[SOLVED] TLS Ciphers still offered

Hi,

I'm trying to figure out what is wrong.

I am facing an issue: even with CBC ciphers disabled, they are exposed:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256

Here is my Traefik config:

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519MLKEM768
        - X25519M
        - CurveP521
        - CurveP384
      sniStrict: true
      preferServerCipherSuites: true


http:
  middlewares:
    HSTS:
      headers:
        stsSeconds: 15752000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true

That's your Traefik dynamic config, where is your static config, like providers?

Hi,

My providers are docker and file.

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true

  file:
    filename: "/etc/traefik/rules.yaml"
    watch: true

Are your snippets from the first post in rules.yml?

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

traefik.yaml

api:
  insecure: true
  dashboard: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true

  file:
    filename: "/etc/traefik/rules.yaml"
    watch: true

entrypoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ":443"
    http2:
      maxConcurrentStreams: 250
    http3:
      advertisedPort: 443

certificatesResolvers:
  letsencrypt:
    acme:
      email: *****@*****.*****
      storage: /acme.json
      tlsChallenge: {}
  letsencrypt-dns:
    acme:
      email: *****@*****.*****
      storage: /acme-dns.json
      dnsChallenge:
        provider: ovh

serversTransport:
  insecureSkipVerify: true

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519MLKEM768
        - X25519M
        - X25519
        - CurveP521
        - CurveP384
      sniStrict: true
      preferServerCipherSuites: true

rules.yaml

http:

  routers:

    dashboard:
      rule: "Host(`traefik.domain.org`)"
      service: api@internal
      middlewares: HSTS,ip-limited
      tls:
        certResolver: letsencrypt

    homeassistant:
      entrypoints:
        - "websecure"
      rule: "Host(`maison.domain.org`)"
      service: homeassistant
      middlewares: HSTS
      tls:
        certResolver: letsencrypt

    unifi:
      entrypoints:
        - "websecure"
      rule: "Host(`unifi.domain.org`)"
      service: unifi
      middlewares: HSTS,ip-limited,security-basics
      tls:
        certResolver: letsencrypt

    nas:
      entrypoints:
        - "websecure"
      rule: "Host(`nas.domain.org`)"
      service: nas
      middlewares: HSTS,ip-limited,security-basics
      tls:
        certResolver: letsencrypt-dns

    webmin:
      entrypoints:
        - "websecure"
      rule: "Host(`webmin.domain.org`)"
      service: webmin
      middlewares: HSTS,ip-limited,security-basics
      tls:
        certResolver: letsencrypt-dns


# Services definition
  services:

    homeassistant:
      loadBalancer:
        healthCheck:
          path: /
          interval: 30s
          timeout: 10s
        servers:
          - url: "http://192.168.1.38:8123/"

    unifi:
      loadBalancer:
        healthCheck:
          path: /
          interval: 30s
          timeout: 10s
        servers:
          - url: "https://192.168.1.38:8443/"

    nas:
      loadBalancer:
        healthCheck:
          path: /
          interval: 30s
          timeout: 10s
        servers:
          - url: "http://192.168.1.253:5000"

    webmin:
      loadBalancer:
        healthCheck:
          path: /
          interval: 30s
          timeout: 10s
        servers:
          - url: "https://192.168.1.38:10000"

# Middlewares definition
  middlewares:

    limit:
      buffering:
        maxRequestBodyBytes: 20000000

    ip-limited:
      ipWhiteList:
        sourceRange:
          - 172.16.0.0/12
          - 192.168.0.0/16
          - 127.0.0.1

    HSTS:
      headers:
        stsSeconds: 15752000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true

    security-basics:
      headers:
        browserXssFilter: true
        frameDeny: true
        sslRedirect: true
        contentTypeNosniff: true
        accessControlAllowMethods: [ "GET", "POST", "PUT" ]
#        accessControlAllowOriginList: [ "https://web1.mydomain", "https://web2.mydomain", "https://web3.mydomain" ]
        accessControlMaxAge: 100
        addVaryheader: true
        contentSecurityPolicy: "script-src 'self'"
        referrerPolicy: "origin-when-cross-origin"

tls is a dynamic config root element (doc), so it needs to go into the other file.


tls section in rules.yaml?!

In which section?

I have added the tls settings to homeassistant:

2025-08-12T13:18:57+02:00 ERR Error occurred during watcher callback error="invalid node options: string" providerName=file

OK, got the way to add it.

Dealing with curve not found despite the documentation…

ERR Error during the build of the default TLS configuration error="building TLS config: invalid CurveID in curvePreferences: X25519M"

@bluepuma77 you are awesome!

Can you clarify what/where you had to add? Dealing with the same problem with the CBC ciphers showing up. Thanks!
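The two things that went wrong in this thread are easy to check before reloading Traefik: a `tls` block sitting in the static file (where it is not a root element, so the cipher list never reaches the entry point and Go's default suites, CBC included, stay on offer), and a curve name in `curvePreferences` that Traefik does not know (`X25519M` in the log above). The script below is an added example, not Traefik's own code and not from anyone in the thread; it takes both config files as plain dicts (constructed here to mirror the posted YAML, so it runs without PyYAML; with PyYAML installed, `yaml.safe_load()` on each file produces the same shape) and reports both problems. The set of accepted curve names is taken from Traefik's documentation; `X25519MLKEM768` is assumed to need a Traefik build on Go 1.24 or newer.

```python
"""Check where Traefik TLS options live and what they contain.

Added example, not Traefik's own code. Configs are plain dicts with the
same shape as the YAML files (what yaml.safe_load() would return).
"""

# Root elements of the dynamic configuration (file provider).
DYNAMIC_ROOTS = {"http", "tcp", "udp", "tls"}

# Curve names Traefik accepts in curvePreferences (per its documentation).
# X25519MLKEM768 is assumed to need a Traefik build on Go 1.24 or newer.
VALID_CURVES = {"CurveP256", "CurveP384", "CurveP521", "X25519", "X25519MLKEM768"}


def is_cbc_suite(suite):
    """True for TLS 1.2 suites in CBC mode (the ones the scan marked WEAK)."""
    return "_CBC_" in suite


def check_options(options, where):
    """Validate every entry of a tls.options mapping; `where` names the file."""
    findings = []
    for name, opt in options.items():
        for suite in opt.get("cipherSuites", []):
            if is_cbc_suite(suite):
                findings.append(f"{where}: tls.options.{name} explicitly lists CBC suite {suite}")
        for curve in opt.get("curvePreferences", []):
            if curve not in VALID_CURVES:
                findings.append(f"{where}: tls.options.{name}: invalid CurveID in curvePreferences: {curve}")
    return findings


def audit(static_cfg, dynamic_cfg):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    for root in sorted(DYNAMIC_ROOTS & set(static_cfg)):
        findings.append(f"static: '{root}' is a dynamic-config root element; move it to the file-provider file")
    # Validate a misplaced block too, so both problems surface in one pass.
    findings += check_options(static_cfg.get("tls", {}).get("options", {}), "static")
    dyn_options = dynamic_cfg.get("tls", {}).get("options", {})
    if "default" not in dyn_options:
        findings.append("dynamic: no tls.options.default, so entry points use Go's default "
                        "cipher list, which still includes CBC suites")
    findings += check_options(dyn_options, "dynamic")
    return findings


# Constructed sample mirroring the thread: tls in traefik.yaml, with the bad curve name.
STATIC_AS_POSTED = {
    "entryPoints": {"websecure": {"address": ":443"}},
    "providers": {"file": {"filename": "/etc/traefik/rules.yaml"}},
    "tls": {"options": {"default": {
        "minVersion": "VersionTLS12",
        "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
        "curvePreferences": ["X25519MLKEM768", "X25519M", "CurveP521"],
    }}},
}
DYNAMIC_AS_POSTED = {"http": {"routers": {}, "middlewares": {}}}

# The same settings after the fix: tls block moved to rules.yaml, curve name corrected.
STATIC_FIXED = {k: v for k, v in STATIC_AS_POSTED.items() if k != "tls"}
DYNAMIC_FIXED = dict(DYNAMIC_AS_POSTED, tls={"options": {"default": {
    "minVersion": "VersionTLS12",
    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    "curvePreferences": ["X25519MLKEM768", "X25519", "CurveP521"],
}}})

if __name__ == "__main__":
    for label, s, d in (("as posted", STATIC_AS_POSTED, DYNAMIC_AS_POSTED),
                        ("fixed", STATIC_FIXED, DYNAMIC_FIXED)):
        print(f"== {label} ==")
        for finding in audit(s, d) or ["ok"]:
            print(" -", finding)
```

Run against the "as posted" pair it reports three findings (tls in the static file, the `X25519M` curve, and no `default` options in the dynamic file); the "fixed" pair reports none. After moving the block, a scan of port 443 should no longer list the `0xc013`/`0xc014` CBC suites for TLS 1.2; TLS 1.3 suites are not affected by `cipherSuites` at all.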