Hi y'all!
I have a docker service behind traefik; due to its nature we're being pretty stingy with TLS, and so the minVersion is set to VersionTLS12, which obviously breaks every version of IE.
Since this service is sometimes used by people who still have IE on their computers - how may I redirect them to an appropriate error page (or whatever)? Because, if I just leave this as-is - the browser's default error message is pretty misleading:
It makes it look like the service is down, while in reality it is not.
Now: this is my config file:
[global]
checkNewVersion = false
[api]
dashboard = true
[log]
level = "DEBUG"
[accessLog]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/dynamic-config/"
[certificatesResolvers]
[certificatesResolvers.letsencrypt]
[certificatesResolvers.letsencrypt.acme]
email = "redacted@redact.ed"
storage = "/etc/acme.json"
[certificatesResolvers.letsencrypt.acme.httpChallenge]
entryPoint = "http"
This is a file I load as a dynamic provider:
[tls.options]
[tls.options.default]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]
[http.routers]
[http.routers.Router-1]
rule = "HostRegexp(`ch1test.spectra.io`, `{subdomain:.+}.ch1test.spectra.io`) && HeadersRegexp(`User-Agent`, `.*MSIE.*`)"
priority = 9000000
entryPoints = ["https"]
service = "my-service"
[http.services]
[http.services.my-service.loadBalancer]
[[http.services.my-service.loadBalancer.servers]]
url = "http://my.public.bucket.s3-eu-west-1.amazonaws.com/"
NOTES:
- These settings work if I only specify the "http" entrypoint. But it makes no sense for my use case, as I only need to redirect the HTTPS requests from browsers which cannot set up a connection.
- With the "https" entrypoint it doesn't redirect, because it probably tries to initialize SSL before trying to redirect the request. Which is why I'm posting here.
- I know that S3 url won't work like that, I'll figure out a better service destination. It's a temp value.
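
The ordering suspected in the second note, as an added example that is not part of the original post and is not Traefik's code: a Go `crypto/tls` server with `MinVersion: tls.VersionTLS12` (the constant that the post's `minVersion` value names) rejects a TLS 1.1 client during the handshake, so the HTTP layer where a `User-Agent` rule would be evaluated never receives a request. The `probe` helper, the User-Agent string and the local test server are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe starts a local HTTPS server with the same floor as the post's
// minVersion = "VersionTLS12", then sends one request from a client capped
// at clientMax. It returns whether the request succeeded and how many
// requests reached the HTTP layer (where header-based routing happens).
func probe(clientMax uint16) (bool, int64, error) {
	var hits int64
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			atomic.AddInt64(&hits, 1) // only reached after a completed handshake
			fmt.Fprint(w, r.UserAgent())
		}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // trusts the test server's certificate
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.MinVersion = tls.VersionTLS10
	tr.TLSClientConfig.MaxVersion = clientMax

	req, _ := http.NewRequest("GET", srv.URL, nil)
	// Constructed IE-style User-Agent; it is sent only inside the TLS tunnel.
	req.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)")
	resp, err := client.Do(req)
	if err != nil {
		return false, atomic.LoadInt64(&hits), err
	}
	resp.Body.Close()
	return true, atomic.LoadInt64(&hits), nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
		ok, seen, err := probe(v)
		fmt.Printf("client max %#04x: ok=%v seen by HTTP layer=%d err=%v\n", v, ok, seen, err)
	}
}
```

With the client capped at TLS 1.1 the request fails with a protocol-version alert and the handler count stays at zero; with TLS 1.2 allowed, the same User-Agent reaches the handler.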