Reliably set TLS options with the docker provider

tchinchow · April 3, 2022, 4:13pm

Hello.

I know this topic has been discussed previously:

Traefik docker config for tls options - #2 by cakiwi
Docker dynamic settings for TLS not docummented · Issue #6489 · traefik/traefik · GitHub
TLS parameters from more dynamic providers and a default path for a no-config setup · Issue #5507 · traefik/traefik · GitHub
... and probably in many other posts.

I think I understand that TLS options cannot be defined through the docker provider (they can only be set to something defined elsewhere).

I also know how to configure mTLS on my service container by properly referencing an existing set of TLS options already defined in the traefik container's dynamic configuration.

The actual problem:

My question is about the actual reliability of setting the TLS options through docker labels.

Take the following docker-compose labels:

someservice:
  labels:
    - "traefik.http.routers.gatekeeper_whoamisecure.tls=true"
    - "traefik.http.routers.gatekeeper_whoamisecure.tls.certresolver=someresolver"
    - "traefik.http.routers.gatekeeper_whoamisecure.tls.options=someoptions@file"

If for some reason "someoptions@file" does not exist anywhere. Treafik only seems to report it as a debug message:

time="2022-04-03T12:47:28Z" level=debug msg="unknown TLS options: someoptions@file" entryPointName=websecure routerName=someservice@docker

Then the service starts and is served through TLS (hopefully) but it will NOT be configured as expected.

Why is it a problem ?

Let say that "someoptions@file" used to be a very strong mTLS configuration with client authentication... but it got reworked / renamed in the traefik container configuration...
... and we forgot to update each and every service container that depend on it. Shame on us but unfortunately I believe it is a quite common situation.

The service is exposed no matter what even though it is not properly configured.
Depending on the default configuration then the service gets exposed to every one while we expected it to be only available to mutually authenticated clients !
Last but not least: We do not get notified that the mTLS options were not found (and merely ignored).
Indeed: The "DEBUG" log level is not really reflecting that we face a major problem here...

What would I expect ?

Well clearly, I'd expect that either:

The service is not served at all when a configuration is wrong.
This would be equivalent as re-configuring this service container as if it had defined "traefik.enable=false"
Clearly and loudly log this ERROR in a proper log with an apropriate* log level.
*appropriate = ERROR _(or WARNING at a bare minimum).

Discussion:

Can someone help me find out the rationale behind the current Traefik behaviour ?
Why is it behaving like this ?
Is it worth submitting a bug/feature request or is it me who is completely out of line here ?

Thanx for you help !

tchinchow · April 3, 2022, 5:01pm

Just a simple reply/note to myself and other people who'd be interested:

Possible Mitigation

As a possible mitigation to avoid deception of the service container, you can define a default TLS policy that will never accept any client:

tls:
  options:
    #   Define a dummy CA which is a mere self-signed certificate whose
    # private key was properly shredded before it can sign anything else.
    #   This way, if for some reason Traefik does not find or implements
    # your docker labels properly, then you just won't be able to connect.
    default:
      maxVersion: VersionTLS13
      clientAuth:
        caFiles:
          - /home/traefik/pki/Dummy/RootCA/certs/ca.pem
        clientAuthType: RequireAndVerifyClientCert
    # Then you can define meaningful TLS configurations
    someConfig-mTls:
      clientAuth:
        # This is an actual CA:
          - /home/traefik/pki/Users/RootCA/certs/ca.pem
        clientAuthType: RequireAndVerifyClientCert
    someOtherConfig-mTls:
      clientAuth:
        # This is an other actual CA:
          - /home/traefik/pki/Admins/RootCA/certs/ca.pem
        clientAuthType: RequireAndVerifyClientCert
    no-mTls:
      clientAuth:
        clientAuthType: NoClientCert

Hence when you fail to properly refer to an existing TLS options-set in your service containers labels, TLS will default to a dummy configuration that requires client authentication against a CA that never issued any clients (and that will never be able to do so because you threw the private key away).

Topic		Replies	Views
Traefik docker config for tls options Traefik v2 (latest) docker , file	17	7662	February 16, 2021
Disable TLS 1.0 and 1.1 for docker Traefik v2 (latest) docker	8	8723	September 18, 2020
Common TLS config for all services Traefik v2 (latest) docker	12	359	June 13, 2023
Unable to force VersionTLS12 Traefik v2 (latest) docker	3	989	January 29, 2020
Tls.option are not applied in traefik.toml Traefik v2 (latest) docker	2	729	October 4, 2020