Unable to set TLS options

I want to use TLS options.
After reading the documentation I have the following setup.
In my docker-compose file ->

```yaml
- "traefik.http.routers.pgadmin4-websecure.tls.options=foobar"
```

In dynamic.yaml ->

```yaml
http:
  routers:
    pgadmin4-websecure:
      rule: "Host(`pgadmin4.jhmnieuwenhuis.com`) && Path(`/`)"
      # a space after the colon is required; "service:name" is read as one scalar, not a key/value pair
      service: pgadmin4-websecure
      # will terminate the TLS request
      tls:
        options: foobar

tls:
  options:
    foobar:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

When looking at the Traefik dashboard I see an error ->

Unknown TLS options : foobar@docker.

I do not know what I am doing wrong?

I used TOML in my swarm, but I think you're missing a @file.

Thanks, I added the @file but the error stays.

Maybe you didn't specify your file provider in traefik.

Following traajano's question: can you provide a bit more information to see what could go wrong? Thanks a lot!

By the way, this configuration works.
I can enter pgadmin4.jhmnieuwenhuis.com in the browser and it connects as
https://pgadmin4.jhmnieuwenhuis.com.
There is an error in the logs ->

Cannot start the provider *file.Provider: yaml: line 6: could not find expected ':'"

The problem is that I get a poor rating in SSL Labs and that is the reason I want to use TLS options.

The TLS options from the dynamic.yaml file are not applied and the rating keeps being poor.

My Traefik docker-compose file ->

```yaml
version: "3.4"
services:
  proxy:
    image: csprod2.jhmnlocal:18444/dckr4drpl/a3102-traefik:2.0.2

    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.filename=dynamic.yaml"
      - "--global.sendAnonymousUsage=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myhttpchallenge.acme.email=jhmnieuwenhuis@gmail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /localDockerVolumes/traefik/dynamic.yaml:/dynamic.yaml
      - type: bind
        source: /localDockerVolumes/letsencrypt
        target: /letsencrypt
      - type: bind
        source: /localDockerVolumes/traefik
        target: /etc/traefik
    networks:
    - mynetwork
    ports:
    - target: 80
      published: 80
      mode: host
    - target: 443
      published: 443
      mode: host
    - target: 8080
      published: 8080
      mode: host
    deploy:
      mode: global
      placement:
        constraints:
          - node.labels.type == prod
          - node.labels.nodename == prod1
      restart_policy:
        condition: on-failure
networks:
  mynetwork:
    external: true
```

My pgadmin4 docker-compose file ->

```yaml
version: "3.7"
services:

  pgadmin4:
    image: csprod2.jhmnlocal:18444/dckr4mn/a3102-pgadmin4:4.13
    env_file: env-pgadmin4.txt
    volumes:
      - type: bind
        source: /localDockerVolumes/pgadmin4-volume
        target: /pgadmin4/queries
    networks:
      - mynetwork
    secrets:
      - source: pgadmin_passwd
        target: pgadmin_passwd
        uid: '1000'
        gid: '1000'
        mode: 0444
      - source: pgadmin_user
        target: pgadmin_user
        uid: '1000'
        gid: '1000'
        mode: 0444
    ports:
      - "5050:5050"
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.type == prod
          - node.labels.nodename == prod1
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure

    labels:

      - "traefik.enable=true"
      - "traefik.docker.network=mynetwork"

      # Set up redirect on insecure port to https 443 (using an arbitrary middleware name of `pgadmin4-redirect`)
      # `pgadmin4-web` is the router name for http to https redirection
      - "traefik.http.routers.pgadmin4-web.entrypoints=web"
      - "traefik.http.routers.pgadmin4-web.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.pgadmin4-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.pgadmin4-web.middlewares=pgadmin4-redirect@docker"

      # Handle secure traffic (requires a separate frontend router for TLS)
      # `pgadmin4-websecure` is the router name for TLS connections
      - "traefik.http.routers.pgadmin4-websecure.entrypoints=websecure"
      - "traefik.http.routers.pgadmin4-websecure.rule=Host(`pgadmin4.jhmnieuwenhuis.com`)"
      - "traefik.http.routers.pgadmin4-websecure.tls=true"
      - "traefik.http.routers.pgadmin4-websecure.tls.options=foobar@file"

      # Define which port to connect to the service on (backend)
      - "traefik.http.services.pgadmin4-service.loadbalancer.server.port=5050"

networks:
    mynetwork:
      external: true
```

dynamic.yaml ->

```yaml
http:
  routers:
    pgadmin4-websecure:
      rule: "Host(`pgadmin4.jhmnieuwenhuis.com`) && Path(`/`)"
      # a space after the colon is required; "service:name" is read as one scalar, not a key/value pair
      service: pgadmin4-service
      # will terminate the TLS request
      tls:
        options: foobar

tls:
  options:
    foobar:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

Traefik log file ->

```text
[hn@cldevel stack]$ docker service logs -f proxy_proxy
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Configuration loaded from flags."
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Traefik version 2.0.2 built on 2019-10-09T19:26:05Z"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"watch\":true,\"filename\":\"dynamic.yaml\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myhttpchallenge\":{\"acme\":{\"email\":\"jhmnieuwenhuis@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="No default certificate, generating one"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Start TCP Server" entryPointName=websecure
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Start TCP Server" entryPointName=traefik
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Starting provider *file.Provider {\"watch\":true,\"filename\":\"dynamic.yaml\"}"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Start TCP Server" entryPointName=web
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=error msg="Cannot start the provider *file.Provider: yaml: line 6: could not find expected ':'"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Starting provider *acme.Provider {\"email\":\"jhmnieuwenhuis@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"myhttpchallenge\",\"store\":{},\"ChallengeStore\":{}}"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=info msg="Testing certificate renew..." providerName=myhttpchallenge.acme
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Configuration received from provider myhttpchallenge.acme: {\"http\":{},\"tls\":{}}" providerName=myhttpchallenge.acme
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Adding certificate for domain(s) pgadmin4.jhmnieuwenhuis.com"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="No default certificate, generating one"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Provider connection established with docker 19.03.3 (API 1.40)" providerName=docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Filtering disabled container" providerName=docker container=proxy-proxy-5uohudn56b25m3dlkohpvfffl-5flbibnh6gmz83wtu05kziqxj-3340e94eacea18fdce664de616f24d8788676e28c6f41d8b85895a8cce26346d
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Filtering disabled container" providerName=docker container=man-psql-1-keqvtcoz3f60nvdpeq9tosa3z-33c9cc11ff23f4961604e23043d452f8765b0c66562c9cbaaf26a86da8e832a5
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Filtering disabled container" providerName=docker container=man-gitea-1-majz4m3te58rbga99igp5d6sd-ff76dcac3218d82d5e3a1a0da276dd2846aebe914389f32092326a52eedd4b8f
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"pgadmin4-web\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"pgadmin4-redirect@docker\"],\"service\":\"pgadmin4-service\",\"rule\":\"Host(`pgadmin4.jhmnieuwenhuis.com`)\"},\"pgadmin4-websecure\":{\"entryPoints\":[\"websecure\"],\"service\":\"pgadmin4-service\",\"rule\":\"Host(`pgadmin4.jhmnieuwenhuis.com`)\",\"tls\":{\"options\":\"foobar@file\"}}},\"middlewares\":{\"pgadmin4-redirect\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}}},\"services\":{\"pgadmin4-service\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.74:5050\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Adding certificate for domain(s) pgadmin4.jhmnieuwenhuis.com"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="No default certificate, generating one"
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating middleware" entryPointName=web routerName=pgadmin4-web@docker serviceName=pgadmin4-service middlewareName=pipelining middlewareType=Pipelining
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=pgadmin4-web@docker serviceName=pgadmin4-service
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating server 0 http://10.0.1.74:5050" serviceName=pgadmin4-service serverName=0 entryPointName=web routerName=pgadmin4-web@docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Added outgoing tracing middleware pgadmin4-service" middlewareType=TracingForwarder middlewareName=tracing routerName=pgadmin4-web@docker entryPointName=web
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating middleware" entryPointName=web routerName=pgadmin4-web@docker middlewareType=RedirectScheme middlewareName=pgadmin4-redirect@docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Setting up redirection to https " middlewareType=RedirectScheme middlewareName=pgadmin4-redirect@docker entryPointName=web routerName=pgadmin4-web@docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Adding tracing to middleware" routerName=pgadmin4-web@docker middlewareName=pgadmin4-redirect@docker entryPointName=web
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating middleware" middlewareType=Pipelining routerName=pgadmin4-websecure@docker serviceName=pgadmin4-service entryPointName=websecure middlewareName=pipelining
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating load-balancer" serviceName=pgadmin4-service entryPointName=websecure routerName=pgadmin4-websecure@docker
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating server 0 http://10.0.1.74:5050" entryPointName=websecure routerName=pgadmin4-websecure@docker serviceName=pgadmin4-service serverName=0
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Added outgoing tracing middleware pgadmin4-service" middlewareType=TracingForwarder entryPointName=websecure routerName=pgadmin4-websecure@docker middlewareName=tracing
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
proxy_proxy.0.5flbibnh6gmz@csprod1.jhmnlocal    | time="2019-10-18T07:05:11Z" level=debug msg="unknown TLS options: foobar@file" routerName=pgadmin4-websecure@docker entryPointName=websecure
```


It works now!!

I replaced the dynamic.yaml file with a TOML file and simplified it.

```toml
## Dynamic configuration
[tls.options]
  [tls.options.foobar]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
```

No more error in the traefik dashboard.

I guess there was an error in the dynamic.yaml file.

Now the SSL Labs test shows

Is there any TLS setting or other setting that gets me to A+ instead of A?

Thanks for all the support.
It's nice to know people care!!!

Hans


There are some extra headings you can set. Check my configuration, it gets A+.

Thanks, I tried the settings in your traefik.toml.
Still no A+, only A.

I notice in the SSL Labs check that TLS version 1.0 is still enabled.
Can I disable that in Traefik?

Regards,
hans

I think you may not be setting the file correctly, because your configuration already says the minimum is TLSv1.2, so if you're getting it working with TLSv1.0 then that would imply that your TLS options are not being set correctly.
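One way to see what the foobar options enforce once they are really applied, as an added example that is not from this thread or from Traefik's code: Traefik is written in Go, so the same minVersion and cipherSuites map directly onto a Go crypto/tls server config. The block below (function names are my own, and it uses a throwaway self-signed certificate on loopback) serves that config and probes it with clients capped at TLS 1.0 and TLS 1.2; the TLS 1.0 client must be refused, which is what the SSL Labs protocol table should also show.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// FoobarOptions mirrors tls.options.foobar from the thread; Traefik is Go, so these are crypto/tls constants.
func FoobarOptions(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
}
// selfSignedCert builds a throwaway ECDSA certificate for the loopback test server (constructed, not a real cert).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}
// Probe serves one handshake with FoobarOptions and reports whether a client capped at
// maxVersion is accepted (false = refused by minVersion, which SSL Labs would show as disabled).
func Probe(maxVersion uint16) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil { return false, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", FoobarOptions(cert))
	if err != nil { return false, err }
	defer ln.Close()
	go func() { // server side: accept one connection, attempt the handshake, close
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // throwaway self-signed cert on loopback only
		MinVersion:         tls.VersionTLS10, MaxVersion: maxVersion})
	if err != nil {
		return false, nil // server alerted "protocol version not supported"
	}
	conn.Close()
	return true, nil
}
```

If the same probe against the real endpoint still negotiates TLS 1.0, the router is not using the options at all, which is exactly what the `unknown TLS options: foobar@file` debug line in the log above means.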