Traefik has enabled (I don’t know why) TLS < 1.2 by default.
And if you try to test network with SSL Labs you will get B ranking because of that. So how to correct it?
SSL dynamic configuration
This is my ssl_config.yml file:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| tls:
options:
mytls:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
curvePreferences:
- CurveP521
- CurveP384
mintls13:
minVersion: VersionTLS13
|
Update configuration of your traefik with folowing to load configuration
1
2
3
4
5
6
7
8
9
10
| # other file configuration
providers:
# other providers
file:
filename: "/tls_config.yml"
watch: true
# rest of configuration
|
Enabling TLS options
To enable configuration add following line to labels in your docker-compose.yml file
1
| - "traefik.http.routers.<your-router-name>.tls.options=mytls@file"
|
This is my 100DaysToOffload 2/100 post.