Yet another TLS issue :D

Hey all!

I searched the forum and tried several different suggestions but couldn't quite figure it out.
I am trying to disable every TLS version <= TLS 1.1, and this is what I have:

traefik.toml

[global]
  checkNewVersion = true
[log]
  level = "WARN"
[entryPoints]
  [entryPoints.web-secure]
    address = ":443"
[tls]
  [tls.options]
    [tls.options.default]
      sniStrict = true
      minVersion = "VersionTLS12"
[providers.docker]
  exposedByDefault = false
[api]
  insecure = true
[certificatesResolvers.le.acme]
  email = "admin@domain.tl"
  storage = "/acme.json"
  [certificatesResolvers.le.acme.tlsChallenge]

docker-compose.yml

version: "3.3"
services:
  traefik:
    image: "traefik:v2.1"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./traefik.toml:/traefik.toml" # Traefik configuration file
      - "./acme.json:/acme.json"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  ide:
    image: containous/whoami:v1.3.0
    ports:
      - "3000:80"
    container_name: ide
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ide.rule=Host(`sub.domain.tl`)"
      - "traefik.http.routers.ide.tls=true"
      - "traefik.http.routers.ide.tls.certresolver=le"
      - "traefik.http.routers.ide.entrypoints=web-secure"

I checked with several different tools, but they all list TLS 1.0 and TLS 1.1 as available.

Please help :slight_smile:

Hello @joseftsch,

If you want to use the tls options on your router, you have to configure it via the labels too:

https://docs.traefik.io/v2.1/routing/providers/docker/#routers

- "traefik.http.routers.ide.tls.options=default"

Hey @daniel.tomcej

Thanks for your feedback!
Tried it, but it doesn't make any difference. I get the same results: TLS 1.0 and TLS 1.1 are still offered.

cheers
josef

The TLS option should be in a dynamic file, not in the static one.
See Set TLS default option with .toml file - #2 by jbd - Traefik v2 (latest) - Traefik Labs Community Forum
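
The split described in this reply, as an added example that is not part of the original posts: the `[tls]` table moves out of the static `traefik.toml` into a separate file loaded through the file provider. The file name `dynamic.toml` and its path `/dynamic.toml` are assumptions; the remaining sections of the original `traefik.toml` (log, api, ACME resolver) stay as posted.

```toml
# --- traefik.toml (static configuration) ---
# The [tls] table from the first post is removed from this file;
# per the reply above, TLS options belong to the dynamic configuration.
[entryPoints]
  [entryPoints.web-secure]
    address = ":443"

[providers.docker]
  exposedByDefault = false

# File provider that loads the dynamic configuration.
# "/dynamic.toml" is an assumed path inside the container.
[providers.file]
  filename = "/dynamic.toml"

# --- dynamic.toml (dynamic configuration, assumed file name) ---
# Same option values as in the first post, now in the dynamic file.
# Options named "default" apply to TLS routers that do not
# reference another set of options.
[tls.options]
  [tls.options.default]
    sniStrict = true
    minVersion = "VersionTLS12"
```

The `traefik` service in the compose file would also need a volume entry for the new file, for example `./dynamic.toml:/dynamic.toml` (assumed path). Re-running the same TLS scanners afterwards confirms whether TLS 1.0 and TLS 1.1 are still offered.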

That worked! Thanks a lot :slight_smile:


Exactly :slight_smile:

the TLS option should be in a dynamic file, not in the static one.
