Traefik 2.5.2 TLS 1.0 1.1 disable

SkazochnikZlodey · September 14, 2021, 8:29am

Hello All.
Trying to disable tls 1.0 and 1.2 in docker swarm but without success, maybe i doing something wrong. If someone have time please help me.

traefik.yml:

## STATIC CONFIGURATION
log:
  level: DEBUG
  filepath: /var/log/traefik.log

#accessLog:
#  filePath: /var/log/traefik_access.log

ping: {}

api:
  debug: true
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

  metrics:
    address: ":8082"



providers:
  docker:
    swarmmode: true
    swarmModeRefreshSeconds: 30
    network: traefiknet
    watch: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    watch: true
    directory: "/etc/traefik/conf"
#    debugloggeneratedtemplate: true

certificatesResolvers:
  le:
    acme:
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: infodemo@tsuite9z.com
      storage: /etc/traefik/acme/acme.json
      tlsChallenge: true
#      httpChallenge: true
      httpChallenge:
        entryPoint: web
#      dnsChallenge:
#        provider: cloudflare
#        resolvers:
#          - "1.1.1.1:53"
#          - "8.8.8.8:53"

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
#        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256         
      curvePreferences:
        - secp521r1
        - secp384r1
      sniStrict: true

metrics:
  prometheus:
    entryPoint: metrics
    addEntryPointsLabels: true
    addServicesLabels: true
#    addRoutersLabels: true
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0

docker-compose.yml:

version: "3.4"
services:
  proxy:
    image: traefik:2.5.2
#    image: traefik:2.4.14
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /external/efs/services/traefik/acme/acme.json:/etc/traefik/acme/acme.json
      - /external/efs/services/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
#      - /external/efs/services/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
      - /external/efs/services/traefik/log:/var/log/
      - /external/efs/services/traefik/conf:/etc/traefik/conf
#    labels:
#      - traefik.enable=true
#      - traefik.docker.lbswarm=true
#      - traefik.docker.network=traefiknet
#      - traefik.http.routers.proxy_dev.rule=Host(`proxy-demo.tsuite9z.com`)
#      - traefik.http.routers.proxy_dev.tls=true
#      - traefik.http.routers.proxy_dev.tls.certresolver=le
#      - traefik.http.routers.proxy_dev.entrypoints=web,websecure
#      - traefik.http.routers.proxy_dev.service=proxy_dev
#      - traefik.http.services.proxy_dev.loadbalancer.server.port=8080
#      - traefik.http.services.proxy_dev.loadbalancer.server.scheme=http
#      - traefik.http.services.proxy_dev.loadbalancer.passhostheader=true
#      - traefik.http.services.proxy_dev.loadbalancer.sticky=true
#      - traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)
#      - traefik.http.routers.http_catchall.entrypoints=web
#      - traefik.http.routers.http_catchall.middlewares=https_redirect
#      - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
#      - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
    networks:
      - traefiknet
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: '5'

    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 8080
        published: 8080
        mode: host
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: any
################


networks:

  traefiknet:
    driver: overlay
    attachable: true
    external: true

docker file with service:

