Hi,
I have a question. Is it somehow possible to define mtls options based on path rules?
In our environment we want to use traefik to provide access to some grpc services and our legacy java application (tomcat based).
This java application has some URLs (like /manage) which needs client cert support and some URLs (like /api) which should not use client certificates.
So the question is can I configure traefik to use different tls options for the same host but different URLs paths?
Thanks in advance
Alex
Im a little out of my lane on this (never done it before), but you might be able to match on host and URI separately, and then set the TLS options from there.
some pseudo-code with labels
# Dynamic configuration
tls:
options:
my-certs:
clientAuth:
# in PEM format. each file can contain multiple CAs.
caFiles:
- tests/clientca1.crt
- tests/clientca2.crt
clientAuthType: RequireAndVerifyClientCert
service1:
labels:
- traefik.http.routers.example.rule=(Host(`example.com`) && Path(`/api'))
- traefik.http.routers.example.tls=true
# lets just assume letsencrypt here
- traefik.http.routers.example.tls.certresolver=le
- traefik.http.services.example.loadbalancer.server.port=8000
service2:
- traefik.http.routers.example2.rule=(Host(`example.com`) && Path(`/manage'))
- traefik.http.routers.example2.tls=true
- traefik.http.routers.example2.tls.certresolver=my-certs
- traefik.http.services.example2.loadbalancer.server.port=8000
I'm totally shooting from the hip on this one, but does that illustrate the idea?
Yes that's the idea.
I am not sure about the certresolver. I thought I need to set the tls.options (in this case) to my-certs.
But if I try to use different options for different routers on the same host I get a warning:
Found different TLS options for routers on the same host , so using the default TLS options instead for these routers