In an earlier post, I figured out how to turn off TLS 1.0 and 1.1 in Traefik. The security consultant wants us to only support certain cipher suites, so I modified my traefik config to the following:
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    mintls13:
      minVersion: VersionTLS13
  certificates:
    - certFile: /storage/certificates/abc.def.com/fullchain.pem
      keyFile: /storage/certificates/abc.def.com/privkey.pem
Reference I was using for the cipherSuites options: https://www.spad.uk/posts/practical-configuration-of-traefik-as-a-reverse-proxy-for-docker-updated-for-2023/
Now, I'm running into this: HTTP 400 Bad Request (Powered by Swoole)
I checked logs of appwrite-traefik and appwrite - no errors at all.
What are the logs for docker compose logs traefik?
No such container called traefik
docker _compose_ logs traefik
$ docker-compose logs traefik
appwrite-traefik | time="2024-03-19T17:38:41Z" level=info msg="Configuration loaded from flags."
appwrite-traefik | time="2024-03-19T17:38:43Z" level=error msg="the router appwrite_realtime_wss@docker uses a non-existent resolver: dns"
Where are you setting this?
What about docker compose logs appwrite?
$ docker-compose logs appwrite
appwrite | Worker 1 started successfully
appwrite | Worker 2 started successfully
appwrite | Worker 3 started successfully
appwrite | Worker 5 started successfully
appwrite | Worker 4 started successfully
appwrite | Worker 6 started successfully
appwrite | Worker 7 started successfully
appwrite | Worker 9 started successfully
appwrite | Worker 8 started successfully
appwrite | Worker 10 started successfully
appwrite | Worker 11 started successfully
appwrite | Worker 12 started successfully
appwrite | [Setup] - Server database init started...
appwrite | [Setup] - Creating database: appwrite...
appwrite | [Setup] - Server database init completed...
appwrite | Server started successfully (max payload is 6,291,456 bytes)
appwrite | Master pid 1, manager pid 8
Now, I'm screwed - I copied back the original yml file for the traefik config and I still get HTTP 400!
Nothing else?
Nothing else
Seems like setting the cipher suite in the config file screwed up something... I can't get back the original state... is there a way to check why I'm getting this "Swoole" error?
It should be showing up in the appwrite container logs
Did you rebuild the containers after making the changes?
No, for all my changes mentioned in my earlier post, I just had to docker-compose up/down