Disable TLS 1.0 and 1.1 for docker

I have been doing some research on how to disable TLS v1.0 and v1.1 on Traefik. I found the configuration in the dynamic file, but how would I translate this to a docker compose file? Or even better, what command would I run to disable it globally?

I searched the docker reference file, and could not find the option:

From the documentation it looks only to be in the file, kubernetes-crd and KV providers.

The dynamic file, which doesn't really help me much I don't believe as the docker labels act as the dynamic labels.

Not for TLS options.

If you are not setting default TLS options then you can use the - "traefik.tcp.routers.tcprouter1.tls.options=foobar" to specify which options to use. But no, they cannot actually be defined in docker labels.

So where do I define them? I see you can define them in a dynamic config file. I have the following defined, but I get an error stating: unknown TLS options: modern-2020@docker

-- Traefik docker-compose.yml

services:
  traefik:
    container_name: traefik
    image: 'traefik:v2.2.11'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '$PWD/acme.json:/acme.json'
      - '$PWD/traefik_tls.yml:/configs/traefik_tls.yml'
      - 'trafficlog:/var/log'

    ports:
      - '80:80'
      - '443:443'

    networks:
      - FrontEnd

    command:
      - "--api.dashboard=true"

      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/access.log"
      - "--accesslog.bufferingsize=10"

      - "--providers.docker=true"
      - "--providers.docker.network=FrontEnd"
      - "--providers.docker.exposedbydefault=false"

      - "--providers.file.directory=/configs/"

      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=none@none.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=acme.json"

      - "--serverstransport.insecureskipverify=true"

-- traefik_tls.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern-2020:
      minVersion: VersionTLS13

-- containers docker-compose.yml

    labels:
      - "traefik.enable=true"

      - "traefik.http.routers.x-web.rule=Host(`beta.x.net`)"
      - "traefik.http.routers.x-web.entrypoints=web"
      - "traefik.http.routers.x-web.middlewares=https-redirect"

      - "traefik.http.routers.x-tls.rule=Host(`beta.x.net`)"
      - "traefik.http.routers.x-tls.entrypoints=websecure"
      - "traefik.http.routers.x-tls.tls.certresolver=letsencrypt"
      - "traefik.http.routers.x-tls.tls.options=modern-2020"
      - "traefik.http.routers.x-tls.middlewares=outside-whitelist"

Try modern-2020@file

It's been a little while since I tried this.

That worked! Thanks.
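The namespace resolution behind that fix, as an added example that is not part of the original thread or of Traefik's own code: a small pre-deploy check that resolves each router's `tls.options` label the way the error message above implies (a bare name gets the label's provider appended) and reports the resulting `minVersion`. The `audit` function and its report format are hypothetical, the sample data is constructed from the configs posted above, and treating `default` as an un-namespaced name is an assumption about Traefik v2 behaviour.

```python
import re

# Constructed sample input, taken from the configs posted in this thread.
FILE_TLS_OPTIONS = {  # tls.options from traefik_tls.yml (file provider)
    "default": {"minVersion": "VersionTLS12"},
    "modern-2020": {"minVersion": "VersionTLS13"},
}
LABELS = [  # container labels (docker provider)
    "traefik.http.routers.x-web.entrypoints=web",
    "traefik.http.routers.x-tls.entrypoints=websecure",
    "traefik.http.routers.x-tls.tls.certresolver=letsencrypt",
    "traefik.http.routers.x-tls.tls.options=modern-2020",
]
WEAK = {"VersionTLS10", "VersionTLS11"}
# Matches tls=true, tls.options=..., tls.certresolver=... on http/tcp routers.
TLS_LABEL = re.compile(r"^traefik\.(?:http|tcp)\.routers\.([^.]+)\.tls(?:\.(.+?))?=(.*)$")


def audit(labels, file_options, provider="docker"):
    """Return {router: (resolved_options_name, minVersion or None, problem or None)}."""
    routers = {}
    for label in labels:
        m = TLS_LABEL.match(label)
        if not m:
            continue  # not a TLS label, e.g. the plain-HTTP x-web router
        name, key, value = m.groups()
        routers.setdefault(name, "")  # any tls.* label makes it a TLS router
        if key == "options":
            routers[name] = value
    known = {f"{n}@file": o for n, o in file_options.items()}
    report = {}
    for name, ref in routers.items():
        if ref in ("", "default"):  # assumption: "default" is never namespaced
            resolved, opts = "default", file_options.get("default", {})
        else:
            resolved = ref if "@" in ref else f"{ref}@{provider}"
            opts = known.get(resolved)
        if opts is None:
            report[name] = (resolved, None, f"unknown TLS options: {resolved}")
            continue
        min_version = opts.get("minVersion")
        if min_version is None:
            problem = "minVersion not set"
        else:
            problem = f"accepts {min_version}" if min_version in WEAK else None
        report[name] = (resolved, min_version, problem)
    return report


if __name__ == "__main__":
    for router, result in audit(LABELS, FILE_TLS_OPTIONS).items():
        print(router, result)
```

Run against the labels as originally posted it reproduces the `modern-2020@docker` error; with the label changed to `modern-2020@file` the router resolves to `VersionTLS13`.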

Just wanted to link these two topics together as they are related. Posted this question but then found the other:
