Restrict http url path using mtls

Traefik Traefik v2
,
1

I'm trying to restrict a http path so that only users authorised using mtls will be able to see the path.

At the bottom are the settings which is a combination of docker labels and dynamic configuration files.

A side note is when each of the routes are individually run the work as expected but getting them to work together is stumping me.

Thanks for any help.

When running the configuration below:

The browser without the certificate is causing the following error and not show either "localhost" or "localhost/restricted" and raises the following error.
'time="2021-05-18T08:46:23Z" level=debug msg="http: TLS handshake error from 127.0.0.1:49660: remote error: tls: bad certificate"

The browers with the certificate is working as expected

The dashboard the following error for the "localhost" route is shown Host(localhost): unknown TLS options: website@file

If I remove the traefik.http.routers.website.tls.options=website@file line get the following:

The browser without the certificate can access "localhost" and "localhost/restricted"

The brower with the certificate can access "localhost" and "localhost/restricted"

The dashboard has error for both the routers:
found different TLS options for routers on the same host localhost, so using the default TLS options instead

docker labels

# Common configuration
traefik.enable=true
traefik.http.services.website.loadbalancer.server.port=80
# mTLS secured path
traefik.http.routers.secure-website.rule=(Host(`localhost`) && PathPrefix(`/restricted`))
traefik.http.routers.secure-website.tls=true
traefik.http.routers.secure-website.tls.options=secure-website@file
traefik.http.routers.secure-website.service=website
# Main paths
traefik.http.routers.website.rule=Host(`localhost`)
traefik.http.routers.website.tls=true
traefik.http.routers.website.tls.options=website@file
traefik.http.routers.website.service=website

website@file

tls:
  certificates:
    - certFile: /etc/traefik/storage/server.crt
      keyFile: /etc/traefik/storage/server.key

secure-website@file

tls:
  certificates:
    - certFile: /etc/traefik/storage/server.crt
      keyFile: /etc/traefik/storage/server.key
  options:
     secure-website:
      clientAuth:
        caFiles:
          - /etc/traefik/storage/ca.crt
        clientAuthType: RequireAndVerifyClientCert
2

Hi @keepitsimplejim

Can you clarify where your tlsoptions are defined? One file, multiple?

TLS Options website@file does not seem to have a definition. In fact you should not include the option label on that router as the default tls options will apply.

3

So there looks like a gap in my understanding then and for reference below is are all the rest of my traefik configuration files.
Given that do you know of any links to help me implement the following features.

Just to make sure I've been able to explain my problem. There should be normal access to (a) and it's sub-paths except for (b) that is mtls access only to and it's sub-paths
a) https://localhost/
b) https://localhost/restricted/

Thanks again.

traefik.yml

api:
  dashboard: True
  insecure: True

accessLog:
  filePath: '/var/log/traefik/access.log'

log:
  level: 'DEBUG'
  filePath: '/var/log/traefik/system.log'

# ## External Ports
entryPoints:
  # HTTP
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  # HTTPS
  websecure:
    address: :443

# ## Automatic system providers
providers:
  # Docker integration
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
    #network: 'dmz'
    exposedByDefault: false
  # Dynamic configuration
  file:
    watch: true
    directory: '/etc/traefik/dynamic'

traefik_dashboard.yml

http:
  routers:
    dashboard:
      entrypoints: websecure
      rule: Host(`capcom.localhost`)
      service: api@internal
      middlewares:
        - auth
      tls: {}
  middlewares:
    auth:
      basicAuth:
        users:
          - "admin:$apr1$FCki/hpQ$7B6pYp58iAfX6HHPcQY1e1"
4

Hello @keepitsimplejim

The issue is that two different TLS options match the same you will have a message similar to the following in your traefik logs:

traefik_1 | {"entryPointName":"websecure","level":"warning","msg":"Found different TLS options for routers on the same host localhost, so using the default TLS options instead for these routers: string{"w@docker", "w2@docker"}","time":"2021-05-22T21:21:10Z"}

If you make one of those routers a different hostname you should see success.