Poor rating on ssl labs

Hi, I am starting to use Traefik 2.0.
I got it working, but the rating on SSL Labs is only B:
=> This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
=> This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020.

Should I add some more configuration params?

My configuration
Traefik compose file

 command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myhttpchallenge.acme.email=jhmnieuwenhuis@gmail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"

Pgadmin4 compose file

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=mynetwork"
      # Set up redirect on insecure port to https 443 (using an arbitrary middleware name of `pgadmin4-redirect`)
      # `pgadmin4-web` is the router name for http to https redirection
      - "traefik.http.routers.pgadmin4-web.entrypoints=web"
      - "traefik.http.routers.pgadmin4-web.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.pgadmin4-web.middlewares=pgadmin4-redirect@docker"
      # Handle secure traffic (requires a separate frontend router for TLS)
      # `pgadmin4-websecure` is the router name for TLS connections
      - "traefik.http.routers.pgadmin4-websecure.entrypoints=websecure"
      - "traefik.http.routers.pgadmin4-websecure.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.routers.pgadmin4-websecure.tls=true"
      # Define which port to connect to the service on (backend)
      - "traefik.http.services.pgadmin4-service.loadbalancer.server.port=5050"

Hello,

Take a look here: https://docs.traefik.io/v2.0/https/tls/#tls-options

Thanks !!
But I am not sure what the syntax for the tls options should be in a swarm docker compose file.

Also would need the syntax of the swarm-compose file...

Restriction

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.

Thanks =) I managed it with docker config in Swarmpit =)

Woah!
Just found the solution myself...:

As tls.options is a dynamic configuration, you will have to use the File Provider with the following configuration in your traefik.toml file:

I therefore put my tls config into a file dynamically loaded from the directory specified in the traefik.yaml


Original Post:
Hey there, I am having the same warnings and down ratings as OP, but thought I had done everything right by having the following in my traefik.yml:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Nevertheless, I figured out that I had to set the certresolver manually in my docker labels, too. Do I also have to put the tls options there a second time?! Would be surprised... My docker-compose.yml looks like this re/ the labels:

    labels:
      - traefik.enable=true
      - traefik.docker.network=internal

      - traefik.http.services.nextcloud-http.loadbalancer.server.port=80

      - traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.domain.tld`)
      - traefik.http.routers.nextcloud-https.entrypoints=https
      - traefik.http.routers.nextcloud-https.service=nextcloud-http
      - traefik.http.routers.nextcloud-https.tls=true
      - traefik.http.routers.nextcloud-https.tls.certresolver=le
      - traefik.http.routers.nextcloud-https.middlewares=headers-security-nc@file,nc-redirect-wellknown

What am I missing?!?
Thanks a lot in advance :slight_smile:
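As an added example (not taken from any post in this thread), here are the three pieces the thread converges on, put together: the file provider enabled in the static configuration, the TLS options in a dynamic configuration file, and the router labels pointing at the certificate resolver. The directory path `/etc/traefik/dynamic`, the host mount `./dynamic` and the option name `hardened` are assumptions.

```yaml
# 1. Static configuration: add the file provider next to the docker provider
#    (compose `command:` list, same style as the original post). Path is an assumption.
command:
  - "--providers.docker=true"
  - "--providers.docker.exposedbydefault=false"
  - "--providers.file.directory=/etc/traefik/dynamic"
  - "--providers.file.watch=true"
  - "--entrypoints.websecure.address=:443"
volumes:
  - "./dynamic:/etc/traefik/dynamic:ro"   # mount point is an assumption
---
# 2. Dynamic configuration, e.g. /etc/traefik/dynamic/tls.yml, loaded by the file
#    provider. "default" is applied to every TLS router that names no option.
tls:
  options:
    default:
      minVersion: VersionTLS12      # refuses TLS 1.0/1.1 (second SSL Labs cap)
      sniStrict: true               # no certificate for clients that send no SNI
      cipherSuites:                 # ECDHE-only list: every suite has forward secrecy
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    hardened:                       # an optional stricter, named profile (assumed name)
      minVersion: VersionTLS13
      sniStrict: true
---
# 3. Docker labels on the service: the router must carry both tls=true and the
#    resolver name from the static configuration, otherwise no ACME certificate is issued.
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.pgadmin4-websecure.entrypoints=websecure"
  - "traefik.http.routers.pgadmin4-websecure.rule=Host(`pgadmin4.example.com`)"
  - "traefik.http.routers.pgadmin4-websecure.tls=true"
  - "traefik.http.routers.pgadmin4-websecure.tls.certresolver=myhttpchallenge"
  # Only needed when a router should use a non-default options entry:
  - "traefik.http.routers.pgadmin4-websecure.tls.options=hardened@file"
```

The `cipherSuites` list only governs TLS 1.2; Go's TLS 1.3 suites are fixed and always provide forward secrecy, so re-running the SSL Labs scan after the file provider has picked up the options is the quickest way to confirm both caps are gone.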