Poor rating on ssl labs

Hi, I am starting to use Traefik 2.0.
I got it working, but the rating on SSL Labs is only B:
=> This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
=> This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020.

Should I add some more configuration params?

My configuration
Traefik compose file

      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myhttpchallenge.acme.email=jhmnieuwenhuis@gmail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"

Pgadmin4 compose file

      - "traefik.enable=true"
      - "traefik.docker.network=mynetwork"
      # Set up redirect on insecure port to https 443 (using an arbitrary middleware name of `pgadmin4-redirect`)
      # `pgadmin4-web` is the router name for http to https redirection
      - "traefik.http.routers.pgadmin4-web.entrypoints=web"
      - "traefik.http.routers.pgadmin4-web.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.pgadmin4-web.middlewares=pgadmin4-redirect@docker"
      # Handle secure traffic (requires a separate frontend router for TLS)
      # `pgadmin4-websecure` is the router name for TLS connections
      - "traefik.http.routers.pgadmin4-websecure.entrypoints=websecure"
      - "traefik.http.routers.pgadmin4-websecure.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.routers.pgadmin4-websecure.tls=true"
      # Define which port to connect to the service on (backend)
      - "traefik.http.services.pgadmin4-service.loadbalancer.server.port=5050"


Take a look here: https://docs.traefik.io/v2.0/https/tls/#tls-options

Thanks !!
But I am not sure what the syntax for the tls options should be in a swarm docker compose file.

Also would need the syntax of the swarm-compose file...


In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.


Thanks =) I managed it with docker config in Swarmpit =)

Just found the solution myself:

As tls.options is a dynamic configuration, you will have to use the File Provider with the following configuration in your traefik.toml file:

I therefore put my TLS config into a file dynamically loaded from the directory specified in the traefik.yaml.

Original Post:
Hey there, I am having the same warnings and down ratings as OP, but thought I had done everything right by having the following in my traefik.yml:

      minVersion: VersionTLS12
      sniStrict: true

Nevertheless, I figured out that I had to set the certresolver manually in my docker labels, too - do I also have to put the TLS options there a second time?! Would be surprised... my docker-compose.yml looks like this re/ the labels:

      - traefik.enable=true
      - traefik.docker.network=internal

      - traefik.http.services.nextcloud-http.loadbalancer.server.port=80

      - traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.domain.tld`)
      - traefik.http.routers.nextcloud-https.entrypoints=https
      - traefik.http.routers.nextcloud-https.service=nextcloud-http
      - traefik.http.routers.nextcloud-https.tls=true
      - traefik.http.routers.nextcloud-https.tls.certresolver=le
      - traefik.http.routers.nextcloud-https.middlewares=headers-security-nc@file,nc-redirect-wellknown

What am I missing?!?
Thanks a lot in advance 🙂
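
The setup this thread converges on, as an added example that is not taken from any poster or from the Traefik documentation: the TLS options go into the dynamic configuration loaded by the file provider, which addresses both SSL Labs findings quoted in the first post. The directory `/etc/traefik/dynamic`, the file name `tls.yml` and the particular cipher selection are assumptions.

```yaml
# ---- Static configuration (traefik.yml) ----
# tls.options is dynamic configuration, so this file only enables the
# file provider that loads it. Directory path is an assumption.
# CLI equivalents for a compose/swarm command list:
#   --providers.file.directory=/etc/traefik/dynamic
#   --providers.file.watch=true
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
    watch: true

---
# ---- Dynamic configuration (/etc/traefik/dynamic/tls.yml, assumed name) ----
tls:
  options:
    # Options named "default" are used by every TLS router that does not
    # select other options, so the router labels need no extra entry.
    # A differently named set would be selected per router with:
    #   traefik.http.routers.<router>.tls.options=<name>@file
    default:
      # Refuse TLS 1.0 and TLS 1.1 handshakes.
      minVersion: VersionTLS12
      sniStrict: true
      # ECDHE key exchange only, so every negotiated suite gives
      # forward secrecy; static-RSA suites (TLS_RSA_WITH_*) are left out.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

The dynamic file has to be readable inside the Traefik container at the configured directory, for example through a bind mount or a Docker config as mentioned earlier in the thread.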