Terminating TLS and Re-encrypt

Hi,

Is it possible to have Traefik re-encrypt the TLS after termination at Traefik? I have a working mqtts where the TLS is terminated at Traefik but the traffic to the server is not.

Yes, you can let Traefik terminate TLS and let it forward with TLS with the same or a different cert.

Thanks. How about TCP traffic like mqtt where the port is 8883? An example config would be highly appreciated. Thank you.

How do we configure this when using Traefik Hub API gateways or portals? Is it mandatory to have an ingress to hand over the TLS or take a new TLS for ingress?

You probably need to open another post in the corresponding forum here for hub/portal.

Is it then possible to re-encrypt TCP traffic (non http)?

Yes, you can use loadbalancer.servers.url=https://... in a dynamic config file.

If the target has a public TLS cert it simply works, otherwise you need to use insecureskipverify (global or on the Traefik service) or import the custom cert chain.

That works if the endpoint is HTTPS. What I am trying to achieve is to have Traefik receive MQTTS (TLS-enabled MQTT) and then re-encrypt with another TLS cert before sending to the target.

The first part, decrypting TLS from the mqtts, is done nicely by Traefik, but I have no clue what to do to enable re-encryption.

The Traefik TCP service documentation seems to completely miss a TLS part towards the target service.

If you just want to use Traefik to forward the TLS traffic and the MQTT client can live with a proprietary TLS cert from the MQTT server, then you can just do a plain TCP forward, where Traefik does not need or touch any TLS certs (untested):

# traefik.yml
entryPoints:
  tcp:
    address: ":5678"
providers:
  file:
    filename: traefik-dynamic.yml

# traefik-dynamic.yml
tcp:
  routers:
    tcp-router:
      rule: "HostSNI(`*`)"
      entryPoints:
        - tcp
      service: tcp-service

  services:
    tcp-service:
      loadBalancer:
        servers:
          - address: "1.2.3.4:5678"

I found what's missing. For terminating TLS and re-encrypting, if you have a publicly signed cert in your backend service, you have to define a servers transport in the Traefik config (map field type in YAML config) which sets a FQDN for the backend service that Traefik will set in the Host header on the requests. This definition can be in any of static config, dynamic config, or Kubernetes CRD.

Then you have to update your ingress route service (type: object) field to add a new serversTransport field (type: string) which points to the named servers transport you defined above, as the one to use for this service.

This will allow Traefik to send the Host header to the pod with a FQDN that matches one of the subject alternative names on the certificate, and allow Traefik to re-encrypt communications with the backend service.
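The two-step setup described in the last post, written out as Kubernetes CRD manifests. This is an added example, not a config from the thread or from the Traefik project; the namespace, Service, Secret and resource names are placeholders, and the `traefik.io/v1alpha1` API group assumes Traefik v2.10 or later. It also shows the weak `insecureSkipVerify` setting mentioned earlier in the thread next to the verified alternative.

```yaml
# Step 1: a ServersTransport that names the backend and pins its CA.
# Assumed placeholders: namespace "apps", backend Service "mqtt-broker",
# Secret "broker-ca" with the backend CA under the "tls.ca" key.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: broker-reencrypt
  namespace: apps
spec:
  # FQDN Traefik presents when it opens the backend TLS connection;
  # must match one of the SANs on the backend certificate.
  serverName: mqtt-broker.apps.svc.cluster.local
  # Verify the backend chain against our own CA (Secret key "tls.ca")
  # instead of disabling verification altogether.
  rootCAsSecrets:
    - broker-ca
  # Weak setting from earlier in the thread: skips chain and name checks,
  # so a spoofed backend is accepted. Leave it off outside a throwaway test.
  # insecureSkipVerify: true
---
# Step 2: the IngressRoute service points at the transport defined above.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: broker-route
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`broker.example.com`)   # placeholder public hostname
      kind: Rule
      services:
        - name: mqtt-broker               # placeholder Service name
          port: 8883
          scheme: https                   # re-encrypt towards the pod
          serversTransport: broker-reencrypt
  tls: {}   # client-facing TLS terminated by Traefik
```

Create the CA Secret with the `tls.ca` key before applying the manifests; if the backend cert's SAN does not match `serverName`, Traefik will refuse the backend connection, which is the failure you want rather than a silent downgrade.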