Set TLS default option with .toml file

HI everyone,

I use latest traefik branch (2.02) in docker configuration.

This is my Traefik docker-compose :slight_smile:


version: "3"

networks:
  traefik:
    external: true

services:
   traefik:
     networks:
       - traefik
     image: traefik:latest
     ports:
       - 80:80
       - 443:443
     expose:
       - 8080
     restart: always
     volumes:
       - ./acme.json:/acme.json
       - ./traefik.toml:/traefik.toml
       - ./tmp:/tmp
       - /var/run/docker.sock:/var/run/docker.sock
     labels:
       - "traefik.http.routers.api.rule=Host(`mydomain.xyz`)"
       - "traefik.http.routers.api.entrypoints=web-secured"
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.tls"
       - "traefik.http.routers.api.middlewares=authTraefik"
       - "traefik.http.middlewares.authTraefik.basicauth.users=anonymous:$$2y$$05$$dsqdsdqsdsdqsdd/ih9OyKrhet10NcskB/Lj5BUFPU.O9BhEXAq"

Traefik.toml

[log]
  level = "INFO"

[providers.docker]
  network = "traefik"

[api]
  dashboard = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secured]
    address = ":443"

[certificatesResolvers]
  [certificatesResolvers.default.acme]
    email = "toto.dds@ffsd.gt"
    storage = "acme.json"
    [certificatesResolvers.default.acme.tlsChallenge]

[tls]
  [tls.options]
    [tls.options.default]
       minVersion = "VersionTLS12"
       sniStrict = true
       cipherSuites = [
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
         "TLS_AES_128_GCM_SHA256",
         "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256",
      ]

Everythings works great, but my tls configutation isn't considered...

Still AES 128 and TLS 1.0 1.1 authorised.

Try this solution but KO :slight_smile:

what did I forget ? :slight_smile:

Hi @comassky,

First, prefers a specific version than a latest for the docker image.
Then, you can't mix static and dynamic configurations.

As tls.options is a dynamic configuration, you will have to use the File Provider with the following configuration in your traefik.toml file:

[providers.file]
  directory = "/my/path/to/"

Then you can add your tls.options configuration in the /my/path/to/dynamic-conf.toml file.

4 Likes

Thanks for answers ! :slight_smile:

But still not working for me :slight_smile:

tree :

├── acme.json
├── docker-compose.yml
├── tls
│   └── dynamic-conf.toml
└── traefik.toml

traefik.toml

[log]
  level = "DEBUG"

[providers.docker]
  network = "traefik"

[api]
  dashboard = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secured]
    address = ":443"

[certificatesResolvers]
  [certificatesResolvers.default.acme]
    email = "toto.toto@gmail.com"
    storage = "acme.json"
    [certificatesResolvers.default.acme.tlsChallenge]

[providers.file]
  directory = "/tls/dynamic-conf.toml"

docker-compose.yml


version: "3"

networks:
  traefik:
    external: true

services:
   traefik:
     networks:
       - traefik
     image: traefik:v2.0.2
     container_name: Traefik
     ports:
       - 80:80
       - 443:443
     expose:
       - 8080
     restart: always
     volumes:
       - ./acme.json:/acme.json
       - ./traefik.toml:/traefik.toml
       - ./tls:/tls
       - /var/run/docker.sock:/var/run/docker.sock
     labels:
       - "traefik.http.routers.api.rule=Host(`toto.xyz`)"
       - "traefik.http.routers.api.entrypoints=web-secured"
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.tls"
       - "traefik.http.routers.api.middlewares=authTraefik"
       - "traefik.http.middlewares.authTraefik.basicauth.users=toto:$$2y$$05$$i4sdsm4gzH3sdqshzc3V64xB/ih9OyKrhet10NcskB/Lj5BUFPU.sdqsdsqdsds"

/tls/dynamic-conf.toml

[tls]
  [tls.options]
    [tls.options.default]
       minVersion = "VersionTLS12"
       sniStrict = true
       cipherSuites = [
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
         "TLS_AES_128_GCM_SHA256",
         "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256",
      ]

Could you try:

[providers.file]
  directory = "/tls/"

If it doesn't work, could you share the traefik log to see what is the configuration loaded ?

1 Like
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="Start TCP Server" entryPointName=web-secured
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="Start TCP Server" entryPointName=web
Traefik    | time="2019-10-28T13:27:23Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
Traefik    | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *file.Provider {\"directory\":\"/tls/\",\"watch\":true}"
Traefik    | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"network\":\"traefik\",\"swarmModeRefreshSeconds\":15000000000}"
Traefik    | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *acme.Provider {\"email\":\"dsdsds@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"tlsChallenge\":{},\"ResolverName\":\"default\",\"store\":{},\"ChallengeStore\":{}}"
Traefik    | time="2019-10-28T13:27:23Z" level=info msg="Testing certificate renew..." providerName=default.acme
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS12\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\",\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\"],\"clientAuth\":{},\"sniStrict\":true}}}}" providerName=file
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="Configuration received from provider default.acme: {\"http\":{},\"tls\":{}}" providerName=default.acme
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="No default certificate, generating one"
Traefik    | time="2019-10-28T13:27:23Z" level=debug msg="Provider connection established with docker 19.03.4 (API 1.40)" providerName=docker

But still :

image

Seems to be loaded, maybe i must add option=default to nginx docker compose labels ?

In fact, it works :slight_smile:

https://www.ssllabs.com/ssltest/analyze.html?d=hjacquot.xyz

TLS < 1.2 is KO :slight_smile:

But i can't use 256 key for TLS 1.3 ?

Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.

The new cipher suites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE).

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
[GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
[GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
Appendix B.4).

Ok thanks !

So no AES 256 or CHAHCA 256 for now ?

The old cipher suites will never be available for TLS1.3.

Currently, the specs (and Traefik) support: https://tools.ietf.org/html/rfc8446#appendix-B.4

Also the cipher suites for TLS1.3 are not configurable in Traefik: https://github.com/golang/go/issues/29349

Thanks for all your answers ! It works :wink:

SSLabs A note (cause cypher lenght).