Is Traefik able to do the same TLS 1.2 bypassing as nginx?

Hey there. I own a very old e-ink ebook reader (Tolino Shine 1). It's running an Android 2.3.4 Gingerbread OS. This OS is no longer able to handle TLS 1.3.

I need a site called onleihe.de to be accessible on this device to keep using it. Otherwise I need to throw it away.

With some hacking, I was able to add a custom DNS on this device. So I set up a dnsmasq with a redirect for "onleihe.de" to my custom nginx with the following:

server {
  server_name onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}

server {
  server_name www5.onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://www5.onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}


server {
  server_name acs4.onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://acs4.onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}

server {
  server_name acs6.onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://acs6.onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}

server {
  server_name static.onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://static.onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}

server {
  server_name dp1.onleihe.de;
  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;

  resolver 10.0.0.1;

  location / {
    proxy_pass $scheme://dp1.onleihe.de;
    proxy_redirect https://acs4.onleihe.de/fulfillment/URLLink.acsm http://acs4.onleihe.de/fulfillment/URLLink.acsm;
  }

}

This nginx config is almost working. But sometimes it is not able to resolve a domain and I need to restart my nginx to make it work again. Another problem is that I already run something on 443 and 80 on my Docker server (Debian) at home. So I thought Traefik would be a good idea, but I had no clue how to add TCP options for specific router configs.
Here is my Traefik config:

http:
  routers:
    http-www5.onleihe.de:
      entryPoints:
        - "web"
      rule: "Host(`www5.onleihe.de`)"
      service: "http-www5.onleihe.de"
    https-www5.onleihe.de:
      entryPoints:
        - "websecure"
      rule: "Host(`www5.onleihe.de`)"
      service: "https-www5.onleihe.de"
      tls:
        options: tolino
  services:
    http-www5.onleihe.de:
      loadBalancer:
        servers:
          - url: "http://www5.onleihe.de"
    https-www5.onleihe.de:
      loadBalancer:
        servers:
          - url: "https://www5.onleihe.de"

tls:
  options:
    tolino:
      alpnProtocols:
        - http/1.1
      minVersion: VersionTLS12
      maxVersion: VersionTLS12
      cipherSuites:
        - TLS_RSA_WITH_AES_128_CBC_SHA

Here is the error log I got:

http: TLS handshake error from 192.168.65.1:36370: tls: no cipher suite supported by both client and server

I hope I can get some answers here for that special problem.

Thank you all. I see that this community is very active!

Greetings from
Its_TaRaefik
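As an added illustration (not part of the original post), here is a small offline checker that models why a legacy client and a Traefik `tls.options` block like the `tolino` one above may fail to agree on a handshake: the protocol version ranges must overlap, a cipher suite must be on both lists, and a `TLS_RSA_*` suite can only be served with an RSA certificate. The key-type table and the client offers are constructed assumptions for the demonstration; it also parses the Traefik log line format shown above.

```python
"""Offline model of TLS 1.2 negotiation between a legacy client and a Traefik
tls.options block. Simplified: it only checks version overlap, cipher suite
overlap and certificate key type, which are the usual reasons for the
"no cipher suite supported by both client and server" log line."""
import re

# Constructed table: each TLS 1.2 suite name (as Traefik/Go spell it) and the
# certificate key type the server needs to offer it.
CIPHER_KEY_TYPE = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "RSA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "RSA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDSA",
}
VERSIONS = {"VersionTLS10": 0x0301, "VersionTLS11": 0x0302,
            "VersionTLS12": 0x0303, "VersionTLS13": 0x0304}


def negotiate(server_opts, server_key_type, client_versions, client_ciphers):
    """Return ('ok', version, cipher) or ('error', reason).

    server_opts is a Traefik tls.options entry (minVersion, maxVersion,
    cipherSuites); client_versions/client_ciphers are what the ClientHello offers.
    """
    lo = VERSIONS[server_opts.get("minVersion", "VersionTLS12")]
    hi = VERSIONS[server_opts.get("maxVersion", "VersionTLS13")]
    common = [v for v in client_versions if lo <= VERSIONS[v] <= hi]
    if not common:
        return ("error", "protocol version not supported")
    version = max(common, key=VERSIONS.get)
    if version == "VersionTLS13":
        # TLS 1.3 suites are fixed by the library and not configurable here.
        return ("ok", version, "TLS 1.3 suite (not configurable)")
    # Walk the server's preference order; a suite is usable only if the client
    # offered it and the certificate key type matches what the suite needs.
    for suite in server_opts.get("cipherSuites", list(CIPHER_KEY_TYPE)):
        if suite in client_ciphers and CIPHER_KEY_TYPE.get(suite) == server_key_type:
            return ("ok", version, suite)
    return ("error", "no cipher suite supported by both client and server")


LOG_RE = re.compile(r"TLS handshake error from (?P<ip>[\d.]+):(?P<port>\d+): tls: (?P<reason>.+)$")


def parse_handshake_error(line):
    """Extract client address and failure reason from a Traefik handshake log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None
```

Running the `tolino` options through `negotiate` with an ECDSA certificate reproduces the logged reason, while an RSA certificate succeeds; a client that only offers TLS 1.0 fails earlier on the version check.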

I am not sure this can work. You want a TLS 1.2 connection between the device and Traefik and TLS 1.3 between Traefik and the target service?

I would assume you can only fix the TLS version when you have the private key for an independent connection, which you don’t. And I don’t think you can create a LetsEncrypt TLS cert for the domain someone else owns.

THX for the reply. But it worked 100% with the above nginx config. So I thought Traefik is able to do the same.

Is there anybody who can help me a bit? I thought the community should have the best answer to this :frowning:

Would be really cool.

Try enabling the maximum TLS version (doc), save that to a dynamic config file, and load it in the static config with providers.file.