Reject no named request

Hi community:

I've noticed that if you make a TLS connection to port 443 on the load balancer IPs to anything other than the configured host in Traefik, e.g. by IP or another server name, the connection is being secured with a self-signed traefik SSL cert.

I'm trying to reject this kind of request in order to increase the security of my Kubernetes cluster hosted in Amazon with Traefik v1.7.14.

When I run the following command, the default Traefik certificate appears:

openssl s_client -connect <public_ip>:443 | openssl x509 -noout -text

depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <Serial Number>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=TRAEFIK DEFAULT CERT
        Validity
            Not Before: <Date> GMT
            Not After : <Date> GMT
        Subject: CN=TRAEFIK DEFAULT CERT

I would like to reject all requests that do not use the host configured in Traefik.
Is this possible through the Traefik configuration?

This is my configuration:

        args:
        - --api
        - --kubernetes
        - --accesslog
        - --logLevel=INFO
        - --entrypoints=Name:http Address::80
        - --entrypoints=Name:https Address::443 TLS
        - --acme
        - --acme.acmelogging
        - --acme.dnschallenge
        - --acme.dnschallenge.provider=route53
        - --acme.dnschallenge.delayBeforeCheck=0
        - --acme.domains=<domain>
        - --acme.onhostrule
        - --acme.entrypoint=https
        - --acme.storage=acme.json

Please, if you need more info let me know.

Regards, and congratulations on the great job.

Hello @eduQuobis,

Please see the SNI Strict setting:
https://docs.traefik.io/v1.7/configuration/entrypoints/#strict-sni-checking
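Traefik is written in Go, and strict SNI checking is in essence a certificate-selection callback that refuses to finish the handshake when the ClientHello names no configured host. The following is an added example written for this thread, not Traefik's own code: it implements that policy with the standard library's `tls.Config` and runs three handshakes over an in-memory pipe (no sockets): the configured name `app.example.test`, an unrelated name, and no SNI at all, which is what `openssl s_client` without `-servername` or a connection by IP address sends. The host names, the self-signed certificate and the function names (`strictSNIConfig`, `demoServerConfig`, `handshake`) are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds an in-memory certificate for host. It is constructed
// only so the demo runs offline; a real edge serves its ACME-issued certificate.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// strictSNIConfig is the server-side policy: the handshake completes only when
// the ClientHello names a configured host. Returning an error from
// GetCertificate aborts the handshake, so no fallback certificate is ever sent.
func strictSNIConfig(certs map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the in-memory pipe demo simple
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			name := strings.ToLower(hello.ServerName)
			if name == "" {
				// Connections by IP literal land here too: clients send no SNI for IPs.
				return nil, errors.New("strict SNI: client sent no server name")
			}
			if c, ok := certs[name]; ok {
				return &c, nil
			}
			return nil, fmt.Errorf("strict SNI: no certificate configured for %q", name)
		},
	}
}

// demoServerConfig returns a strict-SNI server config serving a single host.
func demoServerConfig(host string) (*tls.Config, error) {
	cert, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	return strictSNIConfig(map[string]tls.Certificate{strings.ToLower(host): cert}), nil
}

// handshake drives one TLS handshake over an in-memory pipe with the client
// presenting sni (empty string = no SNI, like s_client without -servername).
// Like s_client it does not verify the server certificate: the point is what
// the server sends back. It returns the CN of the certificate the server
// presented, or the handshake error if the server refused.
func handshake(serverCfg *tls.Config, sni string) (string, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	deadline := time.Now().Add(5 * time.Second)
	cConn.SetDeadline(deadline)
	sConn.SetDeadline(deadline)

	go func() {
		// The server's own result is not needed; the client observes the alert.
		_ = tls.Server(sConn, serverCfg).Handshake()
	}()

	client := tls.Client(cConn, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // demo only: mirrors s_client's no-verify probe
		MinVersion:         tls.VersionTLS12,
	})
	if err := client.Handshake(); err != nil {
		return "", err
	}
	return client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cfg, err := demoServerConfig("app.example.test")
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"app.example.test", "other.example.test", ""} {
		cn, err := handshake(cfg, sni)
		if err != nil {
			fmt.Printf("SNI %q -> handshake refused: %v\n", sni, err)
			continue
		}
		fmt.Printf("SNI %q -> served certificate CN=%s\n", sni, cn)
	}
}
```

The same probe works against a real edge: after enabling strict SNI, `openssl s_client -connect <public_ip>:443` with no `-servername` should fail the handshake with an alert instead of printing a `TRAEFIK DEFAULT CERT` certificate, while the same command with `-servername <configured_host>` should still complete. One thing worth checking when the setting appears to have no effect: Traefik 1.7 applies command-line flags over the TOML file, so an `https` entry point that is also defined with an `--entrypoints=` flag may not be the one carrying the `sniStrict` value from the file.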

Hello @daniel.tomcej :

Thanks for your quick response.
I added this config to traefik following your advice but it does not work:

    defaultEntryPoints = ["http"]
    [entryPoints]
      [entryPoints.http]
        # port for http entrypoint that traefik listens on
        address = ":80"
      [entryPoints.https.tls]
        sniStrict = true
        MinVersion = "VersionTLS12"
        # https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
        # https://cipherli.st/
        CipherSuites = ["TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

I obtained the same result again:

openssl s_client -connect <public_ip>:443 | openssl x509 -noout -text
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            da:5f:8b:de:f9:47:aa:54:ea:7d:25:7f:d8:4f:fc:6b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TRAEFIK DEFAULT CERT
        Validity
            Not Before: Aug 27 22:36:22 2019 GMT
            Not After : Aug 26 22:36:22 2020 GMT
        Subject: CN = TRAEFIK DEFAULT CERT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bd:3a:0a:a2:14:93:49:63:75:4f:ae:d6:b5:65:
                    bf:dc:dc:32:80:c1:9b:fc:41:76:42:04:07:90:a3:
                    f0:c8:04:24:2f:25:4b:44:b3:91:10:e8:98:de:ee:
                    ef:5f:11:87:2c:de:43:4f:13:6f:00:ca:30:6b:f0:
                    6f:d3:7b:b8:5d:6f:51:1a:31:7a:65:83:fa:5c:91:
                    06:fe:fb:7d:ae:f5:c1:d3:ec:99:ae:1a:c8:27:58:
                    72:89:2f:d4:b9:e5:7a:18:7a:5a:b1:01:b9:2c:9c:
                    7b:75:ab:7c:47:53:2d:14:83:75:e3:3e:df:78:17:
                    c5:0e:de:dc:0b:68:fc:76:dc:d5:73:1d:f7:3b:f6:
                    c0:e9:77:df:9d:12:9a:a1:06:53:80:07:43:60:f1:
                    02:7b:cf:12:97:d8:cd:f9:00:0a:b2:41:18:db:d9:
                    a9:f1:1f:6e:0e:2d:21:6b:bc:d2:2b:ec:78:b0:c8:
                    57:76:1a:d8:98:2f:09:29:4c:02:6d:be:9c:cd:4f:
                    d6:74:fd:de:67:60:6e:6e:8b:ef:7b:e6:ec:d6:e0:
                    c3:04:7c:d4:0e:01:52:ed:45:1a:9f:b7:1f:1a:aa:
                    b2:d5:f9:d6:7c:4a:ee:80:9a:ec:11:3a:a8:0e:5d:
                    b5:99:25:73:0b:e2:f5:67:b2:78:5c:40:58:fb:98:
                    5a:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:031d441e860e2d124b4c9a7fc8c4ada5.33df6386621b82389d72106d84587c79.traefik.default
    Signature Algorithm: sha256WithRSAEncryption
         a9:b2:d1:73:75:0d:c1:b7:41:7c:42:d1:50:64:bf:a0:98:d1:
         31:62:05:dd:e0:82:e2:06:a7:30:65:23:99:f9:6e:6e:d9:e9:
         ba:6e:db:f6:4b:ac:7b:ed:8f:98:e9:5d:e0:c1:47:e5:7e:fc:
         b5:59:f4:2f:1f:3e:16:2b:cf:19:bb:32:69:9b:04:8d:e2:d8:
         21:66:1e:0e:3f:d2:80:40:2d:74:b1:3c:ce:2e:4b:c6:cf:26:
         ab:a9:63:a7:1f:98:f3:b6:e2:8f:0e:4c:da:42:22:d7:78:e3:
         4d:0d:33:59:cc:c8:3e:08:07:c9:d5:a1:78:27:1d:3a:d2:e2:
         a7:be:6b:ee:0e:1d:b8:de:cd:24:17:2a:bd:5b:00:f1:05:ef:
         8d:6e:19:bb:e2:9f:17:9c:08:b8:b2:5d:f3:87:a4:6a:05:39:
         00:a3:0f:b5:04:29:5a:b1:99:fb:b0:b1:0a:25:57:1b:dc:c2:
         0b:81:2e:db:d4:92:86:4d:94:e1:14:96:62:0f:22:44:6d:7d:
         7b:10:e4:19:c1:c4:05:10:3b:93:ff:4d:1c:bc:43:9a:6a:74:
         89:d3:0b:e9:85:fc:7a:30:38:ad:3a:4c:70:2c:e5:98:ee:69:
         05:68:77:d2:34:ff:c8:39:d3:13:3e:fe:dc:8e:4e:55:a1:84:
         c3:4f:27:49

This is the log from the beginning:

time="2019-08-27T22:34:23Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2019-08-27T22:34:23Z" level=info msg="Traefik version v1.7.14 built on 2019-08-14_09:46:58AM"
time="2019-08-27T22:34:23Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0003044a0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server https &{Address::443 TLS:0xc00060c2d0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000304560} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :80"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000304800} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :443"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :8080"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"<myEmail>\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"route53\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":[{\"Main\":\"<publicURL>\",\"SANs\":[\"*.<publicURL>\"]}],\"Store\":{}}"
time="2019-08-27T22:34:23Z" level=info msg="Testing certificate renew..."
time="2019-08-27T22:34:23Z" level=info msg="ingress label selector is: \"\""
time="2019-08-27T22:34:23Z" level=info msg="Creating in-cluster Provider client"
time="2019-08-27T22:34:23Z" level=info msg="The key type is empty. Use default key type 4096."
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :8080"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :8080"
time="2019-08-27T22:34:26Z" level=info msg=Register...
time="2019-08-27T22:34:26Z" level=info msg="legolog: [INFO] acme: Registering account for <myEmail>"
time="2019-08-27T22:34:26Z" level=info msg="legolog: [INFO] [<publicURL>, *.<publicURL>] acme: Obtaining bundled SAN certificate"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/83148831"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/83148832"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: use dns-01 solver"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Could not find solver for: tls-alpn-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Could not find solver for: http-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: use dns-01 solver"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Preparing to solve DNS-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:04Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Preparing to solve DNS-01"
time="2019-08-27T22:35:04Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:24Z" level=error msg="vulcand/oxy/forward/websocket: Error when copying from client to backend: websocket: close 1006 (abnormal closure): unexpected EOF"
100.96.2.0 - - [27/Aug/2019:22:34:24 +0000] "GET /xmpp-websocket HTTP/1.1" 0 0 "-" "-" 1 "http-https_uc.<publicURL>/xmpp-websocket" "http://100.96.1.157:5280" 59969ms
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Trying to solve DNS-01"
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Checking DNS record propagation using [100.64.0.10:53]"
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [*.<publicURL>] The server validated our request"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Trying to solve DNS-01"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Checking DNS record propagation using [100.64.0.10:53]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] The server validated our request"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Cleaning DNS-01 challenge"
time="2019-08-27T22:35:43Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:36:16Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Cleaning DNS-01 challenge"
time="2019-08-27T22:36:16Z" level=info msg="legolog: [INFO] [<publicURL>, *.<publicURL>] acme: Validations succeeded; requesting certificates"
time="2019-08-27T22:36:22Z" level=info msg="legolog: [INFO] [<publicURL>] Server responded with a certificate."
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :8080"

Regards and thanks for the support.

Hello @daniel.tomcej:

Do you think that there is a configuration issue?
I would like to test any changes in my deployment to try to solve it.

I'm using Let’s Encrypt certificates that are working fine if I include the servername in my request:

openssl s_client -connect <public_ip>:443 --servername <public_server_name> | openssl x509 -noout -text

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = <public_server_name>
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f6:03:ac:a1:96:79:80:cb:df:c1:12:f3:61:d2:f5:4b:b0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Aug 29 05:55:33 2019 GMT
            Not After : Nov 27 05:55:33 2019 GMT
        Subject: CN = <public_server_name>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

....

If you prefer DEBUG logs instead of INFO, or you think I should open another request in another channel, please let me know.

Thank you so much for your support.
Regards.