I'm running traefik 2 in my docker swarm setup. For this I have 3 entrypoints: 2 for internal access (80 and 443) and another one
https_external on another port (9999?) that is exposed externally in the router.
Snip from compose file
As all the services exposed externally should be accessed only through Cloudflare, I've setup
cfcert tls options to require cloudflare origin client certificate
So far so good, given the flag
- --entrypoints.https_external.http.tls.options=cfcert@file all services bound to
https_external entrypoint default to
cfcert and in case I want to have one that does not require proxying through cloudflare, I can override tls.options at the service level.
The (minor) issue is that any direct request to my external port that does not match an existing service will fall into the 404 router, ignoring the entrypoint tls options.
I've tried changing the default tls option instead to require the CF client cert but then it applies to all entrypoints (including the 80/443 internal ones).
I've tried to create a
catch-all service but using
HostRegexp ignores tls option.
TL;DR; Is there any way to configure default 404 router tls options just for an entrypoint? (instead of modifying the default tls options)
Are you using strict SNI? That can stop unexpected domains at the TLS handshake.
Not sure how you are doing TLS certificates in your setup, given that a 404 is received it must be okay.
A catchall router using the https_external entrypoint can use a
PathPrefix(`/`) rule AND the tls options
Hey @cakiwi thanks for the quick reply!
I've tried making a catch all router but using
HostRegexp(.*) instead of the
PathPrefix(/). It worked as catch all as every requested ended up there but it didn't enforce the requirement of client cert.
PathPrefix seems to yield the same result (though I reckon it should be a lighter match than a Regexp hehe)
I got the same warning as with HostRegexp:
time="2021-07-24T01:57:42Z" level=warning msg="No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the hostSNI of each request" entryPointName=https_external routerName=whoamitest2@docker
Then also added the
tls.option as you suggested even though it was already the default option for that entrypoint.
But it still doesn't work. It catches all requests (any cname pointing to my IP), but does not require
Here are my labels:
testit (with invalid tls.option so it falls back to global default) both through and without cloudflare works. as expected.
testit-cf (which uses
cfcert@file as it doesn't any tls.option set: works through cloudflare, get locked skipping cloudflare. as expected
random-garbage (that resolves to same IP but is not bound to any service) does go this service (catchall) but works via CF or without. Not expected as endpoint has
cfcert@file as tls.options and the service itself also has it explicity (as you suggested).
any more tips?