Hi there,
The goal is to disable SSL/TLS for a specific entryPoint, for example the web :80 entryPoint. By default, Traefik 2.x offers SSL/TLS negotiation on any declared entryPoint, which can be undesirable for some.
traefik.yml:
entryPoints:
  http-v4:
    address: ":80"
  https-v4:
    address: ":443"
providers:
  file:
    directory: /etc/traefik/dynamic/
dynamic/default.yml:
http:
  routers:
    test:
      entryPoints:
        - http-v4
        - https-v4
      rule: "HostRegexp(`{host:.*}`)"
      service: hello
  services:
    hello:
      loadBalancer:
        servers:
          - url: http://hello:80
Results of localhost:
% openssl s_client -connect localhost:80
CONNECTED(00000005)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=TRAEFIK DEFAULT CERT
i:/CN=TRAEFIK DEFAULT CERT
[...]
% openssl s_client -connect localhost:443
CONNECTED(00000005)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=TRAEFIK DEFAULT CERT
i:/CN=TRAEFIK DEFAULT CERT
[...]
Results of community.traefik.io:
% openssl s_client -connect community.traefik.io:80
CONNECTED(00000005)
4608577196:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
[...]
% openssl s_client -connect community.traefik.io:443
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=*.discourse.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
[...]
Is there any way to disable SSL/TLS on specific entryPoints?
Thank you!
Cheers,
Sven
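The `openssl s_client` check from the post can be scripted to audit several listeners at once. The following is an added example, not part of the original post or of Traefik: it sends a TLS ClientHello to each target and reports whether TLS was negotiated and whether the certificate is the `TRAEFIK DEFAULT CERT` seen above. The function names and result labels are assumptions made for this sketch.

```python
import socket
import ssl
import sys

# CN of the certificate shown in the s_client output in the post
DEFAULT_CN = b"TRAEFIK DEFAULT CERT"


def classify(der_cert):
    """Label a handshake result; der_cert is None when no TLS was negotiated."""
    if der_cert is None:
        return "no-tls"
    # The CN is stored as plain ASCII inside the DER, so a byte search finds it.
    if DEFAULT_CN in der_cert:
        return "tls-default-cert"
    return "tls-other-cert"


def probe(host, port, timeout=5.0):
    """Send a TLS ClientHello to host:port and report what answered."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the goal is to inspect the certificate,
    ctx.verify_mode = ssl.CERT_NONE  # not to decide whether to trust it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.getpeercert(binary_form=True))
    except (ssl.SSLError, OSError):
        # e.g. "wrong version number": the listener replied with non-TLS
        # bytes, closed the connection, or never completed the handshake
        return classify(None)
    finally:
        raw.close()


if __name__ == "__main__":
    # usage: python probe.py localhost:80 localhost:443
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        print(f"{target}: {probe(host, int(port))}")
```

For the setup in the post, `localhost:80` would report `tls-default-cert`, while a listener that speaks only plaintext, as `community.traefik.io:80` does, reports `no-tls`.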