From 145273c35cbf71a88deb9081408c1461f7aafb59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Thu, 6 Nov 2025 18:32:38 +0100
Subject: [PATCH] fix: remove global TLS options to resolve Traefik startup
 race condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removed the global `--entrypoints.web-secure.http.tls.options=default@file`
configuration from proxy/compose.yaml that was causing "unknown TLS options"
errors during Traefik startup.

The issue occurred because Traefik attempted to apply TLS options to all
routers before the file provider finished loading security.yaml, creating
a race condition. Services now use Let's Encrypt certificates without
explicit TLS options at the entrypoint level.

The TLS security settings (minimum TLS 1.2, strong cipher suites, etc.)
remain defined in proxy/dynamic/security.yaml and can be applied to
individual services via their router configurations if needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 proxy/compose.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/proxy/compose.yaml b/proxy/compose.yaml
index cd4d7fb..219bd62 100644
--- a/proxy/compose.yaml
+++ b/proxy/compose.yaml
@@ -41,8 +41,7 @@ services:
       - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
       - '--entrypoints.web.http.redirections.entryPoint.permanent=true'
 
-      # TLS Security Options
-      - '--entrypoints.web-secure.http.tls.options=default@file'
+      # Security Headers (applied globally)
       - '--entrypoints.web-secure.http.middlewares=security-headers@file'
 
       # Let's Encrypt