Problem with overriding some default TLS options

I apologize in advance if this issue has already been answered, but I could not find anything about it.

I use traefik version 2.2.1.

I have 2 routes safe.example.com and example.com each pointing to a different service: the first one is supposed to require a client certificate while the other does not.

I also want to use Let's Encrypt to obtain a certificate valid for both routes: CN: example.com, SAN: example.com, safe.example.com.

Traefik has two entrypoints: web (http) and websecure (https). The web entrypoint just redirects all the requests to websecure.

I would expect the safe route to require a client certificate (safe TLS option) without compromising the certificate resolver (default TLS option): when I set the TLS option field at the router level, from what I read in the documentation https://docs.traefik.io/v2.2/routing/entrypoints/#tls the default configuration (applied at the entrypoint level) will not be applied at all. Am I right?

I did not want to mess up my configuration so before trying to apply this I wanted to be extra sure by asking here. Thanks in advance for your awesome work.

Here's my configuration:

static configuration:

```toml
[providers]
  [providers.file]
    directory = "/etc/traefik/dynamic/"
    watch = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
      options = "default"
      certResolver = "letsenc"
      [[entryPoints.websecure.http.tls.domains]]
        main = "example.com"
        sans = ["safe.example.com"]

[api]
  insecure = false
  dashboard = true
  debug = false

[certificatesResolvers]
  [certificatesResolvers.letsenc]
    [certificatesResolvers.letsenc.acme]
      email = "admin@example.com"
      storage = "/etc/traefik/acme.json"
      [certificatesResolvers.letsenc.acme.httpChallenge]
        entryPoint = "web"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

  [tls.options.safe]
    minVersion = "VersionTLS12"
    sniStrict = true
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]
    [tls.options.safe.clientAuth]
      caFiles = ["/etc/traefik/certs/ca.cert.pem"]
      clientAuthType = "RequireAndVerifyClientCert"
```

dynamic configuration:

```toml
[http.routers]
  [http.routers.app]
    rule = "Host(`example.com`)"
    service = "app"
    entryPoints = ["websecure"]

  [http.routers.safe]
    rule = "Host(`safe.example.com`)"
    service = "safe"
    entryPoints = ["websecure"]
    [http.routers.safe.tls]
      options = "safe"

[http.services]
  [http.services.app.loadBalancer]
    [[http.services.app.loadBalancer.servers]]
      url = "http://app:3000"

  [http.services.safe.loadBalancer]
    [[http.services.safe.loadBalancer.servers]]
      url = "http://safe:3000"
```

Thank you for an interesting question. Now, I'll take my stab at it, but please be aware that this is based on my general understanding of how traefik works, that is, it is not practical knowledge from experience. If a developer or someone with this experience can confirm this, that would be great.

So you are asking:

https://docs.traefik.io/v2.2/routing/entrypoints/#tls the default configuration (applied at the entrypoint level) will not be applied at all. Am I right?

Now, one thing to understand is that default configuration has nothing to do with "default" TLS options. For TLS options, default is just a name; it does not have a special meaning, same as safe.

What that documentation sentence means is that, first, when traefik came out you had to apply TLS configuration on every router individually. Many people asked for an option to apply it to an entry point wholesale, as was possible in v1. So this is about that. You can specify a TLS configuration that goes to every router by specifying it for the entry point. But if any of the routers has any of the TLS configuration fields, then the defaults from the entry point do not apply to that router. If you want to customise TLS configuration for a router, you need to provide a complete TLS configuration for it; it will not be merged with the entry point TLS configuration.

Hope this explains it.

I also would like to point out that tls.options is dynamic configuration, not static.
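As an added illustration of the two points in the reply above (this is not configuration from the original poster or from the Traefik project), here is what the dynamic configuration would look like with `tls.options` moved out of the static file and the `safe` router carrying a complete TLS section of its own; the resolver name `letsenc`, the CA path and the host names are taken from the question, and the services block is unchanged and omitted.

```toml
# Added example: dynamic configuration, e.g. /etc/traefik/dynamic/tls.toml.
# tls.options belong here, not in the static configuration.
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true

  [tls.options.safe]
    minVersion = "VersionTLS12"
    sniStrict = true
    [tls.options.safe.clientAuth]
      caFiles = ["/etc/traefik/certs/ca.cert.pem"]
      clientAuthType = "RequireAndVerifyClientCert"

[http.routers]
  # No tls section of its own, so this router picks up the entrypoint's
  # tls block as a whole: options = "default", certResolver = "letsenc"
  # and the domains list.
  [http.routers.app]
    rule = "Host(`example.com`)"
    service = "app"
    entryPoints = ["websecure"]

  # This router has its own tls section, so the entrypoint's tls block is
  # not merged in. The resolver (and, if wanted, the domains) must be
  # repeated here; otherwise the router is not attached to the ACME
  # resolver at all, and only the client-certificate requirement applies.
  [http.routers.safe]
    rule = "Host(`safe.example.com`)"
    service = "safe"
    entryPoints = ["websecure"]
    [http.routers.safe.tls]
      options = "safe"
      certResolver = "letsenc"
      [[http.routers.safe.tls.domains]]
        main = "example.com"
        sans = ["safe.example.com"]
```

Because both routers ask the same resolver for the same main/SAN set, the certificate is obtained once and stored in the shared `acme.json`; the duplication is only in the few TLS lines of the router.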

If that's really the case, too bad, I guess I'll just have one certificate for the routes that need the certificate authentication and another one for those which don't. Let's see if someone can provide a real-life answer, anyway thanks for your clarification.

Well, server certificates should not be a problem. Traefik will happily re-use them.

Indeed but I'll need to duplicate the TLS configuration.

It's just a few lines that you need to duplicate once, I, personally, do not perceive it as a problem.

You're right, it's not that big of a deal. Thanks again.