I have a Nexus server that is hosted in docker, alongside a Traefik instance.
If I run testssl on the domain at port 443, I get the following, indicating it still has support for TLS 1.2:
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
This is my traefik.yml file:

log:
  level: ERROR
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
http:
  routers:
    http-catch-all:
      rule: hostregexp(`{host:.+}`)
      entrypoints: web
      middlewares:
        - always-https
  middlewares:
    always-https:
      redirectscheme:
        scheme: https
providers:
  docker:
    exposedByDefault: false
certificatesResolvers:
  myresolver:
    acme:
      dnschallenge:
        provider: route53
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      storage: /letsencrypt/acme.json
and this is my docker-compose file:

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    command:
      - "--configFile=/traefik.yml"
    ports:
      - 80:80
      - 443:443
    environment:
      - "AWS_ACCESS_KEY_ID=***"
      - "AWS_SECRET_ACCESS_KEY=***"
      - "AWS_REGION=us-east-1"
      - "AWS_HOSTED_ZONE_ID=***"
    networks:
      - nexus
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "/docker/letsencrypt:/letsencrypt"
      - "/docker/traefik/traefik.yml:/traefik.yml:ro"
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "10m"
  nexus:
    container_name: nexus
    image: sonatype/nexus3
    restart: always
    ports:
      - 8081:8081
    networks:
      - nexus
    volumes:
      - /nexus-data:/nexus-data
    labels:
      - traefik.http.routers.nexus.rule=Host(`my-hostname`)
      - traefik.enable=true
      - traefik.http.routers.nexus.entrypoints=websecure
      - traefik.http.routers.nexus.tls=true
      - traefik.http.routers.nexus.tls.certresolver=myresolver
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "10m"
networks:
  nexus:
    external: true
I was following this page and from that I added this to the bottom of my traefik.yml file above:

tls:
  options:
    default:
      minVersion: VersionTLS13
    mintls13:
      minVersion: VersionTLS13

and to the labels of the nexus service in my docker-compose.yml file, I added:

      - traefik.http.routers.nexus.tls.options=mintls13@file
However when I reload the container, I get this in the logs:
traefik | time="2025-01-19T15:30:08Z" level=error msg="building router handler: unknown TLS options: mintls13@file" entryPointName=websecure routerName=nexus@docker
traefik | time="2025-01-19T15:30:08Z" level=error msg="unknown TLS options: mintls13@file" entryPointName=websecure routerName=nexus@docker
and I still get the same output from testssl, indicating it's still supporting a minimum of TLS 1.2. If I remove the mintls13 entry in both the traefik.yml & docker-compose.yml files - meaning the default TLS minimum version of 1.3 should be picked, based on what it says in the traefik docs:

The default option is special. When no tls options are specified in a tls router, the default option is used.

I don't get any errors, but testssl is still telling me it supports a minimum of TLS 1.2, so it's clearly not seeing the TLS default options I've set in traefik.yml either.
If I bring down both the nexus & traefik services, testssl sees nothing there, but if I start up just the traefik service, I get the same testssl output as above, with a minimum of TLS 1.2.
Where am I going wrong?
tls (and http) is Traefik dynamic config. Place it in a separate file and load it in static config via providers.file (doc).

Your http-to-https redirect can be placed globally on the entrypoint, check the simple Traefik example.

Note that you should update your Traefik image version.
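As an added worked example of the split the answer describes (not the answerer's or Traefik's own code): the tls and http sections leave the static traefik.yml and go into a dynamic file that providers.file loads, the redirect moves onto the web entrypoint, and the existing router label traefik.http.routers.nexus.tls.options=mintls13@file then resolves. The host path /docker/traefik/dynamic.yml and the container path /dynamic.yml are assumptions; mount that file into the traefik container the same way traefik.yml is mounted.

```yaml
# --- /docker/traefik/traefik.yml (static config, mounted as /traefik.yml) ---
log:
  level: ERROR
entryPoints:
  web:
    address: ":80"
    http:
      redirections:        # global HTTP->HTTPS redirect, replaces the http-catch-all router
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /dynamic.yml # assumed container path, e.g. "/docker/traefik/dynamic.yml:/dynamic.yml:ro"
    watch: true            # pick up edits to the dynamic file without a restart
certificatesResolvers:
  myresolver:
    acme:
      dnschallenge:
        provider: route53
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      storage: /letsencrypt/acme.json
---
# --- /docker/traefik/dynamic.yml (dynamic config, loaded by providers.file) ---
tls:
  options:
    default:               # used by every TLS router that names no option, and for the default cert
      minVersion: VersionTLS13
    mintls13:              # referenced from the docker label as mintls13@file
      minVersion: VersionTLS13
```

With default set this way the mintls13@file label is optional; after restarting Traefik, testssl against port 443 should report TLS 1.2 as not offered, and the "unknown TLS options" error no longer appears in the logs.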