down the page, within each section.

However the ones I'm using come from Mozilla's "intermediate" suite, which are rock solid (we've used them for years in nginx). So it's not a big issue.

I've used them in the past and it certainly did set the defaults, specifically I've used it to both restrict to TSL1.2 and TLS1.3 using PFS ciphers.

1 Like

Oh yeah! Mozilla's "intermediate" config (above) just gave me an "A" on SSL Labs.

(Might be interesting to also test and compare with traefik's default tls settings.)

Only problem is it also detects TRAEFIK DEFAULT CERT . Unsure how to disable that.

I'll work on that separately.

Spoiler, its not good. IIRC it gets a T or F

That is an artifact of how they test. You can use strict sni checking to deny it.

I tried the traefik default, and I got an A. How about that.

I enabled strict sni but the default cert is still served.

I added a feature request to the repo for an option to disable this behaviour. Anyone stumbling on this please upvote that issue if it matters to you.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.