TLS.MinVersion entrypoint is not working properly in Traefik 1.7.26

What I expect to see

I have configured an entrypoint to use the minimum TLS version 1.2. I expect to see that Traefik will discard any request that uses a TLS version lower than 1.2.

What did you see instead?

I see that I can connect to the URL while using HTTP1.1.

curl -i --tlsv1.1 https://****************/ --http1.1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Content-Length: 1479
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Sep 2020 15:43:02 GMT
Etag: W/"5c7-173c8d0d0f8"
Last-Modified: Fri, 07 Aug 2020 12:06:35 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.7.26
Codename:     maroilles
Go version:   go1.14.6
Built:        2020-07-28_03:45:27PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

We are running Traefik on Kubernetes and the cloud provider is AWS. Here is the deployment file of Traefik:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "20"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"traefik","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"traefik"}},"template":{"metadata":{"labels":{"app":"traefik"}},"spec":{"containers":[{"args":["--api","--kubernetes","--entryPoints=Name:http Address::80","--entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key","--defaultentrypoints=http,https"],"image":"docker.cognigy.com:5000/traefik:1.7.24-alpine","name":"traefik","ports":[{"containerPort":80,"name":"http"},{"containerPort":443,"name":"https"}],"resources":{"limits":{"cpu":"2000m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"70Mi"}},"volumeMounts":[{"mountPath":"/var/run/secrets/","name":"traefik"}]}],"imagePullSecrets":[{"name":"cognigy-registry-token-prod"}],"volumes":[{"name":"traefik","secret":{"items":[{"key":"tls.crt","path":"traefik.cert"},{"key":"tls.key","path":"traefik.key"}],"secretName":"cognigy-traefik"}}]}}}}
  creationTimestamp: "2020-07-27T07:47:51Z"
  generation: 20
  name: traefik
  namespace: default
  resourceVersion: "18706325"
  selfLink: /apis/apps/v1/namespaces/default/deployments/traefik
  uid: f800da16-ed0f-4181-a749-9e1e48cf17a2
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: traefik
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: traefik
    spec:
      containers:
      - args:
        - --api
        - --kubernetes
        - --entryPoints=Name:http Address::80
        - --entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key
        - --entryPoints=TLS.MinVersion:VersionTLS12
        - --entryPoints=TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - --defaultentrypoints=http,https
        - --metrics.prometheus=true
        - --logLevel=DEBUG
        image: traefik:v1.7.26-alpine
        imagePullPolicy: IfNotPresent
        name: traefik
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        resources:
          limits:
            cpu: "2"
            memory: 200Mi
          requests:
            cpu: 200m
            memory: 70Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/
          name: traefik
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: cognigy-registry-token-prod
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: traefik
        secret:
          defaultMode: 420
          items:
          - key: tls.crt
            path: traefik.cert
          - key: tls.key
            path: traefik.key
          secretName: cognigy-traefik
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2020-09-02T09:54:06Z"
    lastUpdateTime: "2020-09-02T09:54:06Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2020-07-27T08:04:22Z"
    lastUpdateTime: "2020-09-07T14:07:35Z"
    message: ReplicaSet "traefik-7fc6c996" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 20
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1


Here you can see that I configured TLS.MinVersion and TLS.CipherSuites, but I can still use a lower TLS version with the HTTP1.1 protocol.

Debug log

Here is the debug log while I am connecting using TLS 1.1 and HTTP1.1:

2020-09-08T07:58:45.717003440Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717042622Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://100.96.12.5:8000"
2020-09-08T07:58:45.717053397Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717066067Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717075621Z time="2020-09-08T07:58:45Z" level=debug msg="Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel."
2020-09-08T07:58:45.802349693Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: Round trip: http://100.96.12.5:8000, code: 200, Length: 1479, duration: 85.16496ms tls:version: 302, tls:resume:false, tls:csuite:c013, tls:server:dev.cognigy.ai"
2020-09-08T07:58:45.802379905Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.802392128Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.802402549Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"

Did I configure something wrong here?

Hello,

The TLS options must be defined in the same flag as the entrypoint definition.

- --entryPoints=Name:http Address::80
- --entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Thanks a lot. It works now. Just a heads up: TLS.CipherSuites does not work in the same entrypoint definition; it shows "Error preparing server: error creating TLS config: invalid CipherSuite: ".

But without CipherSuites I can block requests that use the lower TLS version.

It's because there is some whitespace in the definition.

The fix:

- --entryPoints=Name:http Address::80
- --entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
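As an added illustration (not Traefik's own code), the Go program below models the whitespace-separated key:value flag format described in this thread: splitting the flag on whitespace means a space after a comma cuts the cipher list short, leaving a trailing empty name that surfaces as the reported "invalid CipherSuite: " error, while the corrected flag parses into a crypto/tls config with MinVersion set. The parsing model, the `brokenFlag`/`fixedFlag` values and the function names are assumptions constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Cipher suite names from the thread mapped to Go's crypto/tls constants.
var suiteIDs = map[string]uint16{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// Constructed flag values: one with a space after a comma (as in the failing post), one without.
const brokenFlag = "Name:https Address::443 TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
const fixedFlag = "Name:https Address::443 TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

// parseEntryPoint models the flag format (assumed model, not Traefik's parser): whitespace
// separates key:value fields, so a space inside the cipher list ends the list early.
func parseEntryPoint(raw string) map[string]string {
	opts := map[string]string{}
	for _, field := range strings.Fields(raw) {
		if kv := strings.SplitN(field, ":", 2); len(kv) == 2 {
			opts[strings.ToLower(kv[0])] = kv[1]
		}
	}
	return opts
}

// buildTLSConfig turns the parsed options into a crypto/tls config and rejects
// unknown cipher suite names, including the empty name left by a trailing comma.
func buildTLSConfig(raw string) (*tls.Config, error) {
	opts := parseEntryPoint(raw)
	cfg := &tls.Config{}
	if opts["tls.minversion"] == "VersionTLS12" {
		cfg.MinVersion = tls.VersionTLS12 // ClientHellos offering only older versions fail the handshake
	}
	if list, ok := opts["tls.ciphersuites"]; ok {
		for _, name := range strings.Split(list, ",") {
			id, known := suiteIDs[name]
			if !known {
				return nil, fmt.Errorf("invalid CipherSuite: %s", name)
			}
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	return cfg, nil
}

func main() {
	_, err := buildTLSConfig(brokenFlag)
	fmt.Println("broken flag:", err) // empty suite name from the cut-off list
	cfg, _ := buildTLSConfig(fixedFlag)
	fmt.Println("fixed flag: min", cfg.MinVersion, "suites", len(cfg.CipherSuites))
}
```

When verifying the entrypoint afterwards, note that curl's `--tlsv1.1` only sets the lowest version curl will offer, so the client may still negotiate TLS 1.2; to confirm that older versions are refused, cap the client instead (for example with curl's `--tls-max 1.1`) and expect a handshake failure.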
