Disabling TLS 1.0 and TLS 1.1 in Traefik
How to configure a minimum TLS version in Traefik to disable TLS 1.1 and 1.0.

By. Jacob
Edited: 2025-08-29 17:16
To disable TLS 1.0 and TLS 1.1 in Traefik, this is what I have tested to work:
1. Edit traefik.yml config file, and add a dynamic configuration:
providers:
  file:
    directory: "/etc/traefik-dynamic"
The providers.file.directory can be added if it doesn't exist already. I have other settings there as well, so I added file.directory to the top of providers. Not sure the ordering matters.
2. Create the config/dynamic/tls.yml file in your host-OS filesystem:
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    mintls13:
      minVersion: VersionTLS13
This will cause Traefik to automatically use the options under "default" for services that don't have specific options specified in their labels. E.g. mintls13@file can be used in docker-compose labels if you want to specify different options for a specific service.
traefik.http.routers.servicename.tls.options: 'mintls13@file'
Replace servicename with your service name. Remember that this is only if you need a service to use different settings from the ones listed under default — you can leave out mintls13 entirely if you don't need it.
3. Edit the docker-compose.yml of the Traefik service to add the new config — it should look a bit like this:
services:
  traefik:
    image: traefik:v2.5
    # ...
    volumes:
      - ./config/etc/traefik:/etc/traefik
      - ./config/etc/dynamic:/etc/traefik-dynamic
      - ./log:/var/log/traefik
Please note, this is not a full docker-compose.yml file, as I only intended to show how to make the proper bind-mounts.
If you are still having problems, I recommend you enable logging and check whether the dynamic config is being read by Traefik.
Remember to restart the Traefik service to be sure the configuration is read.
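To confirm after the restart that the minVersion setting is actually enforced, a client can offer one protocol version at a time and see which handshakes complete. The Go program below is an added example, not part of the original post or of Traefik itself; the names Accepts and tlsprobe are hypothetical, and certificate verification is skipped on purpose because only version negotiation is being examined.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// Protocol versions to probe, oldest first.
var versions = []struct{ Name string; ID uint16 }{
	{"TLS 1.0", tls.VersionTLS10}, {"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12}, {"TLS 1.3", tls.VersionTLS13},
}

// Accepts reports whether addr (host:port) completes a handshake when offered
// exactly one version. A non-nil error means the TCP connection itself failed.
func Accepts(addr string, version uint16) (bool, error) {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	host, _, _ := net.SplitHostPort(addr)
	client := tls.Client(conn, &tls.Config{
		MinVersion:         version, // pin the offer to a single version
		MaxVersion:         version,
		ServerName:         host, // sent as SNI when host is a DNS name
		InsecureSkipVerify: true, // certificate checks are not the point here
	})
	if err := client.Handshake(); err != nil {
		return false, nil // handshake failed: this version was not negotiated
	}
	return client.ConnectionState().Version == version, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: tlsprobe host:port")
		os.Exit(2)
	}
	for _, v := range versions {
		ok, err := Accepts(os.Args[1], v.ID)
		fmt.Printf("%s accepted=%v err=%v\n", v.Name, ok, err)
	}
}
```

Pass the router's host name in host:port so the probe carries the SNI of the service whose options you are checking; with the "default" options above, TLS 1.0 and TLS 1.1 should report accepted=false.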
The Traefik documentation can feel convoluted to newcomers, but I recommend you read the relevant parts slowly and carefully. It is, unfortunately, lacking in practical examples, and the situation is only worsened by the fact that there are multiple ways to do the same thing — not to mention different formats for the configuration files.
Enabling logging
The Traefik log files will reveal whether the dynamic configuration file is being read, so it can be useful to increase the log-level while working on the configuration.
To get more info in the log, set the log level to "DEBUG" in traefik.yml:
log:
  filePath: "/var/log/traefik/traefik.json"
  format: json
  level: DEBUG
providers:
  # ...
Controlling the Traefik service
This depends on your setup, but I use simple docker commands while developing:
docker compose down
docker compose build
docker compose up
You probably do not need to re-build the container, as the configuration file will be re-read by Traefik when the container starts.
If you need to look around inside the container, use this:
docker exec -it traefik ls
This will execute "ls" inside the container; you can replace it with other commands as needed. You might need to modify the Dockerfile if you want to include things like nano and bash, but it really shouldn't be needed to mess around in there much.
Links
- TLS Options - doc.traefik.io