Best way to handle TLS encryption with Traefik

Hi there,

We are currently using Traefik to support a wide range of microservices. The way our setup is currently architected is that we have envoy-to-envoy communication with Traefik sitting in the middle to facilitate how requests are redirected. Our Traefik app is currently configured to use a host header to redirect requests to the other microservices' envoy containers.

The question now becomes: we need to encrypt all traffic within this network. The best possible outcome for us, as we see it, is shipping self-signed certs that we can use on the envoys for encryption and decryption, as well as on Traefik for TLS termination at the proxy layer to read the headers.

This seems like it would work; however, we would like a way of avoiding early termination at Traefik. I notice the docs say that this feature is currently provided with a TLS passthrough flag. Would this be our best course of action in this case?

Hello @cmwaura

Thanks for using Traefik and posting the question.

We have just discussed that topic internally and I am not sure if we correctly understood the sentence "envoy to envoy communication" with Traefik in the middle. Would you please provide more details concerning that?

If TLS passthrough is set to true, Traefik will pass the request to the lower layer and will not add anything to the request. TLS termination will also be managed on the lower layer of the backend.

I hope that helps.
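To make the two options in the reply concrete, here is an added Traefik v2 dynamic-configuration example (file provider, YAML); it is not from the original thread or from the Traefik project. It contrasts a TCP router with `tls.passthrough: true`, which can only route on the SNI name because Traefik never decrypts, with an HTTP router that terminates TLS, reads the Host header, and re-encrypts toward the envoy while verifying the self-signed CA. The `websecure` entry point, hostnames, backend addresses and `/certs/...` paths are assumed placeholders.

```yaml
# Option A: TLS passthrough. Traefik only sees the ClientHello, so routing
# must use the SNI name (HostSNI), not an HTTP Host header; the envoy behind
# it holds the certificate and terminates TLS itself.
tcp:
  routers:
    envoy-a-passthrough:
      entryPoints:
        - websecure               # assumed entry point on :443
      rule: "HostSNI(`svc-a.internal.example`)"   # placeholder SNI name
      service: envoy-a
      tls:
        passthrough: true         # do not terminate; forward raw TLS bytes
  services:
    envoy-a:
      loadBalancer:
        servers:
          - address: "10.0.0.11:8443"   # constructed envoy address

# Option B: terminate at Traefik so Host-header routing keeps working,
# then re-encrypt to the envoy and verify it against the internal CA
# instead of using insecureSkipVerify.
http:
  routers:
    svc-b-terminated:
      entryPoints:
        - websecure
      rule: "Host(`svc-b.internal.example`)"      # placeholder hostname
      service: svc-b
      tls: {}                     # terminate with the cert from tls.certificates
  services:
    svc-b:
      loadBalancer:
        serversTransport: envoy-mtls
        servers:
          - url: "https://10.0.0.12:8443"   # constructed envoy address
  serversTransports:
    envoy-mtls:
      serverName: "svc-b.internal.example"  # name to verify on the envoy cert
      rootCAs:
        - /certs/internal-ca.pem  # assumed path to the self-signed CA
      certificates:               # client cert so the envoy can verify Traefik
        - certFile: /certs/traefik.crt
          keyFile: /certs/traefik.key

tls:
  certificates:
    - certFile: /certs/svc-b.crt  # assumed cert presented by Traefik
      keyFile: /certs/svc-b.key
```

With option A, an unmatched SNI (or a client that sends none) never reaches the envoy, so use explicit `HostSNI` names rather than `HostSNI(`*`)` if you want Traefik to enforce which services are reachable.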