Hi,
Thanks to a PCI scan I've just realized that my configuration allows HTTP queries to the 443 port.
Traefik is deployed as a daemon set behind a Network Load Balancer with proxy protocol v2 enabled:
--log.level=INFO
--entrypoints.web.address=:8000/tcp
--entrypoints.websecure.address=:8443/tcp
--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8
--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8
--providers.kubernetescrd
--providers.kubernetesingress
--providers.kubernetesingress.ingressendpoint.publishedservice=system/traefik
--entrypoints.websecure.http.tls=true
The ingress has these annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
traefik.ingress.kubernetes.io/router.middlewares: "namespace-headers@kubernetescrd,namespace-regexredirect@kubernetescrd"
All HTTP>>HTTPS redirections are working correctly, but if you send an HTTP request to port 443, Traefik will answer with its default 404:
➜ curl -vi http://fakedomain.com:443
* Trying X.X.X.X:443...
* Connected to fakedomain.com (X.X.X.X) port 443 (#0)
> GET / HTTP/1.1
> Host: fakedomain.com:443
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Thu, 16 Mar 2023 14:37:48 GMT
Date: Thu, 16 Mar 2023 14:37:48 GMT
< Content-Length: 19
Content-Length: 19
<
404 page not found
* Connection #0 to host fakedomain.com left intact
This also happens the other way around:
➜ curl -vLi https://fakedomain.com:80
* Trying X.X.X.X:80...
* Connected to fakedomain.com (X.X.X.X) port 80 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=fakedomain.com
* start date: Feb 9 12:42:39 2023 GMT
* expire date: May 10 12:42:38 2023 GMT
* subjectAltName: host "fakedomain.com" matched cert's "*.fakedomain.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b6aa7a02e0)
> GET / HTTP/2
> Host: fakedomain.com:80
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
HTTP/2 404
< content-type: text/plain; charset=utf-8
content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
x-content-type-options: nosniff
< content-length: 19
content-length: 19
< date: Thu, 16 Mar 2023 14:44:33 GMT
date: Thu, 16 Mar 2023 14:44:33 GMT
<
404 page not found
* Connection #0 to host fakedomain.com left intact
I've tried a few other configurations of redirectscheme and redirectregex middlewares, but I'm not able to block HTTP requests to the websecure EntryPoint.
How can I always enforce the HTTPS scheme? Is there any way to tie a scheme to an entrypoint?
Thank you.
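The finding in the post (a TLS port that still answers plaintext HTTP, which a PCI scanner flags) can be re-checked without a scanner. The script below is an added example, not part of the original post or of Traefik: it sends a bare HTTP/1.1 request to a port and classifies the reply. A listener that returns any HTTP status line on that port, even the 404 seen above, is still serving plaintext; a TLS-only listener either closes the connection or answers with a TLS alert record. The two local listeners (`traefik_like_404`, `tls_only_listener`) and the `serve_once` helper are constructed test doubles so the check runs offline.

```python
"""Probe whether a port meant for TLS accepts plaintext HTTP (added example, not from the post)."""
import socket
import sys
import threading


def probe_plaintext_http(host, port, timeout=5.0):
    """Send a plain (non-TLS) HTTP/1.1 request to host:port and classify the answer.

    Returns a dict:
      accepted -> True if the peer replied with an HTTP status line (plaintext is served)
      status   -> that status line, or None
      error    -> socket error text, or None
    """
    req = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
           "User-Agent: plaintext-probe\r\nConnection: close\r\n\r\n").encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:          # peer closed (TLS-only listeners do this quickly)
                    break
                data += chunk
    except OSError as exc:
        return {"accepted": False, "status": None, "error": str(exc)}
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        return {"accepted": True, "status": first_line.decode(errors="replace"), "error": None}
    # Anything else (empty reply, or a TLS alert record starting with 0x15) is not HTTP.
    return {"accepted": False, "status": None, "error": None}


def serve_once(handler):
    """Constructed test double: one-shot TCP listener on 127.0.0.1, returns its port.
    `handler(conn)` is invoked on the first accepted connection, then the socket is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(4096)   # drain the request bytes
            except OSError:
                pass
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def traefik_like_404(conn):
    """Mimics the behaviour shown in the post: plaintext on the TLS port gets a 404."""
    conn.sendall(b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n"
                 b"Content-Length: 19\r\nConnection: close\r\n\r\n404 page not found\n")


def tls_only_listener(conn):
    """Mimics a TLS-only listener: the HTTP bytes are not a ClientHello, so it sends a
    TLS alert record (fatal, unexpected_message) and closes."""
    conn.sendall(b"\x15\x03\x03\x00\x02\x02\x0a")


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]   (port defaults to 443)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_plaintext_http(target, target_port)
    verdict = "ACCEPTS plaintext HTTP" if result["accepted"] else "rejects plaintext HTTP"
    print(f"{target}:{target_port} {verdict} ({result['status'] or result['error']})")
```

Run it against the load balancer's public address on port 443 after each configuration change; the check only passes once the reply is no longer an HTTP status line. The same function with port 80 simply confirms that plaintext is expected there, so it is the 443 result that matters for the scan finding.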