I apologize in advance if this issue has already been answered, but I could not find anything about it.
I use Traefik version 2.2.1.
I have two routes, safe.example.com and example.com, each pointing to a different service: the first one is supposed to require a client certificate while the other does not.
I also want to use Let's Encrypt to obtain a certificate valid for both routes (CN: example.com, SAN: example.com, safe.example.com).
Traefik has two entrypoints: web (HTTP) and websecure (HTTPS). The web entrypoint just redirects all requests to websecure.
I would expect the safe route to require a client certificate (the safe TLS option) without compromising the certificate resolver (the default TLS option). When I set the TLS option field at the router level, from what I read in the documentation (https://docs.traefik.io/v2.2/routing/entrypoints/#tls), the default configuration applied at the entrypoint level will not be applied at all. Am I right?
I did not want to mess up my configuration, so before trying to apply this I wanted to be extra sure by asking here. Thanks in advance for your awesome work.
Here's my configuration:
static configuration:
# Static configuration (read once at startup).
[providers]
# Dynamic configuration (routers/services) is loaded from files in this
# directory; watch = true reloads it when the files change.
[providers.file]
directory = "/etc/traefik/dynamic/"
watch = true
[entryPoints]
# Plain HTTP entrypoint; every request on it is redirected to websecure.
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections]
# NOTE(review): the letsenc resolver below uses an httpChallenge on this
# entrypoint — confirm the challenge is still answered despite the redirect.
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
# HTTPS entrypoint; TLS is terminated here.
[entryPoints.websecure]
address = ":443"
# Entrypoint-level TLS defaults for routers on websecure: the "default"
# TLS options and the letsenc resolver, with one certificate covering
# example.com and safe.example.com.
[entryPoints.websecure.http.tls]
options = "default"
certResolver = "letsenc"
[[entryPoints.websecure.http.tls.domains]]
main = "example.com"
sans = ["safe.example.com"]
# API/dashboard: insecure = false keeps it off the unauthenticated API port;
# presumably it is exposed through a router elsewhere — none is defined
# in the dynamic configuration shown below.
[api]
insecure = false
dashboard = true
debug = false
[certificatesResolvers]
[certificatesResolvers.letsenc]
# ACME account and issued certificates (including private keys) are kept
# in storage; keep this file readable by Traefik only (Traefik expects
# 0600 permissions on it).
[certificatesResolvers.letsenc.acme]
email = "admin@example.com"
storage = "/etc/traefik/acme.json"
# HTTP-01 validation is served on the plaintext "web" entrypoint.
[certificatesResolvers.letsenc.acme.httpChallenge]
entryPoint = "web"
# NOTE(review): in Traefik v2, tls.options belongs to the dynamic
# configuration (file provider), not the static one — confirm this section
# is not rejected at startup and move it next to the routers if it is.
[tls.options]
# Options applied to routers without their own tls.options: TLS 1.2+,
# sniStrict rejects connections without a matching SNI name, and only
# ECDHE forward-secret AEAD suites are offered (the list is consulted for
# TLS 1.2 only; Go does not make TLS 1.3 suites configurable).
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
# Same settings as "default" plus mandatory client-certificate (mutual TLS)
# authentication; selected by the safe router's tls.options.
[tls.options.safe]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
# caFiles lists the CA(s) that must have signed the client certificate;
# RequireAndVerifyClientCert makes the handshake fail when no valid client
# certificate is presented, so unauthenticated clients never reach the service.
[tls.options.safe.clientAuth]
caFiles = ["/etc/traefik/certs/ca.cert.pem"]
clientAuthType = "RequireAndVerifyClientCert"
dynamic configuration:
# Dynamic configuration (loaded by the file provider).
[http.routers]
# Public route; it has no tls section of its own, so the websecure
# entrypoint defaults (options "default", resolver letsenc) apply to it.
[http.routers.app]
rule = "Host(`example.com`)"
service = "app"
entryPoints = ["websecure"]
# Client-certificate-protected route.
[http.routers.safe]
rule = "Host(`safe.example.com`)"
service = "safe"
entryPoints = ["websecure"]
# NOTE(review): per the linked entrypoint docs, a router-level tls section
# replaces the entrypoint's TLS defaults for this router — confirm whether
# certResolver = "letsenc" must be restated here so the safe host keeps
# getting the ACME certificate.
[http.routers.safe.tls]
options = "safe"
[http.services]
# Backends are reached over plaintext HTTP on the internal network;
# TLS (and the client-cert check) terminates at Traefik.
[http.services.app.loadBalancer]
[[http.services.app.loadBalancer.servers]]
url = "http://app:3000"
[http.services.safe.loadBalancer]
[[http.services.safe.loadBalancer.servers]]
url = "http://safe:3000"