Let's assume I want TLS from client to traefik and then mTLS from traefik to all services.
For the TLS connection from the client to traefik I would use the entrypoint TLS config. But then it also needs to be defined in the routers section as well? If a router is configured to use an entrypoint that has TLS defined, does it need to be defined in the router section as well? If separate routers have to be defined for http and then https endpoints, then why is TLS defined in both the entrypoint and the router section? Do I just choose if I want TLS configured on entrypoint or router?
Then let's say I want a mTLS connection between traefik and all my services. I assume that I would add a Root CA certificate to the static server transport config and then traefik will generate its own certificate and then I provide all my services with their own certificates, right?
Am I understanding this correctly? I've spent way too much time trying to figure this out and I've given up and need help here, it's not very clear from the documentation.
Thanks for your response however I still have a few more questions.
Let's say for Backend I define server transport in static config. Does that make it the default setting for all services? If so, how would I exclude a specific service from requiring mTLS? Or is it just defined there but then still needs to be explicitly called out/defined for every service?
Now for frontend, assuming I have multiple domains but they are provided certificates in different ways (one uses a letsencrypt http challenge, another letsencrypt DNS challenge and yet others use a certificate and key I provide), does that mean I can only set TLS settings on routes? Or can I break the entrypoint into something like this and then not worry about setting tls in routes:
If you define serverTransport in static config, it should be used for all internal requests to services. If you only want to use it on dedicated services, you need to define it in dynamic config and assign it to the services.
You can mix and match custom TLS with LetsEncrypt. As far as I know you can just enable TLS and LE and it will use existing certs and fall back to LE to create certs.
You can create multiple LE resolvers and assign them to individual routers, just check the correct format, your example seems wrong.
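Putting the answer above into configuration, as an added example that is not from this thread or the Traefik project: the static file and the dynamic file are shown in one block, with mTLS attached to only one service through a dynamic `serversTransport`, one router using a Let's Encrypt resolver and another served from a manually supplied certificate (a DNS-01 resolver would be added the same way under `certificatesResolvers`). Hostnames, file paths and the email address are placeholders I chose.

```yaml
# --- traefik.yml (static configuration) ---
entryPoints:
  web: { address: ":80" }      # only needed for the ACME HTTP-01 challenge
  websecure:
    address: ":443"
    http:
      tls: {}                  # TLS is on for every router bound to this entrypoint
providers: { file: { filename: /etc/traefik/dynamic.yml } }
certificatesResolvers:
  le-http:
    acme:
      email: admin@example.com          # placeholder
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
# --- dynamic.yml (dynamic configuration) ---
tls:
  certificates:                # cert you supply yourself; served by SNI for its hostnames
    - certFile: /certs/manual.example.net.pem
      keyFile: /certs/manual.example.net-key.pem
http:
  serversTransports:
    mtls-backend:              # mTLS settings; only services that reference it are affected
      rootCAs:
        - /certs/backend-ca.pem           # CA that signed the services' server certificates
      certificates:
        - certFile: /certs/traefik-client.pem     # client cert Traefik presents to services
          keyFile: /certs/traefik-client-key.pem
  services:
    app:
      loadBalancer:
        serversTransport: mtls-backend   # this service requires mTLS
        servers:
          - url: https://app.internal:8443
    legacy:                    # no transport attached: plain HTTP, no mTLS
      loadBalancer:
        servers:
          - url: http://legacy.internal:8080
  routers:
    app:
      rule: "Host(`app.example.com`)"
      entryPoints: [websecure]
      service: app
      tls: { certResolver: le-http }     # Let's Encrypt via HTTP-01 for this host
    manual:
      rule: "Host(`manual.example.net`)"
      entryPoints: [websecure]
      service: legacy
      tls: {}                  # no resolver, so the cert loaded under tls.certificates is used
```

Because the entrypoint already carries `http.tls`, the `tls: {}` on the second router is redundant and only kept to show that a router-level `tls` block without a resolver falls back to the certificates loaded in the dynamic `tls` section.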