version: "3.4"
services:
  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    hostname: "pma"
    deploy:
#      placement:
#        constraints:
#          - "node.role==manager"
      resources:
        limits:
          memory: 512M
#        reservations:
#          cpus: '0.25'
#          memory: 20M
      replicas: 1
      restart_policy:
        condition: any
        delay: 5s
      update_config:
        parallelism: 1
        delay: 10s
        failure_action: rollback
        monitor: 60s
#        max_failure_ratio: 0.3
        order: start-first
      labels:
        - traefik.enable=true
        - traefik.docker.lbswarm=true
        - traefik.docker.network=traefiknet
        - traefik.http.routers.demo-pma.rule=Host(`pma-demo.special.com`)
        - traefik.http.routers.demo-pma.tls=true
        - traefik.http.routers.demo-pma.tls.certresolver=le
        - traefik.http.routers.demo-pma.entrypoints=websecure
        - traefik.http.routers.demo-pma.middlewares=demo-pma_auth@docker,demo-pma@docker,demo-pma_whitelist@docker
#        - traefik.http.routers.demo-merchant.entrypoints=web
        - traefik.http.routers.demo-pma.service=demo-pma
        - traefik.http.services.demo-pma.loadbalancer.server.port=80
        - traefik.http.services.demo-pma.loadbalancer.server.scheme=http
        - traefik.http.services.demo-pma.loadbalancer.passhostheader=true
        - traefik.http.services.demo-pma.loadbalancer.sticky=true
        - "traefik.http.middlewares.demo-pma.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
        - "traefik.http.middlewares.demo-pma.headers.accesscontrolalloworiginlist=*"
        - "traefik.http.middlewares.demo-pma.headers.accesscontrolmaxage=100"
        - "traefik.http.middlewares.demo-pma.headers.addvaryheader=true"
        - "traefik.http.middlewares.demo-pma_auth.basicauth.users=admin:{SHA}B20+bEufZUtbIguQRbdFira0y8Y=" # P@ssw0rd!
        - "traefik.http.middlewares.demo-pma_whitelist.ipwhitelist.sourcerange=127.0.0.1, 10.255.0.0/16, 10.254.0.0/16, 10.253.0.0/16, 10.100.0.0/16, 172.31.0.0/16, 94.154.212.15/32"
#        - "traefik.http.middlewares.demo-pma_whitelist.ipwhitelist.ipStrategy=true"
#        - "traefik.http.middlewares.demo-pma_whitelist.ipwhitelist.ipStrategy.depth=3"
        - "traefik.http.middlewares.demo-pma.headers.forcestsheader=true"
        - "traefik.http.middlewares.demo-pma.headers.sslRedirect=true"
        - "traefik.http.middlewares.demo-pma.headers.STSPreload=true"
        - "traefik.http.middlewares.demo-pma.headers.ContentTypeNosniff=true"
        - "traefik.http.middlewares.demo-pma.headers.BrowserXssFilter=true"
        - "traefik.http.middlewares.demo-pma.headers.STSIncludeSubdomains=true"
        - "traefik.http.middlewares.demo-pma.headers.STSSeconds=315360000"

    environment:
      PMA_HOST: db
      PMA_PORT: 3306
      PMA_ARBITRARY: 1
      PMA_VERBOSE: db
    networks:
      traefiknet:
        aliases:
          - pma
      dbnet:
        aliases:
          - pma

    logging:
      driver: "json-file"
      options:
        max-size: '12m'
        max-file: '5'

cakiwi · September 14, 2021, 11:57am

TLS Options can be set with a file provider or Kubernetes.

Right now you have it in your Static Configuration(traefik.yml). You will need to create a file provider and put the TLS Options in there.

SkazochnikZlodey · September 14, 2021, 12:53pm

Hello Cakiwi.

Thanks for information.
It working.
Here is some information who will search for solution:

in docker-compose.yml:

    volumes:
      - /external/efs/services/traefik/conf:/etc/traefik/conf

so need file on host in docker swarm in folder: /external/efs/services/traefik/conf
as example:
default.yml

http:
 middlewares:
   docker-redirect:
     redirectScheme:
       scheme: https
   docker-ipwhitelist:
     ipWhiteList:
       sourceRange:
         - "127.0.0.1/32"
         - "0.0.0.0/0"	# any

tls:
 options:
   default:
     minVersion: VersionTLS12
     cipherSuites:
#        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
       - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
       - TLS_AES_256_GCM_SHA384
       - TLS_CHACHA20_POLY1305_SHA256
     curvePreferences:
       - secp521
       - secp384
     sniStrict: true

system · September 17, 2021, 12:53pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Yet another TLS issue :D Traefik v2 docker	5	714	January 29, 2020
Cannot enable swarmMode Traefik v2 docker-swarm	4	501	March 7, 2024
Traefik on docker swarm simple setup Traefik v2 docker-swarm	0	1310	January 3, 2022
Repetitive logs for docker provider - Traefik + Swarm Traefik v2 docker-swarm	4	1198	June 28, 2021
Issues with the Docker Provider Traefik v2 docker , docker-swarm , file	3	165	May 20, 2024

Traefik 2.5.2 TLS 1.0 1.1 disable

Related topics