Hi everyone,
I use the latest Traefik branch (2.0.2) in a Docker configuration.
This is my Traefik docker-compose:
version: "3"
networks:
  traefik:
    external: true
services:
  traefik:
    networks:
      - traefik
    image: traefik:latest
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    restart: always
    volumes:
      - ./acme.json:/acme.json
      - ./traefik.toml:/traefik.toml
      - ./tmp:/tmp
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.http.routers.api.rule=Host(`mydomain.xyz`)"
      - "traefik.http.routers.api.entrypoints=web-secured"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls"
      - "traefik.http.routers.api.middlewares=authTraefik"
      - "traefik.http.middlewares.authTraefik.basicauth.users=anonymous:$$2y$$05$$dsqdsdqsdsdqsdd/ih9OyKrhet10NcskB/Lj5BUFPU.O9BhEXAq"
Traefik.toml
[log]
level = "INFO"
[providers.docker]
network = "traefik"
[api]
dashboard = true
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web-secured]
address = ":443"
[certificatesResolvers]
[certificatesResolvers.default.acme]
email = "toto.dds@ffsd.gt"
storage = "acme.json"
[certificatesResolvers.default.acme.tlsChallenge]
[tls]
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
]
Everything works great, but my TLS configuration isn't considered...
Still AES 128 and TLS 1.0/1.1 authorised.
Tried this solution but KO:
Hello, I am trying to get rid of some cipher suites but still, the server presents the default certificate and permits SSLv3 (+ other deprecated protocols) despite the config below: traefik.toml: [...] [http.middlewares] ...
What did I forget?
jbd
October 28, 2019, 11:05am
Hi @comassky ,
First, prefer a specific version rather than latest for the Docker image.
Then, you can't mix static and dynamic configurations. As tls.options is a dynamic configuration, you will have to use the File Provider with the following configuration in your traefik.toml file:
[providers.file]
directory = "/my/path/to/"
Then you can add your tls.options configuration in the /my/path/to/dynamic-conf.toml file.
Thanks for the answers!
But still not working for me.
tree:
├── acme.json
├── docker-compose.yml
├── tls
│ └── dynamic-conf.toml
└── traefik.toml
traefik.toml
[log]
level = "DEBUG"
[providers.docker]
network = "traefik"
[api]
dashboard = true
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web-secured]
address = ":443"
[certificatesResolvers]
[certificatesResolvers.default.acme]
email = "toto.toto@gmail.com"
storage = "acme.json"
[certificatesResolvers.default.acme.tlsChallenge]
[providers.file]
directory = "/tls/dynamic-conf.toml"
docker-compose.yml
version: "3"
networks:
  traefik:
    external: true
services:
  traefik:
    networks:
      - traefik
    image: traefik:v2.0.2
    container_name: Traefik
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    restart: always
    volumes:
      - ./acme.json:/acme.json
      - ./traefik.toml:/traefik.toml
      - ./tls:/tls
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.http.routers.api.rule=Host(`toto.xyz`)"
      - "traefik.http.routers.api.entrypoints=web-secured"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls"
      - "traefik.http.routers.api.middlewares=authTraefik"
      - "traefik.http.middlewares.authTraefik.basicauth.users=toto:$$2y$$05$$i4sdsm4gzH3sdqshzc3V64xB/ih9OyKrhet10NcskB/Lj5BUFPU.sdqsdsqdsds"
/tls/dynamic-conf.toml
[tls]
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
]
jbd
October 28, 2019, 1:25pm
Could you try:
[providers.file]
directory = "/tls/"
If it doesn't work, could you share the Traefik log to see what configuration is loaded?
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="Start TCP Server" entryPointName=web-secured
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="Start TCP Server" entryPointName=web
Traefik | time="2019-10-28T13:27:23Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
Traefik | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *file.Provider {\"directory\":\"/tls/\",\"watch\":true}"
Traefik | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"network\":\"traefik\",\"swarmModeRefreshSeconds\":15000000000}"
Traefik | time="2019-10-28T13:27:23Z" level=info msg="Starting provider *acme.Provider {\"email\":\"dsdsds@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"tlsChallenge\":{},\"ResolverName\":\"default\",\"store\":{},\"ChallengeStore\":{}}"
Traefik | time="2019-10-28T13:27:23Z" level=info msg="Testing certificate renew..." providerName=default.acme
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS12\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\",\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\"],\"clientAuth\":{},\"sniStrict\":true}}}}" providerName=file
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="Configuration received from provider default.acme: {\"http\":{},\"tls\":{}}" providerName=default.acme
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="No default certificate, generating one"
Traefik | time="2019-10-28T13:27:23Z" level=debug msg="Provider connection established with docker 19.03.4 (API 1.40)" providerName=docker
But still:
Seems to be loaded; maybe I must add option=default to the nginx docker-compose labels?
In fact, it works:
https://www.ssllabs.com/ssltest/analyze.html?d=hjacquot.xyz
TLS < 1.2 is KO.
But I can't use a 256 key for TLS 1.3?
ldez
October 28, 2019, 1:40pm
Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.
The new cipher suites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE).
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
Ok, thanks!
So no AES 256 or CHACHA 256 for now?
ldez
October 28, 2019, 1:49pm
The old cipher suites will never be available for TLS1.3.
Currently, the specs (and Traefik) support: https://tools.ietf.org/html/rfc8446#appendix-B.4
Also the cipher suites for TLS1.3 are not configurable in Traefik: https://github.com/golang/go/issues/29349
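Added example, not code from the thread or from Traefik: a small Python lint that catches the three mistakes discussed above in one pass, namely tls.options placed in the static traefik.toml (first post), providers.file.directory pointing at a file instead of a directory (second post), and TLS 1.3 suites listed under cipherSuites, which Go ignores as ldez explains. The TOML parser only handles the subset these configs use; table and key names mirror the thread, the finding codes are my own.

```python
import re
# TLS 1.3 suites from RFC 8446 B.4; Go (so Traefik) picks these itself, golang/go#29349.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def parse_toml_subset(text):
    """Parse only [a.b] headers, key = "string" | true | false, and string arrays."""
    root = table = {}
    pending = None                                 # list currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if pending is not None:                    # inside a multi-line array
            pending.extend(re.findall(r'"([^"]*)"', line))
            if "]" in line:
                pending = None
            continue
        header = re.match(r"\[([\w.\-]+)\]$", line)
        if header:                                 # walk or create nested tables
            table = root
            for part in header.group(1).split("."):
                table = table.setdefault(part, {})
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val.startswith("["):
            table[key] = items = re.findall(r'"([^"]*)"', val)
            pending = None if "]" in val else items
        elif val in ("true", "false"):
            table[key] = val == "true"
        else:
            table[key] = val.strip('"')
    return root

def lint_tls_split(static_toml, dynamic_toml):
    """Return (code, message) findings for the static/dynamic split of a Traefik v2 setup."""
    static, dynamic = parse_toml_subset(static_toml), parse_toml_subset(dynamic_toml)
    findings = []
    if "tls" in static:                            # [tls] is dynamic config only
        findings.append(("tls-in-static", "move [tls.options] to the file provider"))
    directory = static.get("providers", {}).get("file", {}).get("directory", "")
    if directory.endswith(".toml"):
        findings.append(("file-not-dir", 'providers.file.directory must be a directory, e.g. "/tls/"'))
    opts = dynamic.get("tls", {}).get("options", {}).get("default", {})
    if opts.get("minVersion") not in ("VersionTLS12", "VersionTLS13"):
        findings.append(("weak-min-version", "set minVersion to VersionTLS12 or higher"))
    if TLS13_SUITES & set(opts.get("cipherSuites", [])):
        findings.append(("tls13-suites-noop", "TLS 1.3 suites in cipherSuites have no effect"))
    return findings
```

Run lint_tls_split on the traefik.toml and dynamic-conf.toml contents before restarting the container; an empty list means none of the thread's pitfalls are present.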
Thanks for all your answers! It works.
SSL Labs A note (because of cipher length).