From a521b213a92df12eaa1c379bba3e57a8b200dc14 Mon Sep 17 00:00:00 2001
From: Paul <paul@zom.bi>
Date: Sat, 5 Sep 2020 06:30:42 +0200
Subject: [PATCH 1/2] bump traefik version

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b5d254e..5f6081f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 
 services:
   proxy:
-    image: traefik:v2.1
+    image: traefik:v2.2
     ports:
       - "80:80"
       - "443:443"

From 1c69a41d61789e583072e11b7352b7b80976efa7 Mon Sep 17 00:00:00 2001
From: Paul <paul@zom.bi>
Date: Fri, 6 Nov 2020 02:16:02 +0100
Subject: [PATCH 2/2] Let Traefik only support TLS12 and TLS13

---
 config/dynamic_conf.toml | 14 ++++++++++++++
 config/traefik.toml      |  7 +++++++
 docker-compose.yml       |  2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 config/dynamic_conf.toml

diff --git a/config/dynamic_conf.toml b/config/dynamic_conf.toml
new file mode 100644
index 0000000..134c242
--- /dev/null
+++ b/config/dynamic_conf.toml
@@ -0,0 +1,14 @@
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+    cipherSuites = [
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+    ]
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
+
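Review bot: The `cipherSuites` list under `[tls.options.default]` offers only `ECDHE_RSA` suites for TLS 1.2, so a TLS 1.2 client can only complete a handshake against an RSA-keyed certificate. If any served certificate (the ACME ones or the origin certificate in traefik.toml) uses an ECDSA key, those clients would be refused; in that case add the matching entries such as `"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"` and `"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`. The first three names (`TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`) are TLS 1.3 suites, which Go's TLS stack does not let a server restrict, so they are presumably inert here and a comment saying so would help the next reader. `[tls.options.mintls13]` only takes effect on routers that reference it by name, which this patch does not show.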
diff --git a/config/traefik.toml b/config/traefik.toml
index c72af33..4703d32 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -21,6 +21,7 @@
 
 [api]
   dashboard = true
+  insecure = true
 
 [metrics]
   [metrics.prometheus]
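Review bot: `insecure = true` under `[api]` serves the dashboard and API without authentication on Traefik's internal `traefik` entrypoint (port 8080 by default), and it arrives in a commit whose subject is only about TLS versions. The API exposes the full routing configuration, so it should not be reachable from outside the host; whether port 8080 is published is not visible in the docker-compose.yml hunks here. Prefer dropping the line and exposing `api@internal` through a router with an authentication middleware, or at least add a comment such as `# dashboard without auth on :8080 - do not publish this port`.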
@@ -34,6 +35,11 @@
   exposedByDefault = false
   defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
 
+# we are loading an additional file, as some options can only be defined
+# in a 'dynamic' file config, not in this main config file.
+[providers.file]
+  filename = "/etc/traefik/dynamic_conf.toml"
+
 [certificatesResolvers.default.acme]
   email = "hostmaster@zom.bi"
   storage = "/cert/acme.json"
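Review bot: The new `[providers.file]` block is the only thing that loads the TLS restrictions, and nothing in this patch shows `/etc/traefik/dynamic_conf.toml` being mounted into the container; the docker-compose.yml hunk changes only the image tag. If the file is missing, Traefik presumably logs a provider error and keeps serving with its default TLS options, so the hardening would be silently absent. It is worth confirming after deploy that a TLS 1.0/1.1 handshake is rejected. Consider extending the comment with `# must be mounted at this path; without it the TLS minimum version falls back to the default` and, if edits should apply without a restart, adding `watch = true`.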
@@ -49,3 +55,4 @@
 [[tls.certificates]]
   certFile = "cert/grun.host.origin.pem"
   keyFile = "cert/grun.host.origin.key"
+
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f6081f..02b3593 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 
 services:
   proxy:
-    image: traefik:v2.2
+    image: traefik:v2.3
     ports:
       - "80:80"
       - "443:443"