Traefik docker config for tls options

Hi all. I’ve been working out my configuration with docker compose and I can set everything in the compose file EXCEPT tls options, specifically ciphers. Seems arbitrary to leave that configuration out. I’m not super familiar with the code base or history so it might already be in the works. Does anyone know why that can’t be set with a flag?

You'll have to set that in a dynamic file provider.
https://docs.traefik.io/https/tls/#tls-options

Here is an example setting the default TLS option and a TLS 1.3-only option set that you can reference with traefik.routers.foo.tls.options=modern-2020.

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern-2020:
      minVersion: VersionTLS13

Took me a while to figure that out.

Do you know if there is a plan to add those options to the dynamic docker commands?

No idea, I'm just a user.

I see in the provider reference that KV and Kube providers have options for setting tls options though.

That’s cool. Thanks for the tip. I wish I had asked earlier. The docs are pretty good but seem to be missing a little organization or code examples. Not sure which.

I might try to do a pull request.

It appears there has already been an issue flagged for this very thing!


@merid14 Did you get this to successfully work? Using the dynamic config file and then pulling it from the dynamic docker configuration?

Yes! I had to create a file with just the options above and then in the docker compose specify that file as a configuration file.

Would you be so kind to post what that looked like? I have been trying to do the same but just can't seem to get it to work.

Would you be so kind to post what that looked like?

You can find it above.

I have been trying to do the same but just can't seem to get it to work.

Post your configs, what you are expecting to see, what you are seeing instead, and debug logs, and see if someone is able to spot what's wrong.

Here is what I have. I get the error "unknown TLS options: modern-2020@docker".

-- Traefik docker-compose.yml

services:
  traefik:
    container_name: traefik
    image: 'traefik:v2.2.11'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '$PWD/acme.json:/acme.json'
      - '$PWD/traefik_tls.yml:/configs/traefik_tls.yml'
      - 'trafficlog:/var/log'

    ports:
      - '80:80'
      - '443:443'

    networks:
      - FrontEnd

    command:
      - "--api.dashboard=true"

      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/access.log"
      - "--accesslog.bufferingsize=10"

      - "--providers.docker=true"
      - "--providers.docker.network=FrontEnd"
      - "--providers.docker.exposedbydefault=false"

      - "--providers.file.directory=/configs/"

      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=none@none.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=acme.json"

      - "--serverstransport.insecureskipverify=true"

-- traefik_tls.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern-2020:
      minVersion: VersionTLS13

-- containers docker-compose.yml

    labels:
      - "traefik.enable=true"

      - "traefik.http.routers.x-web.rule=Host(`beta.x.net`)"
      - "traefik.http.routers.x-web.entrypoints=web"
      - "traefik.http.routers.x-web.middlewares=https-redirect"

      - "traefik.http.routers.x-tls.rule=Host(`beta.x.net`)"
      - "traefik.http.routers.x-tls.entrypoints=websecure"
      - "traefik.http.routers.x-tls.tls.certresolver=letsencrypt"
      - "traefik.http.routers.x-tls.tls.options=modern-2020"
      - "traefik.http.routers.x-tls.middlewares=outside-whitelist"
  - "traefik.http.routers.x-tls.tls.options=modern-2020"

You don't need this line in there, as you aren't able to specify TLS options on the labels. That's what the config file is for, which you defined here:

  - "--providers.file.directory=/configs/"

That will load any options you have in that file for all containers.

I was able to get it working. I needed to do the following:


 - "traefik.http.routers.x-tls.tls.options=modern-2020@file"

Thank you for the help.
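The "unknown TLS options: modern-2020@docker" error above and the "@file" fix that resolved it come down to one lookup rule: a tls.options value with no @provider suffix is looked up inside the provider that declared the router. The following script, an added example that is not code from this thread or from Traefik, reproduces that rule as a small lint you can run over a container's labels and the dynamic TLS file before starting the stack. Everything in it is an assumption for illustration: the constructed sample YAML and labels (the thread's two option sets plus a deliberately questionable third one), the minimal indentation-based scan that stands in for a real YAML parser, and the label regex; it also only knows about option sets in the file provider, which is the only place this thread defines them.

```python
"""Lint Traefik router labels against the TLS options a dynamic file declares.

Added example, not code from the thread or from Traefik itself. It reproduces
the lookup rule behind the error "unknown TLS options: modern-2020@docker":
a tls.options value without an @provider suffix is looked up inside the
provider that declared the router (docker here), so option sets that live in
the file provider must be referenced as "name@file". The one exception is
"default", which carries no provider namespace. The YAML walk below is a
deliberately minimal indentation scan that handles files shaped like the
traefik_tls.yml in this thread; it is not a general YAML parser.
"""
import re

# Constructed sample dynamic file: the two option sets from the thread plus a
# third, deliberately questionable one used to show the TLS 1.3 caveat.
TRAEFIK_TLS_YML = """\
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    modern-2020:
      minVersion: VersionTLS13
    tls13-with-ciphers:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Constructed sample labels, shaped like the container compose file in the thread.
CONTAINER_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.x-tls.rule=Host(`beta.x.net`)",
    "traefik.http.routers.x-tls.entrypoints=websecure",
    "traefik.http.routers.x-tls.tls.certresolver=letsencrypt",
    "traefik.http.routers.x-tls.tls.options=modern-2020",  # missing @file suffix
]

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.options=(.+)$")


def file_tls_options(yaml_text):
    """Return {option name: {scalar key: value}} for everything under tls.options."""
    options = {}
    path = []  # stack of (indent, key) leading to the current line
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "-")):
            continue  # blank lines, comments and list items are not mapping keys
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        keys = [k for _, k in path]
        if keys[:2] != ["tls", "options"]:
            continue
        if len(keys) == 3:                 # tls.options.<name>
            options[key] = {}
        elif len(keys) == 4:               # tls.options.<name>.<setting>
            options[keys[2]][key] = value.strip()
    return options


def resolve_options_ref(ref, router_provider, defined):
    """Qualify a tls.options reference the way Traefik does and say if it resolves."""
    if ref == "default":
        return ref, "default" in defined    # "default" has no provider namespace
    if "@" not in ref:
        ref = f"{ref}@{router_provider}"   # unqualified -> the router's own provider
    name, provider = ref.split("@", 1)
    return ref, provider == "file" and name in defined


def lint_labels(labels, yaml_text, router_provider="docker"):
    """Return {router: error} for each tls.options label Traefik would reject."""
    defined = file_tls_options(yaml_text)
    problems = {}
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            router, ref = m.groups()
            qualified, ok = resolve_options_ref(ref, router_provider, defined)
            if not ok:
                problems[router] = f"unknown TLS options: {qualified}"
    return problems


def tls13_cipher_suite_warnings(defined):
    """Names of option sets that pin TLS 1.3 yet list cipherSuites.

    Traefik uses Go's crypto/tls, which does not let a configured cipher suite
    list affect TLS 1.3, so the list is dead configuration, not a restriction.
    """
    return sorted(name for name, opt in defined.items()
                  if opt.get("minVersion") == "VersionTLS13" and "cipherSuites" in opt)


if __name__ == "__main__":
    print(lint_labels(CONTAINER_LABELS, TRAEFIK_TLS_YML))
    fixed = [l.replace("=modern-2020", "=modern-2020@file") for l in CONTAINER_LABELS]
    print(lint_labels(fixed, TRAEFIK_TLS_YML))
    print(tls13_cipher_suite_warnings(file_tls_options(TRAEFIK_TLS_YML)))
```

Run as-is, the first line of output names the x-tls router with the same "modern-2020@docker" message the thread hit, the second is empty once the label carries "@file", and the third lists the option set that pins TLS 1.3 but still carries a cipher list. That last check is the caveat worth keeping in mind when writing a TLS 1.3-only option set: the cipherSuites list only constrains TLS 1.2 and below.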

Great! If you want it to apply to all containers, I believe you can just remove that line altogether.

I would believe the 'default' would apply to all containers?

*All containers with TLS-enabled routers.

And only the default set.

@merid14 @webmastadj was specifically looking at using the modern-2020 TLS options defined.
Could be useful in a scenario where the majority of services need a compatible set of TLS options and a 'newer' service will support only TLS 1.3.

Or vice-versa.


I have posted how I resolved this on my site, if anyone is interested in reading. Hopefully it helps others in the future.

https://www.djpic.net/articles/traefik-v2-secure-tls-and-header-configuration-with-docker-provider/