TLS

Transport Layer Security

Certificates Definition

Automated

See the Let's Encrypt page.

User defined

To add or remove TLS certificates, even while Traefik is already running, their definition can be added to the dynamic configuration, in the [[tls.certificates]] section:

File (TOML)

```toml
[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"

[[tls.certificates]]
  certFile = "/path/to/other-domain.cert"
  keyFile = "/path/to/other-domain.key"
```

File (YAML)

```yaml
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key
```

File Provider Only

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores).

Certificates Stores

In Traefik, certificates are grouped together in certificates stores, which are defined as such:

File (TOML)

```toml
[tls.stores]
  [tls.stores.default]
```

File (YAML)

```yaml
tls:
  stores:
    default: {}
```

Restriction

Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

In the tls.certificates section, a list of stores can then be specified to indicate where the certificates should be stored:

File (TOML)

```toml
[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"
  stores = ["default"]

[[tls.certificates]]
  # Note that since no store is defined,
  # the certificate below will be stored in the `default` store.
  certFile = "/path/to/other-domain.cert"
  keyFile = "/path/to/other-domain.key"
```

File (YAML)

```yaml
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
      stores:
        - default
    # Note that since no store is defined,
    # the certificate below will be stored in the `default` store.
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key
```

Restriction

The stores list will actually be ignored and automatically set to ["default"].

Default Certificate

Traefik can use a default certificate for connections without an SNI, or without a matching domain. This default certificate should be defined in a TLS store:

File (TOML)

```toml
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "path/to/cert.crt"
      keyFile = "path/to/cert.key"
```

File (YAML)

```yaml
tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key
```

If no default certificate is provided, Traefik generates and uses a self-signed certificate.

TLS Options

The TLS options allow one to configure some parameters of the TLS connection.

Minimum TLS Version

File (TOML)

```toml
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"

  [tls.options.mintls13]
    minVersion = "VersionTLS13"
```

File (YAML)

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
    mintls13:
      minVersion: VersionTLS13
```

Client Authentication (mTLS)

Traefik supports mutual authentication through the clientAuth section.

For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in clientAuth.caFiles.

The clientAuth.clientAuthType option governs the behaviour as follows:

  • NoClientCert: disregards any client certificate.
  • RequestClientCert: asks for a certificate but proceeds anyway if none is provided.
  • RequireAnyClientCert: requires a certificate but does not verify whether it is signed by a CA listed in clientAuth.caFiles.
  • VerifyClientCertIfGiven: if a certificate is provided, verifies whether it is signed by a CA listed in clientAuth.caFiles. Otherwise proceeds without any certificate.
  • RequireAndVerifyClientCert: requires a certificate, which must be signed by a CA listed in clientAuth.caFiles.

File (TOML)

```toml
[tls.options]
  [tls.options.default]
    [tls.options.default.clientAuth]
      # in PEM format. each file can contain multiple CAs.
      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
      clientAuthType = "RequireAndVerifyClientCert"
```

File (YAML)

```yaml
tls:
  options:
    default:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - tests/clientca1.crt
          - tests/clientca2.crt
        clientAuthType: RequireAndVerifyClientCert
```
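The minVersion and clientAuthType values above are the names of Go's crypto/tls constants. The following Go program, added here as an example and not Traefik's own code, maps those names onto a tls.Config and refuses the misconfiguration this section warns about: a clientAuthType that verifies client certificates while clientAuth.caFiles is empty. The Options struct and BuildTLSConfig are hypothetical; the CA files' contents are passed in as bytes rather than read from disk.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// Options is the subset of a Traefik tls.options entry used here (a hypothetical
// struct, not Traefik's own type); CAPEMs holds the contents of the caFiles.
type Options struct {
	MinVersion, ClientAuthType string
	CAPEMs                     [][]byte
}
// The option names Traefik accepts are the names of Go's crypto/tls constants.
var versions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
var authTypes = map[string]tls.ClientAuthType{"NoClientCert": tls.NoClientCert,
	"RequestClientCert": tls.RequestClientCert, "RequireAnyClientCert": tls.RequireAnyClientCert,
	"VerifyClientCertIfGiven": tls.VerifyClientCertIfGiven, "RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert}
// BuildTLSConfig maps the names onto a crypto/tls config and rejects a policy that verifies
// client certificates while caFiles is empty (RequireAnyClientCert never verifies, so it is exempt).
func BuildTLSConfig(o Options) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12} // this example's floor when minVersion is unset
	if o.MinVersion != "" {
		v, ok := versions[o.MinVersion]
		if !ok {
			return nil, fmt.Errorf("unknown minVersion %q", o.MinVersion)
		}
		cfg.MinVersion = v
	}
	auth, ok := authTypes[o.ClientAuthType]
	if !ok && o.ClientAuthType != "" {
		return nil, fmt.Errorf("unknown clientAuthType %q", o.ClientAuthType)
	}
	if (auth == tls.VerifyClientCertIfGiven || auth == tls.RequireAndVerifyClientCert) && len(o.CAPEMs) == 0 {
		return nil, fmt.Errorf("%s needs at least one CA in clientAuth.caFiles", o.ClientAuthType)
	}
	cfg.ClientAuth, cfg.ClientCAs = auth, x509.NewCertPool()
	for i, data := range o.CAPEMs { // each file may contain several PEM CAs
		if !cfg.ClientCAs.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("caFiles[%d]: no PEM certificate found", i)
		}
	}
	return cfg, nil
}
func main() { // stand-alone demo: the misconfiguration the page warns about
	_, err := BuildTLSConfig(Options{ClientAuthType: "RequireAndVerifyClientCert"})
	fmt.Println(err)
}
```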

Cipher Suites

See cipherSuites for more information.

File (TOML)

```toml
[tls.options]
  [tls.options.default]
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
```

File (YAML)

```yaml
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_RSA_WITH_AES_256_GCM_SHA384
```

Strict SNI Checking

With strict SNI checking, Traefik won't allow connections from clients that do not specify a server_name extension.

File (TOML)

```toml
[tls.options]
  [tls.options.default]
    sniStrict = true
```

File (YAML)

```yaml
tls:
  options:
    default:
      sniStrict: true
```