From 1c69a41d61789e583072e11b7352b7b80976efa7 Mon Sep 17 00:00:00 2001
From: Paul
Date: Fri, 6 Nov 2020 02:16:02 +0100
Subject: [PATCH] Let Traefik only support TLS12 and TLS13

---
 config/dynamic_conf.toml | 14 ++++++++++++++
 config/traefik.toml | 7 +++++++
 docker-compose.yml | 2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 config/dynamic_conf.toml

diff --git a/config/dynamic_conf.toml b/config/dynamic_conf.toml
new file mode 100644
index 0000000..134c242
--- /dev/null
+++ b/config/dynamic_conf.toml
@@ -0,0 +1,14 @@
+[tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_CHACHA20_POLY1305_SHA256",
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ ]
+ [tls.options.mintls13]
+ minVersion = "VersionTLS13"
+
diff --git a/config/traefik.toml b/config/traefik.toml
index c72af33..4703d32 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -21,6 +21,7 @@
 [api]
 dashboard = true
+ insecure = true
 [metrics]
 [metrics.prometheus]
@@ -34,6 +35,11 @@
 exposedByDefault = false
 defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
+# we are loading an additional file, as some options can only be defined
+# in a 'dynamic' file config, not in this main config file.
+[providers.file]
+ filename = "/etc/traefik/dynamic_conf.toml"
+
 [certificatesResolvers.default.acme]
 email = "hostmaster@zom.bi"
 storage = "/cert/acme.json"
@@ -49,3 +55,4 @@
 [[tls.certificates]]
 certFile = "cert/grun.host.origin.pem"
 keyFile = "cert/grun.host.origin.key"
+
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f6081f..02b3593 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 services:
 proxy:
- image: traefik:v2.2
+ image: traefik:v2.3
 ports:
 - "80:80"
 - "443:443"
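Review bot: The three TLS 1.3 entries at the top of `cipherSuites` (`TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`) have no effect, because Go's TLS stack, which Traefik uses, does not allow TLS 1.3 suites to be configured; `cipherSuites` only constrains TLS 1.2 handshakes, so a reader may wrongly conclude TLS 1.3 is being restricted here. The suites that do apply are all `TLS_ECDHE_RSA_*`, so a TLS 1.2 client presented with an ECDSA certificate would find no usable suite and fail the handshake; a comment such as `# cipherSuites applies to TLS 1.2 only (Go fixes the TLS 1.3 suites); add TLS_ECDHE_ECDSA_* if any served certificate is ECDSA` above the array would make both limits explicit. `[tls.options.mintls13]` is defined but nothing in this patch references it, so presumably individual routers are meant to opt in via `tls.options=mintls13@file`; a one-line comment saying so would keep it from looking like dead configuration.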
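Review bot: `insecure = true` under `[api]` is unrelated to the TLS hardening in the commit title, and it publishes the API and dashboard without any authentication on Traefik's dedicated `traefik` entrypoint (port 8080 by default), from which anyone who can reach that port can read the full routing, middleware and TLS-option configuration. If the dashboard is wanted, the usual pattern is to leave `insecure` off and route `api@internal` through a router on the TLS entrypoint guarded by a `basicAuth` or `forwardAuth` middleware; at minimum, confirm the compose file does not publish 8080 (the `docker-compose.yml` hunk in this patch shows only 80 and 443 but is cut off, so this cannot be verified here). If this is deliberate for local development, a comment on the added line such as `# DEV ONLY: exposes the dashboard unauthenticated on :8080 — never ship enabled` would stop it from reaching a deployment by accident.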
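Review bot: `filename = "/etc/traefik/dynamic_conf.toml"` relies on the new `config/dynamic_conf.toml` being mounted into the container at that exact path, and nothing in this patch's `docker-compose.yml` hunk adds such a volume (the hunk is cut off, so it may exist outside the shown lines). If the mount is missing, the file provider fails to load and the TLS options are never applied, so Traefik silently keeps its built-in TLS defaults instead of the TLS 1.2 floor this commit is meant to enforce; the mount (presumably `./config:/etc/traefik`) should be confirmed and the result checked after deploy with something like `openssl s_client -connect host:443 -tls1_1`, which must now be refused. The added comment could also be sharper about why the split exists: `# TLS options are dynamic configuration in Traefik v2 and cannot be set in this static file; they live in dynamic_conf.toml.`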