Most of the servers I deploy to and manage here at Grinnell College are now “Dockerized”, and all of those use Traefik to manage traffic, of course. Before a web app or server can be opened for access to the world here, it has to pass a vulnerability scan, and I’m not privy to the specifics of that scan. However, I do know that “weak cipher suites” are a common source of failure among my newest servers. It took a couple of weeks of searching, and trial/error solution attempts to identify the nature and specific source of these weaknesses, and to eradicate them. In my case Traefik was the “source” and the solution was/is to add the following configuration in the applicable docker-compose.yml files, or docker run… command:

      --entrypoints="Name:http Address::80 Redirect.EntryPoint:https" \

In a traefik.toml file the syntax should look something like this in the “[entryPoints.https.tls]” section:

  minVersion = "VersionTLS12"
  cipherSuites = [

In this code snippet, pulled from, the second --entryPoints line holds the key. That line specifies a TLS.MinVersion that excludes most of the older, weak default ciphers. It also overrides the default suites with a short list of stronger suites.

And that’s a wrap. Until next time…