Why does Traefik allow unencrypted HTTP over port 443?

Hello all, I'm new to Traefik. I am having problems getting routing to work, but in my testing I noticed that traefik is allowing HTTP traffic over its "websecure" port, 443. This seems like a major vulnerability, so I assume I must have messed something up.

docker-compose.yml

services:
  lb-public:
    image: traefik:latest
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      # Disable the following for "production"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # For testing you can use acme-staging as it doesn't rate limit you
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=myemail@hotmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8080:8080"
    volumes:
      - "./docker/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      backend:
      metadata:

  whoami:
    image: "traefik/whoami"
    networks:
      backend:
    labels:
      # Traefik v2
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-http.entrypoints=web"
      - "traefik.http.routers.whoami-http.rule=Host(`${PUBLIC_DOMAIN}`) && PathPrefix(`/whoami`)"

networks:
  backend:
  metadata:

If you docker compose these services up, you can then cURL to port 443 and get HTTP (clear text) output. I would expect traefik to force the client to negotiate TLS -- is this correct port 443 behavior?

clutzer@laptop % curl http://public-domain.com:443/
404 page not found

I used Wireshark to verify that HTTP is being sent unencrypted over port 443.

You didn’t assign the certresolver to the websecure entrypoint, so no TLS is used.

And your target service is using web entrypoint, not websecure.

See simple Traefik example.

I think your latter point emphasizes my point: my service is not available on the websecure port, so why can I access my server ON the websecure port, and in an unencrypted fashion? That's incredibly broken.

You define an HTTP entrypoint on port 443 and do not assign TLS - what do you expect?

For Traefik all ports are created equal :slight_smile:

Traefik will create an HTTP interface and will respond with status 404 if no router is matching.


Ok thanks for the explanation.

What I expect is for traefik to treat the "websecure" port as a port that must have security and enforce a TLS handshake.

Assign TLS to the entrypoint websecure, then it always requires TLS. See simple Traefik example.
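The fix described above, written out as a hardened version of the poster's compose file. This is an added example, not code from the thread or from the Traefik project; it keeps the poster's resolver name, e-mail placeholder and `${PUBLIC_DOMAIN}` variable, drops the insecure API/8080 dashboard, and assumes the single `backend` network is enough for the test.

```yaml
services:
  lb-public:
    image: traefik:latest
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Make TLS mandatory on the 443 entrypoint: every router attached to it
      # requires a handshake, so plain HTTP on this port is no longer answered
      # with a clear-text 404 the way it was in the original configuration.
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      # Send clear-text clients on port 80 to HTTPS instead of serving them there.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # The ACME HTTP-01 challenge still listens on port 80; Traefik handles it
      # before the redirect applies.
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=myemail@hotmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      - "./docker/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - backend

  whoami:
    image: "traefik/whoami"
    networks:
      - backend
    labels:
      - "traefik.enable=true"
      # Attach the router to websecure, not web. TLS is inherited from the
      # entrypoint, so no per-router tls label is needed.
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.rule=Host(`${PUBLIC_DOMAIN}`) && PathPrefix(`/whoami`)"

networks:
  backend:
```

To check the result, repeat the poster's `curl http://public-domain.com:443/`: it should now fail at the TLS layer rather than return a 404 body, while `curl https://public-domain.com/whoami` is served and `curl -I http://public-domain.com/whoami` returns a redirect to HTTPS.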

Hello,

"websecure" is just an arbitrary name for the entrypoint; you can use anything as a name.

We use "websecure" as a name inside the documentation to enforce the meaning of the entrypoint but there is nothing attached to this name.

Thanks ldez - I think that's the key piece of information to understand. "web" and "websecure" have absolutely no semantic or functional meaning within Traefik. They are simply TCP endpoints on which you (the developer) have to enable TLS, completely.
