ct-Open-Source / team-container

A collection of containers to prepare a server for collaboration.

SSL weak ciphers #6

Open ghost opened 4 years ago

ghost commented 4 years ago

I've tested the traefik ciphers: weak ciphers are allowed. I would strongly recommend changing the default settings to disallow weak ciphers...

https://docs.traefik.io/https/tls/

jamct commented 4 years ago

Will be fixed next week. Is on my agenda as well.

jamct commented 4 years ago

I just added a new branch to test the new feature:

You can see the code at 05-global-ingress.yaml

After some testing (please give some feedback) I will add it to the master branch.

ghost commented 4 years ago

I'm testing your feature-ssl branch. I would suggest adding more settings:

minVersion: VersionTLS12
maxVersion: VersionTLS13
# optional - very strict SNI
#sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
- CurveP256

Please remove the line "- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", which is considered to be weak.

Trying to apply your original template fails here:

❯ kubectl apply -f templates/ingress/05-global-ingress.yml
middleware.traefik.containo.us/global-redirect-http unchanged
ingressroute.traefik.containo.us/ingressroute-allredirect unchanged
error: error parsing templates/ingress/05-global-ingress.yml: error converting YAML to JSON: yaml: line 9: could not find expected ':'

This works fine:

❯ cat << EOF  | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  cipherSuites:
  # a collection of secure cipher suites (tested with sslabs.com)
   - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
   - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
   - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
   - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
   - "TLS_AES_128_GCM_SHA256"
   - "TLS_AES_256_GCM_SHA384"
   - "TLS_CHACHA20_POLY1305_SHA256"
   - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   - "TLS_FALLBACK_SCSV"
  minVersion: VersionTLS12
  maxVersion: VersionTLS13
  curvePreferences:
    - CurveP521
    - CurveP384
    - CurveP256
EOF
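As an added example (not code from this repository or from Traefik), the following Go program asks Go's crypto/tls, the library Traefik terminates TLS with, how it classifies each name in a TLSOption cipherSuites list, so a proposed list can be checked before it is applied. The suite list in main is constructed from this thread; the Go 1.14 ChaCha20 renaming handled in Classify is a property of crypto/tls, not of Traefik's config.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Verdict is crypto/tls's own opinion of one configured suite name.
type Verdict struct {
	Name      string
	Status    string // "secure", "insecure" or "unknown" (not a suite crypto/tls negotiates)
	TLS13Only bool   // TLS 1.3 suite: Go ignores CipherSuites for 1.3, so the entry is a no-op
}

// lookup finds a suite by the name crypto/tls uses for it, in both the secure and insecure tables.
func lookup(name string) (*tls.CipherSuite, bool) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs, true
		}
	}
	return nil, false
}

// Classify maps a TLSOption cipherSuites entry to crypto/tls's classification.
func Classify(name string) Verdict {
	cs, ok := lookup(name)
	if !ok && strings.HasSuffix(name, "_CHACHA20_POLY1305") {
		// Go 1.14 renamed the ChaCha20 suites with a _SHA256 suffix; the old names remain aliases.
		cs, ok = lookup(name + "_SHA256")
	}
	if !ok {
		// e.g. TLS_FALLBACK_SCSV: a signalling value, not a negotiable suite.
		return Verdict{Name: name, Status: "unknown"}
	}
	v := Verdict{Name: name, Status: "secure"}
	if cs.Insecure {
		v.Status = "insecure" // CBC-SHA256 suites land here (Lucky13-style MAC timing)
	}
	v.TLS13Only = len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13
	return v
}

// MinVersionOK reports whether a Traefik minVersion value is TLS 1.2 or newer.
func MinVersionOK(minVersion string) bool {
	return minVersion == "VersionTLS12" || minVersion == "VersionTLS13"
}

func main() {
	// Constructed input: suites from the thread's TLSOption plus the contested CBC suite.
	for _, s := range []string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_AES_128_GCM_SHA256", "TLS_FALLBACK_SCSV"} {
		v := Classify(s)
		fmt.Printf("%-45s %-9s tls13only=%v\n", v.Name, v.Status, v.TLS13Only)
	}
}
```

Requires Go 1.14 or newer, where tls.CipherSuites and tls.InsecureCipherSuites exist.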