I am new to Traefik and I am attempting to configure mTLS. I will post what I think is enough of my configuration but if I need to post more please just ask. My issue is I get no errors with my deployment but I also am never prompted to provide a client certificate when browsing to the dashboard. It seems as if I have an association problem between my TLS configuration and applying it properly? I am running Traefik in Docker Swarm by mounting the traefik.yml and I am successfully retrieving certificates from Let's Encrypt.
- traefik.yml
global:
checkNewVersion: true
sendAnonymousUsage: true
providers:
docker:
swarmMode: true
exposedByDefault: false
metrics:
prometheus:
addEntryPointsLabels: true
addRoutersLabels: true
addServicesLabels: true
entryPoint: metrics
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
certificatesResolvers:
myresolver:
acme:
email: name@domain.com
storage: acme.json
tlsChallenge: {}
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ":443"
http:
tls:
options: mtls
api:
dashboard: true
accessLog:
bufferingSize: 100
http:
routers:
dash:
tls:
options: default
tls:
options:
mtls:
clientAuth:
caFiles:
- /ca.crt
clientAuthType: RequireAndVerifyClientCert
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
- Docker Swarm stack file
version: "3.3"
services:
traefik:
image: traefik:v2.5
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./acme.json:/acme.json
configs:
- source: traefik_v7
target: /etc/traefik/traefik.yml
- source: ca_crt
target: /ca.crt
deploy:
labels:
- traefik.enable=true
- traefik.http.routers.dash.rule=Host(`my.domain.com`)
- traefik.http.routers.dash.entrypoints=websecure
- traefik.http.routers.dash.tls.certresolver=myresolver
- traefik.http.routers.dash.service=api@internal
- traefik.http.services.dash.loadbalancer.server.port=80
placement:
constraints:
- node.role==manager
- node.labels.traefik==true