mTLS Between Client and Backend Server via Traefik

Hi,

Is it possible to establish an mTLS HTTPS session between the client and the backend service, routed via Traefik (end-to-end TLS)?

Have been using an IngressRoute (rather than IngressRouteTCP). The passtlscert middleware is sending the client cert data to the auth-server correctly:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tls
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`endservice.myserver.com`)
    middlewares:
    - name: passtlscert
    - name: liu-auth
    services:
    - name: endservice-svc
      port: 4431
  tls:
    options:
      default:
        clientAuth:
          clientAuthType: RequireAnyClientCert
    passthrough: true

The endservice has nginx in front and responds with "No required SSL certificate was sent".

I don't believe this to be a bug, but more of an issue with either the setup or my expectations of functionality that does not as yet exist?

I am not using LetsEncrypt for the certificates; they are issued through a self-hosted CA.

Achievable using a TCP router; however, there is now no facility to use forwardAuth:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  creationTimestamp: "2020-06-30T12:50:04Z"
  generation: 4
  name: biftcp
spec:
  entryPoints:
  - websecure
  routes:
  - match: HostSNI(`anapi.somewhere.com`)
    services:
    - name: app-example
      port: 5555
  tls:
    passthrough: true

Hopefully this will be added functionality in the next version to drop

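The two configurations above illustrate the trade-off at the heart of the question: with `passthrough: true` Traefik forwards the raw TLS bytes and can only see the SNI from the ClientHello, so HTTP-level middlewares such as forwardAuth cannot run; with an HTTP IngressRoute Traefik terminates the client's TLS (and so the mTLS handshake) itself, and the backend only learns about the client certificate through the headers the passTLSClientCert middleware adds. The following is an added example, not code from the original post or from Traefik, showing what a backend (or the forwardAuth server) should do with that forwarded identity in the terminate-at-Traefik design: parse the `X-Forwarded-Tls-Client-Cert-Info` header (layout `Key="value";Key="value"`, URL-encoded, as documented for the middleware), check the certificate validity window it carries, and, above all, accept it only from a known proxy address, since any client able to reach the backend directly could otherwise forge the header. The proxy address `10.42.0.5`, the header sample and the timestamps are constructed values.

```python
"""Backend-side handling of the client identity forwarded by Traefik's
passTLSClientCert middleware (added example; not Traefik's own code)."""
import re
from urllib.parse import quote, unquote

# Assumption: the backend sees Traefik's pod address as the TCP peer.
# Only these peers may assert a client identity via forwarded headers.
TRUSTED_PROXIES = {"10.42.0.5"}

# One Key="value" field of the cert-info header.
_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_cert_info(value):
    """Split a cert-info header value into a dict of its fields.

    Traefik URL-encodes the header; unquoting first also leaves an
    already-plain value unchanged, so both forms parse the same way."""
    decoded = unquote(value)
    return {key: val for key, val in _PAIR.findall(decoded)}


def dn_attr(dn, attr):
    """Last value of `attr` in a comma-separated DN string, or None.

    A DN may repeat attributes; the last occurrence is returned."""
    found = None
    for part in dn.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            if key.strip() == attr:
                found = val.strip()
    return found


def client_identity(headers, peer_ip, now, trusted_proxies=TRUSTED_PROXIES):
    """Return the forwarded client identity, or None if it must not be trusted.

    None is returned when the request did not come from a trusted proxy,
    when the header is absent or malformed, or when `now` (a Unix
    timestamp) falls outside the certificate's NB..NA validity window."""
    if peer_ip not in trusted_proxies:
        return None  # header may have been forged by a direct client
    value = headers.get("X-Forwarded-Tls-Client-Cert-Info")
    if not value:
        return None
    info = parse_cert_info(value)
    try:
        not_before = int(info["NB"])
        not_after = int(info["NA"])
    except (KeyError, ValueError):
        return None
    if not (not_before <= now <= not_after):
        return None
    cn = dn_attr(info.get("Subject", ""), "CN")
    if cn is None:
        return None
    return {
        "subject_cn": cn,
        "issuer_cn": dn_attr(info.get("Issuer", ""), "CN"),
        "san": [s for s in info.get("SAN", "").split(",") if s],
    }


# Constructed sample header value in the documented Key="value";... layout.
SAMPLE_INFO = (
    'Subject="C=FR,O=Cheese,CN=client.cheese.com";'
    'Issuer="C=FR,O=Cheese,CN=Simple Signing CA 2";'
    'NB="1544094616";NA="1607166616";'
    'SAN="client.cheese.com,ops@cheese.com"'
)


def sample_headers():
    """Headers as the backend would receive them: value URL-encoded."""
    return {"X-Forwarded-Tls-Client-Cert-Info": quote(SAMPLE_INFO, safe="")}


if __name__ == "__main__":
    hdrs = sample_headers()
    # From the trusted proxy, inside the validity window: identity accepted.
    print(client_identity(hdrs, "10.42.0.5", now=1570000000))
    # Same header from an unknown peer: ignored.
    print(client_identity(hdrs, "203.0.113.9", now=1570000000))
```

The peer-address check is the part that matters most: Traefik has already verified the client certificate against the CA configured in the TLS options, so the backend's job is not to re-validate the chain but to make sure the assertion it reads really came from Traefik. In a cluster this is usually enforced at the network layer as well (a NetworkPolicy that only admits the proxy to the backend port), with the address check as defence in depth.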