Docker, Let's Encrypt and A+ certificate

By default, I receive cert B. I want to tune the options for A+, but based on the current documentation I cannot do it.

I saw a configuration based on a traefik.toml file, but how do I implement the same using docker compose?

This is my service:

version: "3.7"

services:
    nginx:
        container_name: rs_nginx
        image: nginx:stable-alpine
        restart: unless-stopped
        labels:
            - traefik.enable=true
            - traefik.docker.network=proxy
            - traefik.http.routers.mysite.rule=Host(`sub.domain.com`)
            - traefik.http.routers.mysite.entrypoints=websecure
            - traefik.http.routers.mysite.tls.certresolver=le

networks:
    default:
        external:
            name: proxy

And a separate docker-compose.yaml for traefik:

version: "3.7"

services:
  reverse-proxy:
    container_name: traefic
    image: "traefik:v2.1"
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "storage:/storage"
    restart: always
    command:
#      - --log.level=DEBUG
#      - --api.insecure
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --certificatesresolvers.le.acme.email=email@example.com
      - --certificatesResolvers.le.acme.storage=/storage/acme.json
      - --certificatesResolvers.le.acme.httpChallenge=true
      - --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
volumes:
  storage:

networks:
  default:
    external:
      name: proxy

You could try adding this to the labels:

- "traefik.tls.options.default.minVersion=VersionTLS12"

@Minikea thanks, but it doesn't work for me.

https://docs.traefik.io/https/tls/

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores)

so there is no other option than the file provider.

@Minikea I have created a traefik.yaml file, but I get the same result. Any ideas?

providers:
    docker:
        exposedByDefault: false
api:
    dashboard: true
    insecure: true
entryPoints:
    web:
        address: ":80"
    websecure:
        address: ":443"
certificatesResolvers:
    le:
        acme:
            email: email@example.com
            storage: /storage/acme.json
            httpChallenge:
                entryPoint: web
http:
    middlewares:
        redirect-to-https:
            redirectscheme:
                scheme: https
    routers:
        http-catchall:
            rule: hostregexp(`{host:.+}`)
            entrypoints: web
            middlewares: redirect-to-https
log:
    level: DEBUG
tls:
    options:
        default:
            minVersion: VersionTLS12

And docker-compose.yaml:

version: "3.7"

services:
  reverse-proxy:
    container_name: traefic
    image: "traefik:v2.1"
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "storage:/storage"
    restart: always
volumes:
  storage:

networks:
  default:
    external:
      name: proxy

In v2, the dynamic configuration and the static configuration must be defined in separate files:

traefik.yml

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

api:
  insecure: true

log:
  level: DEBUG

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /dynconfig/

certificatesResolvers:
  le:
    acme:
      email: email@example.com
      storage: /storage/acme.json
      httpChallenge:
        entryPoint: web

/dynconfig/myconfig.yml

http:
  routers:
    http-catchall:
      rule: hostregexp(`{host:.+}`)
      entrypoints: web
      middlewares: redirect-to-https

  middlewares:
    redirect-to-https:
      redirectscheme:
        scheme: https

tls:
  options:
    default:
      minVersion: VersionTLS12

docker-compose.yml

version: "3.7"

services:
  reverse-proxy:
    image: traefik:v2.1
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      - 127.0.0.1:8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # mount source name matches the static file above (traefik.yml)
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynconfig/:/dynconfig/
      - storage:/storage
    restart: always

volumes:
  storage:

networks:
  default:
    external:
      name: proxy

You can find examples of the global redirection pattern in the documentation:
https://docs.traefik.io/v2.1/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers
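The mistake the reply corrects (tls and http sections written into the static file, where Traefik v2 never reads them, and no file provider declared) is easy to repeat. The following linter is an added example, not Traefik's code and not from anyone in this thread: it reads a static file and a dynamic file with a small hand-rolled YAML reader (mapping-only, no PyYAML dependency) and reports the two misplacements plus a missing minVersion. The check rules are my own heuristics; the two embedded configs are constructed samples modelled on the files posted above.

```python
"""Lint a Traefik v2 static/dynamic configuration pair for the mistake in this thread:
TLS options placed in the static file, where Traefik never reads them."""

# Top-level sections Traefik v2 accepts only from a dynamic provider
# (file, docker labels, ...). In the static traefik.yml they are ignored.
DYNAMIC_SECTIONS = ("http", "tcp", "udp", "tls")


def parse_simple_yaml(text):
    """Hand-rolled reader for mapping-only YAML (no PyYAML dependency).

    Handles nested 'key: value' lines, quoted scalars and '#' comments, which is
    all a traefik.yml or a tls/http dynamic file needs. Lists are not supported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, root at pseudo-indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # leave every block that is not our parent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def get_path(tree, *path):
    """Walk nested dicts; None when any step is missing."""
    for step in path:
        if not isinstance(tree, dict) or step not in tree:
            return None
        tree = tree[step]
    return tree


def lint(static_text, dynamic_text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    static = parse_simple_yaml(static_text)
    dynamic = parse_simple_yaml(dynamic_text)
    findings = []
    for section in DYNAMIC_SECTIONS:
        if section in static:
            findings.append(f"static: '{section}' is dynamic configuration and is ignored here; "
                            "move it to the file provider directory")
    if get_path(static, "providers", "file") is None:
        findings.append("static: no providers.file, so a dynamic file carrying tls.options "
                        "can never be loaded")
    min_version = get_path(dynamic, "tls", "options", "default", "minVersion")
    if min_version not in ("VersionTLS12", "VersionTLS13"):
        findings.append("dynamic: tls.options.default.minVersion is not VersionTLS12/VersionTLS13")
    return findings


# Constructed sample: the single traefik.yaml from the question, trimmed to the
# parts that matter (http and tls sit next to the static sections).
MIXED = """
providers:
    docker:
        exposedByDefault: false
entryPoints:
    websecure:
        address: ":443"
http:
    middlewares:
        redirect-to-https:
            redirectscheme:
                scheme: https
tls:
    options:
        default:
            minVersion: VersionTLS12
"""

# Constructed samples: the split layout from the reply, static file plus
# a dynamic file served through providers.file.
STATIC_OK = """
entryPoints:
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /dynconfig/
"""

DYNAMIC_OK = """
tls:
  options:
    default:
      minVersion: VersionTLS12
"""

if __name__ == "__main__":
    for name, pair in (("mixed", (MIXED, "")), ("split", (STATIC_OK, DYNAMIC_OK))):
        print(name, lint(*pair) or ["ok"])
```

Run against the mixed single-file layout it reports four findings (http and tls misplaced, no file provider, no minVersion reachable through a dynamic file); the split layout passes. Because the reader only understands mappings, feed it the traefik.yml and the dynamic file, not the docker-compose file.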


@bobahvas Please open a new topic instead of hijacking other topics :wink:

@ldez first of all, sorry for the old topic :innocent: :blush:

@ldez and thank you very much.
This should work but it doesn't. At least the http -> https redirect doesn't work. After this fix I will check the cert at ssllabs.

I think something is missing in my service configuration:

version: "3.7"

services:
    nginx:
        image: nginx:stable-alpine
        container_name: rs_nginx
        restart: unless-stopped
        labels:
            - traefik.enable=true
            - traefik.docker.network=proxy
            - traefik.http.routers.akkords.rule=Host(`staging.rush-sound.ru`)
            - traefik.http.routers.akkords.entrypoints=websecure
            - traefik.http.routers.akkords.tls.certresolver=le
        networks:
            - default
            - akkords

networks:
    default:
        external:
            name: proxy
    akkords: