Adds more secure TLS defaults (min. TLS v1.2, strong ciphers, prevents downgrade attacks on TLS and DTLS)

templates/docker-compose.traefik.yml.j2

@@ -28,6 +28,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - /home/{{ docker_user }}/traefik/traefik.toml:/traefik.toml
       - /home/{{ docker_user }}/traefik/acme.json:/acme.json
+      - /home/{{ docker_user }}/traefik/rules:/rules
 {% if traefik.expose_externally | default(False) %}
     labels:
       - "traefik.enable=true"

templates/t2-rules-tls-options.toml.j2

@@ -0,0 +1,17 @@
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+    sniStrict = true
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
+  ]
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"

templates/traefik.toml.j2

@@ -18,13 +18,14 @@ defaultEntryPoints = ["web", "websecure"]
 #  dashboard = true
 #  insecure = true
 
-[file]
-watch = true
-
 [providers.docker]
   endpoint = "unix:///var/run/docker.sock"
   exposedByDefault = false
 
+[providers.file]
+  directory = "/rules"
+  watch = true
+
 {% if traefik.enable_acme %}
 [certificatesResolvers.defaultresolver.acme]
 {% if traefik.use_acme_staging %}