Traefik configuration to allow access to a webapp based on a client certificate attribute or attributes

Hi,

I am looking for help with Traefik configuration. I need to add configuration to Traefik so that only a specific kind of client, having a specific kind of client certificate, can get access to a web application.

If a client doesn't have the client certificate, Traefik needs to reject the request to access the web app.

Any advice or resource on how to do this?

Best regards,

Youssef

Hi @newyou

I think you are looking for mTLS.

Hi,

Thank you for your reply. I used mTLS and did this configuration:

#####################################
[tls.options.myWebAppOptions]
minVersion = "VersionTLS12"
[tls.options.myWebAppOptions.clientAuth]
caFiles = [ "/etc/myCA1.cert" ]
clientAuthType = "RequireAndVerifyClientCert"
#######################################

But now I have an error: I am no longer able to access myWebApp and I get the message INVALID_CERT_Error (and it is talking about TRAEFIK DEFAULT CERT).

Can you help me understand why it is talking about the Traefik default cert? I want to access the webapp with my client certificate signed by the myCA1 certificate authority.

Hello @newyou

This could be one of many things from a certificate/domain mismatch to a router configuration issue.

Did it work before that addition?

Are you able to post configuration?

Hi,

Thank you for your reply. I don't think I can share the config, but I have a quick question:

After using mTLS in the configuration, do we need to install the client certificate on our laptop and that's all, or do we need to add it as a certificate in our browser, like Firefox? Because Traefik is routing to the webapp application.

Thanks in advance for your reply.

@newyou That is very dependent on the system and browser.

Some browsers will use the system certificate store/keyring and some will use the browser's own store.

But this certificate error is because Traefik is serving its self-generated TLS certificate, and this is untrusted by the client.

So what do I need to do?

I used clientAuth and referenced the options name in the docker label. What do I need to do in addition to that?

Configure Traefik to serve a certificate trusted by your clients.

See the TLS Overview and related links. Use either your own existing certificates or ones obtained via LetsEncrypt.
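As an added illustration of that advice (this is not configuration from the thread or from the Traefik project), a file-provider dynamic configuration that both serves a server certificate the browser trusts and requires a client certificate issued by myCA1; the certificate paths, host name, router and service names are assumptions:

```toml
# Dynamic configuration (file provider). Paths and names are placeholders.

[[tls.certificates]]
  # Server certificate the clients must trust. Without a matching certificate
  # here, Traefik falls back to its self-generated default certificate, which
  # is what the client reports as untrusted.
  certFile = "/etc/traefik/certs/mywebapp.example.crt"
  keyFile  = "/etc/traefik/certs/mywebapp.example.key"

[tls.options]
  [tls.options.myWebAppOptions]
    minVersion = "VersionTLS12"
    [tls.options.myWebAppOptions.clientAuth]
      # Only client certificates chaining to myCA1 are accepted; a client
      # presenting no certificate, or one from another CA, fails the handshake.
      caFiles = ["/etc/myCA1.cert"]
      clientAuthType = "RequireAndVerifyClientCert"

[http.routers.mywebapp]
  rule = "Host(`mywebapp.example`)"
  service = "mywebapp"
  entryPoints = ["websecure"]
  [http.routers.mywebapp.tls]
    # Bind the mTLS options to this router only; other routers keep default TLS.
    options = "myWebAppOptions"

[http.services.mywebapp.loadBalancer]
  [[http.services.mywebapp.loadBalancer.servers]]
    url = "http://mywebapp:8080"
```

If the router is declared through Docker labels instead, reference the options as `traefik.http.routers.mywebapp.tls.options=myWebAppOptions@file`, since options defined in the file provider need the provider suffix when referenced from another provider.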

Hi @Cakiwi

Thank you for the reply. So I understand that my clientAuth configuration is breaking another configuration, because we are already using Traefik to serve our own certificate as a trusted certificate to our clients. The requirement now is not to give access to any client that has the URL of our application; we want to limit access to clients that have the URL and also have a client certificate installed on their laptop.

Perhaps. Back out the mTLS and try it again; there is always the chance something else changed.