Welcome!
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What did you do?
I was following the Cloudflare mTLS guide to make my server accept only requests from Cloudflare using mTLS.
I followed the "Declaring and referencing a TLSOption" section in this and used the following manifests to configure my Traefik. Because the Cloudflare CA is public information, I can put the secret here.
---
# Source: traefik-ingress/templates/traefik-ingress.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test
  namespace: "goldilocks"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`dev-goldilocks-test.company.dev`)
      services:
        - name: goldilocks-dashboard
          port: 80
  tls:
    secretName: es-cf-company-dev-tls-cert
    options:
      name: tls-option
      namespace: "goldilocks"
---
# Source: traefik-ingress/templates/tls-option.yaml
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: tls-option
  namespace: "goldilocks"
spec:
  clientAuth:
    # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
    secretNames:
      - es-cf-authenticated-origin-pull-ca
    clientAuthType: RequireAndVerifyClientCert
---
apiVersion: v1
data:
  tls.ca: 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
immutable: false
kind: Secret
metadata:
  name: es-cf-authenticated-origin-pull-ca
  namespace: goldilocks
type: Opaque
What did you see instead?
When I tried to access it with
curl -k -sv https://dev-goldilocks-test.company.dev
it was successful, but it shouldn't have been, because I didn't present the certificate to Traefik.
What version of Traefik are you using?
I used the Traefik Helm chart
chart: traefik/traefik
version: 10.19.5
What is your environment & configuration?
logs:
  general:
    level: INFO
  access:
    enabled: true
ports:
  websecure:
    tls:
      enabled: true
providers:
  kubernetesIngress:
    publishedService:
      enabled: true
ingressRoute:
  dashboard:
    enabled: false
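As an added review aid, not part of this issue or of Traefik itself: a hypothetical script that walks the reference chain in the manifests above (IngressRoute -> tls.options -> TLSOption -> CA secret) and reports anything that would leave the route on Traefik's default TLS options, where no client certificate is demanded. The resource names and values are transcribed from the issue; the CA bundle is a placeholder.

```python
# Hypothetical review script (not Traefik's code): checks that an IngressRoute's
# mTLS wiring resolves end to end. Resources are this issue's manifests,
# transcribed into dicts; the CA bundle is replaced by a placeholder.
INGRESS_ROUTE = {
    "apiVersion": "traefik.containo.us/v1alpha1", "kind": "IngressRoute",
    "metadata": {"name": "test", "namespace": "goldilocks"},
    "spec": {"tls": {"secretName": "es-cf-company-dev-tls-cert",
                     "options": {"name": "tls-option", "namespace": "goldilocks"}}},
}
TLS_OPTIONS = [{
    "apiVersion": "traefik.io/v1alpha1", "kind": "TLSOption",
    "metadata": {"name": "tls-option", "namespace": "goldilocks"},
    "spec": {"clientAuth": {"secretNames": ["es-cf-authenticated-origin-pull-ca"],
                            "clientAuthType": "RequireAndVerifyClientCert"}},
}]
SECRETS = [{
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "es-cf-authenticated-origin-pull-ca", "namespace": "goldilocks"},
    "data": {"tls.ca": "<base64 CA bundle placeholder>"},
}]

def find(objs, name, namespace):
    """Look up a resource by name in a namespace (None if absent)."""
    return next((o for o in objs if o["metadata"]["name"] == name
                 and o["metadata"].get("namespace") == namespace), None)

def check_client_auth(route, tls_options, secrets):
    """Return findings; an empty list means client certs are required and verifiable."""
    ns = route["metadata"]["namespace"]
    ref = route["spec"].get("tls", {}).get("options")
    if not ref:
        return ["no tls.options on the IngressRoute: default TLS options, no client auth"]
    opt = find(tls_options, ref["name"], ref.get("namespace", ns))
    if opt is None:
        return [f"TLSOption {ref['name']} not found: Traefik falls back to default options"]
    findings = []
    # Traefik only began watching the traefik.io group in 2.10; earlier releases
    # never see a TLSOption declared there, which silently disables client auth.
    groups = {route["apiVersion"].split("/")[0], opt["apiVersion"].split("/")[0]}
    if len(groups) > 1:
        findings.append(f"API group mismatch between IngressRoute and TLSOption: {sorted(groups)}")
    auth = opt["spec"].get("clientAuth", {})
    if auth.get("clientAuthType") != "RequireAndVerifyClientCert":
        findings.append(f"clientAuthType {auth.get('clientAuthType')!r} does not reject unauthenticated clients")
    if not auth.get("secretNames"):
        findings.append("clientAuth.secretNames is empty: no CA to verify against")
    for name in auth.get("secretNames", []):
        sec = find(secrets, name, opt["metadata"]["namespace"])
        if sec is None:
            findings.append(f"CA secret {name} missing in {opt['metadata']['namespace']}")
        elif not {"tls.ca", "ca.crt"} & set(sec.get("data", {})):
            findings.append(f"CA secret {name} has neither tls.ca nor ca.crt")
    return findings
```

Run against the manifests as posted, the only finding is the API group mismatch between the IngressRoute (traefik.containo.us) and the TLSOption (traefik.io); with both in one group the chain resolves cleanly.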