Traefik TLS configuration SSLlabs +A

This article shows how to improve Traefik TLS configuration and security for your Traefik v2 deployment. As a result of following this good practices, your configuration will receive an +A score at SSLlabs.

Traefik Configuration

Traefik Configuration can be set in two different kind of configuration files static and dynamic being written in two different formats YAML or TOML. For this article we are working with the YAML configuration format.

We will call our configuration file dynamic.yml and it will provide two blocks of information:

  1. TLS Options
  2. Secure HTTP Headers

    tls:
    options:
    default:
      minVersion: VersionTLS12
    
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
    
      curvePreferences:
        - CurveP521
        - CurveP384
    
      sniStrict: true
    
    http:
    middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15768000
    

The configuration file dynamic.yml can be added to your container image or you can place it in your mapped volume folder. To call the configuration file, just add the follow command in your Traefik docker-compose.

--providers.file.filename=/etc/traefik/dynamic.yml

If you need more information regarding Traefik v2 Docker Swarm configuration, just follow this link https://adminsecurity.guru/traefik-migrating-v1-to-v2/

Service configuration

Now that our Traefik is properly configured with TLS Options and Secure Headers configuration, we just need to enable the Headers Middleware in our application labels. Keep in mind that we do not need to enable the TLS Option’s because we set it as default and Traefik will automatically apply to all routers.

The label we need to add is:

- "traefik.http.routers.adminsec.middlewares=secHeaders@file"

After the configuration is applied you can visit https://www.ssllabs.com/ssltest/ and check which is the score of your TLS configuration. If you follow this article properly you should receive +A.

AdminSecurity.Guru Results:

https://www.ssllabs.com/ssltest/analyze.html?d=adminsecurity.guru&hideResults=on&latest

If you need assistance on Traefik configuration or deployment you can always contact us at Gonkar IT Security LTD following this link: https://gonkar.com/gonkar-team-support/