Most of the servers I deploy to and manage here at Grinnell College are now “Dockerized”, and all of those use Traefik to manage traffic, of course. Before a web app or server can be opened to the world here, it has to pass a vulnerability scan, and I’m not privy to the specifics of that scan. However, I do know that “weak cipher suites” are a common source of failure among my newest servers. It took a couple of weeks of searching and trial-and-error fixes to identify the nature and specific source of these weaknesses, and to eradicate them. In my case Traefik was the “source”, and the solution was (and is) to add the following configuration to the applicable docker-compose.yml files or docker run… command:

      --entrypoints="Name:http Address::80 Redirect.EntryPoint:https" \
      --entryPoints="Name:https Address::443 TLS TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" \
      --defaultentrypoints="http,https"

In a traefik.toml file the syntax should look something like this in the “[entryPoints.https.tls]” section:

[entryPoints.https.tls]
  minVersion = "VersionTLS12"
  cipherSuites = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
  ]

In this code snippet, pulled from https://github.com/McFateM/docker-bootstrap/blob/master/files/docker-compose.yml, the second --entryPoints line holds the key. That line sets TLS.MinVersion to TLS 1.2, which shuts out the older protocol versions (and with them most of the older, weak defaults), and its TLS.CipherSuites setting overrides the default suites with a short list of stronger ones.
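Traefik is written in Go and hands these suite names to crypto/tls, so Go's own tables are a convenient way to audit a list like the one above before a scanner does. The following is an added example, not code from the post or from Traefik; it assumes Go 1.14 or newer (for tls.CipherSuites) and the legacy CHACHA20 spellings Traefik v1 accepted, and it shows that the two CBC_SHA256 suites at the end of the list are ones Go itself marks insecure.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// The suite list from the Traefik snippet above, copied verbatim.
var traefikSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
// audit resolves each name against the suites Go considers secure and returns
// their IDs plus every name it would reject (Go-insecure such as CBC_SHA256, or unknown).
func audit(names []string) (ids []uint16, rejected []string) {
	secure := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	for _, n := range names {
		id, ok := secure[n]
		if !ok {
			// Traefik v1 accepted legacy CHACHA20 names without Go's "_SHA256" suffix.
			id, ok = secure[n+"_SHA256"]
		}
		if ok {
			ids = append(ids, id)
		} else {
			rejected = append(rejected, n)
		}
	}
	return ids, rejected
}

// hardenedConfig builds the TLS 1.2+ config the snippet describes and
// refuses to start if any weak or unrecognised suite slipped into the list.
func hardenedConfig(names []string) (*tls.Config, error) {
	ids, rejected := audit(names)
	if len(rejected) > 0 {
		return nil, fmt.Errorf("weak or unknown cipher suites: %v", rejected)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}
```

Run against the list above, audit reports the two CBC_SHA256 suites as rejected and hardenedConfig refuses them; dropping those two yields a config Go is happy with.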

And that’s a wrap. Until next time…