TLS Setup for production use

Hi everyone,
I am currently evaluating if I can use Traefik Hub for a production scenario and have some questions regarding the TLS setup. I found these chapters on the topic in the respective documentation:

Traefik Proxy Docs
Traefik Hub Docs

Following the Traefik Hub Docs, to secure the Hub Agent I need a CA and public/private certificates in place. Does this mean I need to create and provide those? I mean it seems like it, but in the context of all the things Traefik/Hub takes care of, I am not quite sure, since I did not read it explicitly.

In the Traefik Proxy Docs, on the other hand, default certificates are listed, but when using them, the browser does not trust them - which is expected of course - but I do get a 404 when continuing. For reference, I tried this with Portainer. What am I doing wrong here?

Also, do I understand correctly that the - --hub.tls.insecure=true flag on both the Hub Agent and Traefik means that TLS is not used for the connection?
Any help is much appreciated!
Best,
Dominik

Hello Dominik,

Thank you for your interest in Traefik Hub.

> Following the Traefik Hub Docs, to secure the Hub Agent I need a CA and public/private certificates in place. Does this mean I need to create and provide those?

Indeed, if you are not using Traefik Hub in a Kubernetes cluster, you have to provide your own certificates. You can use self-signed certificates. The certificate provided to Traefik Proxy ought to be valid for the domain traefik.proxy, and the one provided to the Traefik Hub Agent ought to be valid for the domain traefik.agent.

> In the Traefik Proxy Docs, on the other hand, default certificates are listed, but when using them, the browser does not trust them - which is expected of course

We’ve provided these certificates as an example of the configuration you can set. We recommend using your own certificates instead.

> but I do get a 404 when continuing.

Could you provide more information about your issue, please? When does the 404 happen? In any case, it could be relevant to share both your configuration and logs (from Traefik Proxy and the Hub Agent).

> Also, do I understand correctly that the - --hub.tls.insecure=true flag on both the Hub Agent and Traefik means that TLS is not used for the connection?

This option allows you to set up a full Traefik Hub stack on your cluster without providing the certificates: Traefik Proxy and the Traefik Hub Agent are using a simple TLS connection with self-signed certificates to communicate instead of the mTLS connection used when you set the certificates. It’s very useful for test purposes but you ought not to use it in Production.

Regards,

Nicolas
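What "valid for the domain traefik.proxy" and "valid for the domain traefik.agent" mean in X.509 terms, as an added Go example that is not part of the thread or of the Traefik project: it issues a throwaway CA and leaf certificates whose SAN carries the name, then checks them with Go's standard verifier. The CA name, the 90-day lifetime, the Ed25519 keys and the server/client EKUs are assumptions of the example, not requirements stated in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for name signed by parent; a nil parent yields the self-signed CA.
func issue(name string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	if parent == nil { // CA: allowed to sign certificates, nothing else
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tpl, key
	} else { // leaf: the SAN is what the peer checks; both EKUs because mTLS uses the cert in both roles
		tpl.DNSNames, tpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validFor reports whether cert chains to ca and is valid for the DNS name host.
func validFor(cert, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := issue("constructed-hub-ca", 1, nil, nil) // constructed CA name
	proxy, _ := issue("traefik.proxy", 2, ca, caKey)
	fmt.Println(validFor(proxy, ca, "traefik.proxy"), validFor(proxy, ca, "traefik.agent")) // true false
}
```

A certificate issued for one of the two names fails verification under the other, so the proxy and agent certificates are not interchangeable.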