Multiple mtls options based on path rules

abrausch · February 24, 2020, 4:24pm

Hi,
I have a question. Is it somehow possible to define mtls options based on path rules?
In our environment we want to use traefik to provide access to some grpc services and our legacy java application (tomcat based).
This java application has some URLs (like /manage) which needs client cert support and some URLs (like /api) which should not use client certificates.
So the question is can I configure traefik to use different tls options for the same host but different URLs paths?

Thanks in advance
Alex

simplecto · February 24, 2020, 5:03pm

Im a little out of my lane on this (never done it before), but you might be able to match on host and URI separately, and then set the TLS options from there.

https://docs.traefik.io/routing/routers/#options_1

some pseudo-code with labels

# Dynamic configuration

tls:
  options:
    my-certs:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - tests/clientca1.crt
          - tests/clientca2.crt
        clientAuthType: RequireAndVerifyClientCert

service1:
  labels:
            - traefik.http.routers.example.rule=(Host(`example.com`) && Path(`/api'))
            - traefik.http.routers.example.tls=true
            # lets just assume letsencrypt here
            - traefik.http.routers.example.tls.certresolver=le
            - traefik.http.services.example.loadbalancer.server.port=8000

service2:
            - traefik.http.routers.example2.rule=(Host(`example.com`) && Path(`/manage'))
            - traefik.http.routers.example2.tls=true
            - traefik.http.routers.example2.tls.certresolver=my-certs
            - traefik.http.services.example2.loadbalancer.server.port=8000

I'm totally shooting from the hip on this one, but does that illustrate the idea?

abrausch · February 24, 2020, 9:12pm

Yes that's the idea.
I am not sure about the certresolver. I thought I need to set the tls.options (in this case) to my-certs.
But if I try to use different options for different routers on the same host I get a warning:
Found different TLS options for routers on the same host , so using the default TLS options instead for these routers

fstorz · July 29, 2024, 3:23pm

You cannot use different clientAuth tls options on the same host/domain.
See e.g. here Traefik Routers Documentation - Traefik (-> Server Name Association) or Distinct mTLS (client certificate) authentication for multiple paths on the same host · Issue #9202 · traefik/traefik · GitHub

Topic		Replies	Views
MTLS on specific paths and/or HostRegexp Traefik v2 docker	1	852	April 29, 2020
2 TLS options for one domain Traefik v2 file	1	503	January 8, 2021
Many "found different TLS options for routers on the same host" errors Traefik v2 docker	3	1188	July 29, 2024
Restrict http url path using mtls Traefik v2 docker , file	3	1707	May 22, 2021
Client_auth conditional on PathPrefix Traefik v2 docker , middleware	0	572	March 28, 2022

Multiple mtls options based on path rules

Related topics