Configure clientAuth (mTLS) for docker container

Hi there, I want to secure a route to a docker container with clientAuth. With the following config in my dynamic config, everything works:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/xxx.crt
        keyFile: /certs/xxx.key
  options:
    default:
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        caFiles:
          - /certs/myCA.pem

But I want to enable clientAuth only for a special container. So I have the following config:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/xxx.crt
        keyFile: /certs/xxx.key
  options:
    mtls:
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        caFiles:
          - /certs/myCA.pem

In my docker compose for the special container I have the following label:

- traefik.http.routers.xxx.tls.options=mtls@file

In the dashboard it looks good:


But when opening the routed site no client certificate is requested.

I found it myself. For others who have the same problem:
My router rule label only contained a PathPrefix. If I add the host, the mtls option works:

traefik.http.routers.xxx.rule=Host(`xxx.com`) && PathPrefix(`/xxx`)
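A lint for the misconfiguration found above, as an added example that is not part of the original post or Traefik's own code: it scans compose labels for routers that reference a TLS option while their rule names no Host, which is the situation in which the poster saw no client certificate requested. The label list is constructed sample data; the router names `ok` and `plain` and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample labels; "xxx" mirrors the post, "ok" and "plain" are hypothetical.
SAMPLE_LABELS = [
    "- traefik.http.routers.xxx.rule=PathPrefix(`/xxx`)",
    "- traefik.http.routers.xxx.tls.options=mtls@file",
    "- traefik.http.routers.ok.rule=Host(`xxx.com`) && PathPrefix(`/xxx`)",
    "- traefik.http.routers.ok.tls.options=mtls@file",
    "- traefik.http.routers.plain.rule=PathPrefix(`/public`)",
]

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$")
# Matches Host(`a`) or Host(`a`, `b`); HostRegexp(...) and HostSNI(...) do not match.
HOST_RE = re.compile(r"\bHost\(\s*((?:[`\"][^`\"]+[`\"]\s*,?\s*)+)\)")
NAME_RE = re.compile(r"[`\"]([^`\"]+)[`\"]")


def parse_routers(labels):
    """Group router labels by router name: {name: {"rule": ..., "tls.options": ...}}."""
    routers = defaultdict(dict)
    for label in labels:
        m = LABEL_RE.match(label.strip().lstrip("- ").strip())
        if m:
            name, key, value = m.groups()
            routers[name][key.lower()] = value
    return dict(routers)


def hosts_in_rule(rule):
    """Return the literal host names given in Host(...) matchers of a rule."""
    hosts = []
    for group in HOST_RE.findall(rule or ""):
        hosts.extend(NAME_RE.findall(group))
    return hosts


def find_unbound_tls_options(labels):
    """Routers that set a non-default tls.options but whose rule names no Host."""
    findings = []
    for name, cfg in sorted(parse_routers(labels).items()):
        option = cfg.get("tls.options")
        if option and option != "default" and not hosts_in_rule(cfg.get("rule")):
            findings.append((name, option, cfg.get("rule", "")))
    return findings


if __name__ == "__main__":
    for name, option, rule in find_unbound_tls_options(SAMPLE_LABELS):
        print(f"router {name!r}: tls.options={option} but rule {rule!r} names no Host")
```
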