I have a configuration-related problem with traefik v2.3.1 (running from docker with the docker provider), while also wanting to force a `minVersion` of `VersionTLS12` on all https connections entering via the single entrypoint I have defined. I have a working set-up with a wildcard Letsencrypt certificate obtained via a `dnsChallenge`, where the wildcard certificate is retrieved only once for all containers sharing the same configuration (which is awesome).
This is the `traefik.yml` inside the `traefik` folder:

```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        options: myoptions
providers:
  docker:
    exposedByDefault: false
api:
  dashboard: true
log:
  level: INFO
accessLog: {}
tls:
  options:
    myoptions:
      minVersion: VersionTLS12
certificatesResolvers:
  myresolver:
    acme:
      # Using the Let's Encrypt staging server
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: webmaster@example.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

This is the `Dockerfile` inside the `traefik` folder:

```dockerfile
FROM traefik:v2.3.1
COPY traefik.yml /etc/traefik/traefik.yml
```
This is the `docker-compose.yml`:

```yaml
version: "2.4"
services:
  traefik:
    build: traefik/
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "443:443"
    environment:
      - TZ=Europe/Amsterdam
      - "AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}"
      - "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
      - "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
    volumes:
      - ./data/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.http.routers.api.tls=true
      - traefik.http.routers.api.tls.certresolver=myresolver
      - traefik.http.routers.api.tls.domains[0].main=*.example.com
      - traefik.http.routers.api.tls.domains[0].sans=*.example.com
      #- traefik.http.routers.api.tls.options=myoptions
      - traefik.http.routers.api.service=api@internal
  whoami:
    image: jwilder/whoami
    hostname: whoami
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=web
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.tls.certresolver=myresolver
      - traefik.http.routers.whoami.tls.domains[0].main=*.example.com
      - traefik.http.routers.whoami.tls.domains[0].sans=*.example.com
      #- traefik.http.routers.whoami.tls.options=myoptions
      - traefik.http.routers.whoami.service=whoami
      - traefik.http.services.whoami.loadbalancer.server.port=8000
```

`.env` file with dns provider secrets:

```
AWS_HOSTED_ZONE_ID=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
```
I build and start the containers and monitor the traefik log output (for warnings or errors):

```shell
docker-compose --env-file .env up --build -d && docker-compose logs -f
```

Then I use another terminal window (or browser if you like) to assert that I can reach the dashboard and container website via SSL:

- `curl https://traefik.example.com/dashboard/` --> OK
- `curl https://whoami.example.com` --> OK
Then I use nmap to test the ssl config:

```shell
nmap --script ssl-enum-ciphers -p 443 localhost
```

It shows TLSv1.0 is enabled, which I don't want:

```
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
```
What I don't get is that I have my TLS setting applied on a (dynamic) router config level, but the actual setting concerns all TLS socket connections on a specific entrypoint port (`websecure`), so that makes me think this is a setting that could be solved with a single (static) configuration setting inside `traefik.yml`. I've tried numerous settings but have failed so far. What have I not understood?