Given this configuration:
docker-compose.yml
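# Traefik v2 reverse proxy plus four whoami backends used only to test how
# routers reference the named tls.options (see the question below).
# Indentation restored: as pasted, every key sat at column 0, which is not the
# structure Compose was actually given.
version: '3.8'
services:
  traefik:
    image: traefik:v2.3.1
    container_name: "traefik"
    restart: unless-stopped
    networks:
      - http_network
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./traefik.toml:/traefik.toml:ro"
      - "./file.toml:/file.toml:ro"
      # NOTE: ':ro' only makes the socket node read-only inside the container;
      # the Docker API behind it still accepts every request, so this
      # container has root-equivalent control of the host. Keep it off
      # untrusted networks, or put a socket proxy in front that exposes only
      # the read-only endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.home`)"
      # No middlewares label on this router: anyone who can reach
      # traefik.home gets the dashboard/API without authentication. Attach a
      # basicAuth or forwardAuth middleware before exposing it beyond a lab.
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.options=default"
  # test1..test4 differ only in the tls.options label under test; none of
  # them publishes a host port, so they are reachable only through Traefik.
  test1:
    image: traefik/whoami:v1.6.0
    container_name: test1
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test1.entrypoints=websecure"
      - "traefik.http.routers.test1.rule=Host(`test1.home`)"
      - "traefik.http.routers.test1.tls=true"
      # testing this line
      - "traefik.http.routers.test1.tls.options=default"
    networks:
      - http_network
  test2:
    image: traefik/whoami:v1.6.0
    container_name: test2
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test2.entrypoints=websecure"
      - "traefik.http.routers.test2.rule=Host(`test2.home`)"
      - "traefik.http.routers.test2.tls=true"
      # testing this line
      - "traefik.http.routers.test2.tls.options=default@file"
    networks:
      - http_network
  test3:
    image: traefik/whoami:v1.6.0
    container_name: test3
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test3.entrypoints=websecure"
      - "traefik.http.routers.test3.rule=Host(`test3.home`)"
      - "traefik.http.routers.test3.tls=true"
      # testing this line
      - "traefik.http.routers.test3.tls.options=alternative"
    networks:
      - http_network
  test4:
    image: traefik/whoami:v1.6.0
    container_name: test4
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test4.entrypoints=websecure"
      - "traefik.http.routers.test4.rule=Host(`test4.home`)"
      - "traefik.http.routers.test4.tls=true"
      # testing this line
      - "traefik.http.routers.test4.tls.options=alternative@file"
    networks:
      - http_network

# Pre-existing network (docker network create http_network); Compose will not
# create or remove it.
networks:
  http_network:
    external: true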
file.toml
# Those are "better" TLS defaults
# Two named TLS option sets for the file provider. Both are identical here;
# they exist only to test how routers reference them ("default" vs
# "default@file", "alternative" vs "alternative@file" — see the question below).
# NOTE(review): the three *_CBC_* suites are weaker than the AEAD
# (GCM / CHACHA20) ones listed first; keep them only if a legacy client needs
# them. Traefik hands this list to Go's crypto/tls, where cipherSuites applies
# to TLS 1.2 only — TLS 1.3 suites are fixed and cannot be set here.
# NOTE(review): every suite is ECDHE_RSA, so an ECDSA certificate would have
# no usable TLS 1.2 suite — confirm the certificate key type.
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]
# Same settings as "default"; only the name differs, so any behavioural
# difference seen in the logs comes from how the name is resolved.
[tls.options.alternative]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]
traefik.toml
## static configuration
## Traefik v2 static configuration: two entrypoints (80 redirects to 443),
## the Docker provider (opt-in per container) and the file provider that
## loads the tls.options from /file.toml.
[entryPoints.websecure]
address = ":443"
[entryPoints.web]
address = ":80"
# Plain-HTTP requests are redirected to the TLS entrypoint.
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
[providers.docker]
# Containers are routed only when they carry traefik.enable=true.
exposedByDefault=false
[providers.file]
filename = "/file.toml"
[log]
# Debug log is currently ACTIVE (this line is not commented out). At DEBUG
# Traefik prints the full provider configuration, which is where the
# "Starting provider ..." line quoted below comes from; set it back to a
# quieter level once the tls.options question is resolved.
level = "DEBUG"
# Uncomment for access log
#[accessLog]
# Comment out if dashboard is not needed
[api]
# Uncomment for insecure dashboard
# With insecure left off, the dashboard is reachable only through the
# api@internal router defined in docker-compose.yml; that router carries no
# auth middleware, so the dashboard is unauthenticated for anyone who can
# reach traefik.home.
#insecure = true
We have this log: https://gist.github.com/AndrewSav/e7e8f6c456d0fc991b9beaadc3735629
We create two TLS options in file.toml:
- default
- alternative
We are trying to reference these options from routers like this:
- "traefik.http.routers.test1.tls.options=default"
- "traefik.http.routers.test2.tls.options=default@file"
- "traefik.http.routers.test3.tls.options=alternative"
- "traefik.http.routers.test4.tls.options=alternative@file"
In the logs we get:
"unknown TLS options: alternative@docker" routerName=test3@docker entryPointName=websecure
"unknown TLS options: default@file" entryPointName=websecure routerName=test2@docker
It seems that the @file marker is required with alternative but must NOT be specified with default.
It appears that the default option is treated differently from the rest, but this is not mentioned anywhere in the documentation.
Can someone please clarify the intention here: how is this supposed to work, and why?
An unrelated question: we also get this line in the logs:
"Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
Is this {{ normalize .Name }} supposed to end up in the log? It looks like a Go template to me that was not processed as intended. Can someone clarify, please?
I'm happy to raise issues on GitHub if appropriate; I just wanted to triage here first.