Client Authentication (mTLS) on an entrypoint

espenmy · December 1, 2020, 1:59pm

I want to have Client Authentication (mTLS) on an entrypoint (all routers) regardless if the entrypoint is contacted using IP or Hostname. I tried following the documentations found here: https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls However using .default here has the undesired effect of enabling clientauth on all entrypoints, which is not what I want. Also is it impossible to enable mTLS on a route unless there is a rule including host? Using rule = "HostRegexp({host:.+}) && PathPrefix(/whoamica/)" does not work, I get an error saying "No domain found in rule HostRegexp({host:.+}) && PathPrefix(/whoamica/), the TLS options applied for this router will depend on the hostSNI of each request" Any pointers greatly appreciated.

jbd · December 2, 2020, 8:59am

Hi @espenmy,

Thanks for your interest in Traefik
In this case,
I would apply the mtls configuration as the default TLS options configuration and define another TLS options configuration that I would apply on other entrypoints.
As you said, tls options is applied regarding the Host rule and not the HostRegex one.

Topic		Replies	Views
Default TLS options without Host Traefik v2 (latest) kubernetes-crd	2	702	September 6, 2022
MTLS on specific paths and/or HostRegexp Traefik v2 (latest) docker	1	706	April 29, 2020
Enable TLS for all routes by default Traefik v2 (latest) docker	2	914	March 13, 2020
mTLS Between Client and Backend Server via Traefik Traefik v2 (latest) kubernetes-ingress	1	1484	June 30, 2020
No mutual TLS, but client is still present certificate Traefik v2 (latest) kubernetes-ingress	2	507	October 18, 2021

Client Authentication (mTLS) on an entrypoint

Related Topics