Disable SSL/TLS on specific entryPoints (eg. ":80")

Hi there,

The goal is to disable SSL/TLS for a specific entryPoint, for example the web :80 entryPoint. By default traefik 2.x is offering SSL/TLS negotiation on any declared entryPoint, which can be undesirable for some.

traefik.yml:

entryPoints:
  http-v4:
    address: ":80"
  https-v4:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/dynamic/

dynamic/default.yml:

http:
  routers:
    test:
      entryPoints:
        - http-v4
        - https-v4
      rule: "HostRegexp(`{host:.*}`)"
      service: hello

  services:
    hello:
      loadBalancer:
        servers:
          - url: http://hello:80

Results of localhost:

% openssl s_client -connect localhost:80
CONNECTED(00000005)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
[...]

% openssl s_client -connect localhost:443
CONNECTED(00000005)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
[...]

Results of community.traefik.io:

% openssl s_client -connect community.traefik.io:80 
CONNECTED(00000005)
4608577196:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
[...]

% openssl s_client -connect community.traefik.io:443
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=*.discourse.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
[...]

Is there any way to disable SSL/TLS on specific entryPoints?

Thank you!

Cheers,
Sven

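As an added check (example code written for this thread, not from the original post or from the Traefik project), the following Python script does in a scriptable way what the openssl s_client runs above show: it sends a bare TLS ClientHello to each entryPoint and reports whether the port answers with a TLS record or with plaintext HTTP. The host and ports are assumed to be your own Traefik instance; the sample responses at the top are constructed, not captured.

```python
import os
import socket
import struct
import sys

# Constructed sample responses (not captures from the hosts in the post)
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x03"   # TLS handshake record, truncated
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"                   # TLS alert: fatal handshake_failure
SAMPLE_HTTP_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello with no extensions: enough to make a TLS
    listener answer with a ServerHello (or at least a TLS alert), while a
    plaintext HTTP listener treats the bytes as a malformed request."""
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"  # a few common RSA/ECDHE-RSA suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server returns after our ClientHello."""
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"              # TLS alert (0x15) or handshake (0x16) record: TLS is offered
    if data.startswith(b"HTTP/"):
        return "plaintext-http"   # server parsed the ClientHello as a (bad) HTTP request
    if not data:
        return "closed"           # connection closed without a reply
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(16)
        except socket.timeout:
            return "no-response"
    return classify_response(reply)


if __name__ == "__main__":
    # Usage: python tls_probe.py localhost 80 443   (host and ports are your own entryPoints)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port in (int(p) for p in sys.argv[2:] or ("80", "443")):
        print(f"{target}:{port} -> {probe(target, port)}")
```

With the configuration from the post, both :80 and :443 report "tls"; a port that really serves plaintext only reports "plaintext-http", which is what the scanners mentioned below are checking for.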

I would like to know too, because in several webscans they point out problems with our ports 80, being that we only redirect to port 443 and I have no idea how to solve this. Disabling TLS for port 80 would resolve all issues.

Nobody?? We have the same issue...