Sure, thanks for your help!
Compose:
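version: '3'
services:
  traefik:
    # NOTE(review): "latest" is unpinned — the next pull can silently move to a
    # new major release with an incompatible config format. Pin a specific tag.
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      # DNS-01 credentials for the Infomaniak provider. Keep the token in an
      # uncommitted .env file and scope it to DNS record management only if the
      # provider offers per-token scopes.
      - "INFOMANIAK_ACCESS_TOKEN=${INFOMANIAK_ACCESS_TOKEN}"
      - "INFOMANIAK_TTL=300"
      - "INFOMANIAK_PROPAGATION_TIMEOUT=300"
    volumes:
      # ":ro" only applies to the socket file node, not to the Docker API behind
      # it: a compromised Traefik still gets full (root-equivalent) API access.
      # A docker-socket-proxy that only allows GET /containers and /events is the
      # usual mitigation.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "./data/traefik.yml:/traefik.yml:ro"
      # acme.json holds the account and certificate private keys. Create it with
      # chmod 600 on the host; Traefik refuses to use it with wider permissions.
      - "./data/acme.json:/acme.json"
      # NOTE(review): acme-le.json is not referenced by any certificatesResolver
      # in traefik.yml — presumably a leftover from a Let's Encrypt resolver.
      - "./data/acme-le.json:/acme-le.json"
      # The file provider only reads the dynamic config (watch works on a
      # read-only bind mount), so mount it ro as well.
      - "./data/config.yml:/config.yml:ro"
      - "/var/log/traefik/:/log/"
    labels:
      # Default labels, no changes needed
      - "traefik.docker.network=proxy" # Set Traefik network
      - "traefik.enable=true" # Enable Traefik on this Docker container
      - "traefik.http.routers.${TRAEFIK_SERVICE}.entrypoints=https" # Set entrypoint to HTTPS
      - "traefik.http.routers.${TRAEFIK_SERVICE}.tls=true" # Enable TLS, we're on HTTPS
      # These labels can or should be changed; the service label is missing because the
      # Traefik container uses the special api@internal service.
      # Middlewares run in the listed order: the IP allow-list goes FIRST so that
      # requests from outside the internal ranges are rejected before they can even
      # try (or brute-force) the basic-auth credentials.
      - "traefik.http.routers.${TRAEFIK_SERVICE}.middlewares=internal-access@file,traefikAuth@file,default@file" # Middlewares provided through the dynamic configuration
      - "traefik.http.routers.${TRAEFIK_SERVICE}.rule=Host(`${TRAEFIK_SUBSUBDOMAIN}.${TRAEFIK_SUBDOMAIN}.${TRAEFIK_DOMAIN}`)" # Set FQDN(s) of website
      - "traefik.http.routers.${TRAEFIK_SERVICE}.tls.options=modern@file" # TLS options provided through the dynamic configuration
      # NOTE(review): this port label creates an unused Docker service; the router
      # below points at api@internal instead. Harmless, but can be dropped.
      - "traefik.http.services.${TRAEFIK_SERVICE}.loadbalancer.server.port=80" # Set load-balancing port and corresponding service name
      # Specific Traefik container labels, do not copy to other containers
      - "traefik.http.routers.${TRAEFIK_SERVICE}.service=api@internal" # Special service name for traefik
      - "traefik.http.routers.${TRAEFIK_SERVICE}.tls.certresolver=infomaniak" # We're using Infomaniak as a cert authority
      - "traefik.http.routers.${TRAEFIK_SERVICE}.tls.domains[1].main=local.domain.ch" # Set local.domain.ch main cert
      - "traefik.http.routers.${TRAEFIK_SERVICE}.tls.domains[1].sans=*.local.domain.ch" # Set local.domain.ch sans cert(s)
networks:
  proxy:
    external: true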
traefik.yml:
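# Traefik static configuration file (mounted at /traefik.yml; Traefik finds it
# there because the container's working directory is /)
# See https://doc.traefik.io/traefik/getting-started/configuration-overview/#the-static-configuration
# and https://doc.traefik.io/traefik/reference/static-configuration/cli/
api:
  dashboard: true # Enable the dashboard (served by api@internal, gated by the router middlewares in compose)
  # debug exposes the /debug/* endpoints (profiling, runtime vars) on api@internal.
  # Keep it off; turn it on only for the duration of a troubleshooting session.
  debug: false
# Certificate Resolvers are responsible for retrieving certificates from an ACME server
# See https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
certificatesResolvers:
  infomaniak:
    acme:
      email: support@domain.ch
      storage: acme.json # Relative to the working directory, i.e. /acme.json (must be mode 600)
      dnsChallenge:
        provider: infomaniak # Change provider and resolvers accordingly
        resolvers:
          - "1.1.1.1"
          - "9.9.9.9"
entryPoints:
  http:
    address: ":80" # Create the HTTP entrypoint on port 80
    http:
      redirections: # HTTPS redirection (80 to 443)
        entryPoint:
          to: "https" # The target element
          scheme: "https" # The redirection target scheme
          permanent: true # Set permanent redirect, Code 301
  https:
    address: ":443" # Create the HTTPS entrypoint on port 443
# NOTE(review): this applies to EVERY backend connection Traefik makes.
# insecureSkipVerify disables certificate verification globally, so any host on
# the proxy network can impersonate any HTTPS backend. Prefer a named
# serversTransport in the dynamic configuration, attached only to the service
# that really needs it (self-signed device UI), and set this to false.
# It only skips certificate checks; it does NOT change which protocol versions
# the outbound TLS client accepts.
serversTransport:
  insecureSkipVerify: true
global:
  checkNewVersion: true # Periodically check if a new version has been released.
  # Anonymous usage reporting sends a summary of this configuration to Traefik
  # Labs. Disabled: nothing about an edge proxy's setup should leave the host.
  sendAnonymousUsage: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket
    exposedByDefault: false # Only expose containers that are explicitly enabled (label traefik.enable=true)
    network: "proxy" # Default network to use for connections to all containers.
  file:
    filename: "/config.yml" # Link to the dynamic configuration
    watch: true # Watch for modifications
  providersThrottleDuration: 10 # Configuration reload frequency
accessLog: # Enable access log, mounted in /var/log
  filePath: "/log/access.log" # Set path in Docker container
log: # This log concerns Traefik itself
  # DEBUG is what surfaces the backend TLS errors while troubleshooting; drop it
  # back to INFO afterwards — DEBUG logs request details for every proxied call.
  level: DEBUG # Set loglevel, see: https://doc.traefik.io/traefik/master/observability/logs/#configuration
  filePath: "/log/traefik.log" # Set path in Docker container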
Dynamic Config:
# Traefik dynamic configuration file
# See https://doc.traefik.io/traefik/getting-started/configuration-overview/#the-dynamic-configuration
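http:
  # Only use routers in the dynamic configuration file for external services.
  # Examples are: non-docker services, Proxmox, TrueNAS, switches, routers, firewalls, external websites...
  routers:
    # The following routers are used as a Reverse Proxy.
    rt-sw01:
      entryPoints:
        - "https"
      rule: "Host(`sw01.local.domain.ch`)"
      middlewares:
        - default
        # A switch management UI must never be reachable from the Internet;
        # remove this only if you consciously want it public.
        - internal-access
      tls: {} # Use "tls: {}" when using wildcard certs
      service: sw01
  middlewares:
    # A basic authentication middleware, to protect the Traefik dashboard from anyone except myself
    # Use with traefik.http.routers.myRouter.middlewares: "traefikAuth@file"
    traefikAuth:
      basicAuth:
        # Entries must be htpasswd-style hashes (bcrypt, apr1-MD5 or SHA1); a
        # plaintext "user:password" entry is not matched at all and must never be
        # committed. Generate one with: htpasswd -nB admin
        # Use $$ for docker-compose labels, $ for .yaml or .toml
        users:
          - "admin:<htpasswd-hash>" # placeholder, replace with the generated line
    # Recommended default middleware for most of the services
    # Use with traefik.http.routers.myRouter.middlewares: "default@file"
    # Equivalent of traefik.http.routers.myRouter.middlewares: "default-security-headers@file,gzip@file"
    default:
      chain:
        middlewares:
          - default-security-headers
          - gzip
    # Automatically add some security headers
    # Use with traefik.http.routers.myRouter.middlewares: "default-security-headers@file"
    default-security-headers:
      headers:
        browserXssFilter: true # X-XSS-Protection=1; mode=block (legacy header, ignored by current browsers; harmless)
        contentTypeNosniff: true # X-Content-Type-Options=nosniff
        forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
        # The previous "frameDeny: false" sent NO X-Frame-Options header at all
        # (the comment claimed "allow"), leaving every service framable by any
        # origin (clickjacking). SAMEORIGIN keeps device UIs that use frames
        # working while blocking cross-origin framing; this overrides frameDeny.
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
        # WARNING: preload + includeSubdomains means that once domain.ch is submitted
        # to the browser preload list, EVERY subdomain must serve HTTPS — this is
        # very hard to undo. Only keep it if that is intended.
        stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 63072000 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
    # Enables the GZIP compression (https://docs.traefik.io/middlewares/compress/)
    # if the response body is larger than 1400 bytes
    # if the Accept-Encoding request header contains gzip
    # if the response is not already compressed (Content-Encoding is not set)
    # Use with traefik.http.routers.myRouter.middlewares: "gzip@file"
    gzip:
      compress: {}
    # Use IP allow-lists to restrict access from the Internet
    # Use with traefik.http.routers.myRouter.middlewares: "internal-access@file"
    # Without an ipStrategy Traefik matches the TCP source address, so the list
    # cannot be spoofed via X-Forwarded-For (those headers are only honoured from
    # entrypoint forwardedHeaders.trustedIPs). Note that 172.16.0.0/12 also covers
    # the default Docker bridge ranges, so every container on this host passes.
    internal-access:
      ipWhiteList:
        sourceRange:
          # - "127.0.0.1/32"
          - "192.168.0.0/16"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
  services:
    # Use in combination with example router for external services
    sw01:
      loadBalancer:
        # Certificate verification is skipped for THIS backend only (self-signed
        # device certificate) instead of globally via the static serversTransport.
        serversTransport: sw01-legacy
        servers:
          - url: "https://172.31.100.240"
        passHostHeader: true
  serversTransports:
    sw01-legacy:
      insecureSkipVerify: true
      # NOTE(review): a serversTransport has no minimum-TLS-version knob. The
      # "unsupported protocol version 301" error means the device offers TLS 1.0
      # (0x0301), which Traefik's Go TLS client rejects regardless of this
      # setting. Fixing that requires a firmware update on the device, or proxying
      # it over plain http on an isolated management network.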
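# See https://doc.traefik.io/traefik/https/tls/
# These options govern the TLS that Traefik TERMINATES toward browsers. They
# have no effect on the TLS Traefik INITIATES toward backends (that is
# serversTransport), so relaxing "old" does not help with a legacy device.
tls:
  options:
    # To use with the label "traefik.http.routers.myrouter.tls.options=modern@file"
    modern:
      minVersion: "VersionTLS13" # Minimum TLS version (TLS 1.3 ignores cipherSuites)
      sniStrict: true # Reject clients that send no SNI instead of serving the default cert
    # To use with the label "traefik.http.routers.myrouter.tls.options=intermediate@file"
    intermediate:
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      minVersion: "VersionTLS12" # Minimum TLS version
      sniStrict: true # Strict SNI checking
    # To use with the label "traefik.http.routers.myrouter.tls.options=old@file"
    # WARNING: TLS 1.0/1.1 and 3DES are deprecated (RFC 8996). Keep this profile
    # only for clients that really cannot do better, and attach it per router —
    # no router in this configuration references it.
    old:
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
        - "TLS_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_RSA_WITH_AES_128_CBC_SHA"
        - "TLS_RSA_WITH_AES_256_CBC_SHA"
        - "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
      # Traefik only documents the "VersionTLS10".."VersionTLS13" spellings; the
      # previous "TLSv1" is not one of them and the option would not load as intended.
      minVersion: "VersionTLS10" # Minimum TLS version
      sniStrict: true # Strict SNI checking
# Generated 2021-08-12, Mozilla Guideline v5.6, Traefik 2.4.8
# https://ssl-config.mozilla.org/#server=traefik&version=2.4.8&config=old&guideline=5.6
# https://ssl-config.mozilla.org/#server=traefik&version=2.4.8&config=intermediate&guideline=5.6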
My problem is the service "sw01", which returns the 500 Internal Server Error.
When I use http instead of https for the same URL, it works without any problem. The same goes for external devices that support HTTPS with a current TLS version: those work over https, so I'm guessing it has something to do with the old SSL/TLS version the switch offers.
The Traefik dashboard does not report any problems, everything is green. But in the log file I can see an error:
time="2023-07-06T09:43:20Z" level=debug msg="'500 Internal Server Error' caused by: tls: server selected unsupported protocol version 301"
(Version 301 is the TLS wire version 0x0301, i.e. TLS 1.0: the switch negotiates TLS 1.0, which the Go TLS client inside Traefik rejects by default because its minimum is TLS 1.2. `insecureSkipVerify` only skips certificate verification and does not change the accepted protocol versions.)
Hope this helps and thanks again for your time!