Is it possible to add multiple TLS options to a particular route?

kevdog · October 20, 2021, 5:42pm

Hi I've defined the following within my dynamic config file:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      clientAuth:
        clientAuthType: RequireAnyClientCert

What I would like to do is combine the modern and syncthing-discosrv options within a docker provider definition like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.tls.options=modern@file,syncthing-discosrv@file"

I'm getting an error when trying to combine the options as such. Is this not an option or do I need just to duplicate the modern options within my defined sycthing-discosrv label so it more like this:

    syncthing-discosrv:
      minVersion: VersionTLS13
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAnyClientCert

cakiwi · October 21, 2021, 12:24pm

Yup. You can only select one TLS options.

kevdog · October 21, 2021, 2:12pm

@cakiwi

Thanks for reply -- I guess that clarifies some things. It would be nice to be able to combine some options to decrease verbosity however I'm not exactly sure how traefik is written and developed. I would be nice to pass an array or array of objects rather than just an object.

Thanks for clarification.

cakiwi · October 21, 2021, 2:30pm

It's defined in yaml, so you can use yaml tricks to define and resue blocks.

kevdog · October 21, 2021, 3:01pm

Dang -- I didn't even know about the anchor/merge feature of yaml. Do you know of a good yaml configuration check or a program that will take the yaml file and expand upon all the anchors and merges to check the configuration?

cakiwi · October 21, 2021, 3:24pm

I often use yq.

tls.yaml

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate: &int
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern: &modern
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      <<: *modern
      clientAuth:
        clientAuthType: RequireAnyClientCert

yq -y . tls.yaml 
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      minVersion: VersionTLS13
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAnyClientCert

kevdog · October 21, 2021, 3:55pm

I'm wondering if I'm using the same yq executable as yours since:

yq -y . dynamic_conf.yaml
Error: unknown command "dynamic_conf.yaml" for "yq"
Run 'yq --help' for usage.

In fact I don't even see -y as a flag for yq.

$ yq -V
yq (https://github.com/mikefarah/yq/) version 4.13.5

I clearly don't know how to use yq to expand merge statements but I did run across bosh Installing the CLI - Cloud Foundry BOSH (bosh interpolate) that will actually expand the merge statements for verification.

cakiwi · October 21, 2021, 7:37pm

I guess not: GitHub - kislyuk/yq: Command-line YAML, XML, TOML processor - jq wrapper for YAML/XML/TOML documents

Topic		Replies	Views
Unknown TLS options when trying to start container. Really confused why Traefik v3 (latest) docker	1	299	June 18, 2024
Traefik docker config for tls options Traefik v2 docker , file	17	9915	February 16, 2021
Unable to force VersionTLS12 Traefik v2 docker	3	1153	January 29, 2020
Common TLS config for all services Traefik v2 docker	12	766	June 13, 2023
Reliably set TLS options with the docker provider Traefik v2 docker	1	1440	April 3, 2022

Is it possible to add multiple TLS options to a particular route?

Related topics