Is it possible to add mTLS on a specific rule containing HostRegexp and PathXXX? It seems to want a Host rule, and that adds it to the whole endpoint, which is not what I expected. It took a while before I found this in the documentation: "The options field enables fine-grained control of the TLS parameters. It refers to a TLS Options and will be applied only if a Host rule is defined." Ref: https://docs.traefik.io/routing/routers/ This should be mentioned in the mTLS section. Ref: https://docs.traefik.io/https/tls/ The TLS section should also mention that you need a Host rule and that it is possible to define it with a label, e.g. "traefik.http.routers.whoami-clientcert.tls.options=mutual-auth-verify@file"
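The reason for the Host requirement is that Traefik selects the TLS configuration during the handshake, from the SNI name the client presents, before any router rule is evaluated; it can therefore only attach a TLS options set to literal Host() values, and anything else (HostRegexp, a rule with only Path matchers, or no SNI at all) gets the "default" options. The following dynamic configuration for the file provider is an added example, not code from the thread or from the Traefik project; the option name, hostname, paths and service are assumptions. It shows a router whose Host() matcher is combined with PathPrefix(), so mTLS applies only to that host while the path still narrows what the router serves, next to a HostRegexp router that silently falls back to the default options.

```yaml
# Added example (not from the thread): Traefik v2 dynamic configuration for the
# file provider. Option name, hostnames, paths and service URL are assumptions.
tls:
  options:
    # Option set that requires a client certificate and verifies it against caFiles.
    # RequestClientCert only asks for a certificate and does not verify it;
    # RequireAndVerifyClientCert is the setting that actually enforces mTLS.
    mutual-auth-verify:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/client-ca.pem   # CA that issued the client certificates (assumed path)
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    # Works: the literal Host() lets Traefik map the SNI name
    # whoami.example.com to the mutual-auth-verify options during the handshake,
    # while PathPrefix() still limits which requests this router serves.
    whoami-clientcert:
      entryPoints:
        - websecure
      rule: "Host(`whoami.example.com`) && PathPrefix(`/admin`)"
      service: whoami
      tls:
        options: mutual-auth-verify   # unqualified name inside the file provider

    # Does not enforce mTLS: there is no literal Host(), so every SNI name is
    # served with the "default" options and no client certificate is requested.
    whoami-regexp:
      entryPoints:
        - websecure
      rule: "HostRegexp(`{sub:[a-z]+}.example.com`) && PathPrefix(`/admin`)"
      service: whoami
      tls:
        options: mutual-auth-verify

  services:
    whoami:
      loadBalancer:
        servers:
          - url: http://whoami:80   # assumed backend
```

Inside the file provider the options are referenced by their bare name; from another provider, such as the Docker label quoted in the post, the reference needs the provider suffix (`mutual-auth-verify@file`). A quick check of the working router is a connection to `whoami.example.com` without a client certificate: with RequireAndVerifyClientCert the handshake itself must fail rather than reach the backend. Note also that one hostname can carry only one options set; if two routers use the same Host() with different options, Traefik logs the conflict and uses the default options for that host.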
We are also facing this issue. It would be good if you can implement it.
Below is our use case issue:
Dynamic.toml TLS options content:
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA"
    ]
  [tls.options.secure]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA"
    ]
    [tls.options.secure.clientAuth]
      clientAuthType = "RequestClientCert"
Ingress annotation:
traefik.ingress.kubernetes.io/router.tls.options: secure@file
The above annotation is not honoring '[tls.options.secure.clientAuth]' if I set it to the secure TLS option.
But if I set it to default then it is working, because as per the documentation if nothing matches it will go to the default TLS option, because it works on the Host rule. https://docs.traefik.io/v2.2/routing/routers/#options
However, if I set it to a Host rule then it is working as expected.
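For the Kubernetes Ingress provider the same rule applies: Traefik builds the router rule from the Ingress, and only an entry with `spec.rules[].host` produces a Host() matcher that the `router.tls.options` annotation can bind to; a rule with paths but no host becomes a PathPrefix()-only router and falls back to the default options, which matches the behaviour described in the post. The manifest below is an added example, not from the thread or the Traefik project; the host, service name and port are assumptions, and it uses the `secure@file` option set from the post.

```yaml
# Added example (not from the thread): Ingress that gives Traefik v2 a Host()
# matcher so the secure@file TLS options (and their clientAuth) are applied.
# Hostname, service name and port are assumptions.
apiVersion: networking.k8s.io/v1     # Traefik 2.2 and older clusters use networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: whoami-secure
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.options: secure@file
spec:
  rules:
    # The host field is what generates Host(`whoami.example.com`) && PathPrefix(`/`).
    # Omitting it yields a PathPrefix()-only router, and the options annotation
    # is then ignored in favour of the "default" TLS options.
    - host: whoami.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```

Once the Host() matcher exists, the clientAuth block in the `secure` options takes effect for that hostname. Keep in mind that `RequestClientCert`, as used in the post's configuration, only asks the client for a certificate and does not verify or require it, so a missing or untrusted client certificate still completes the handshake; `RequireAndVerifyClientCert` together with `caFiles` is the setting that enforces mutual authentication.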