2019-06-19 19:00:06 +02:00
# TLS
Transport Layer Security
{: .subtitle }
## Certificates Definition
### Automated
See the [Let's Encrypt ](./acme.md ) page.
### User defined
2019-06-27 23:58:03 +02:00
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration ](../getting-started/configuration-overview.md ), in the `[[tls.certificates]]` section:
2019-06-19 19:00:06 +02:00
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
2019-06-19 19:00:06 +02:00
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
certificates:
2019-09-23 17:00:06 +02:00
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
2019-07-01 11:30:05 +02:00
```
2019-09-23 11:22:05 +02:00
!!! important "Restriction"
2019-06-19 19:00:06 +02:00
In the above example, we've used the [file provider ](../providers/file.md ) to handle these definitions.
2019-09-02 12:26:04 +02:00
It is the only available method to configure the certificates (as well as the options and the stores).
2020-01-07 11:26:05 +01:00
However, in [Kubernetes ](../providers/kubernetes-crd.md ), the certificates can and must be provided by [secrets ](https://kubernetes.io/docs/concepts/configuration/secret/ ).
2019-06-19 19:00:06 +02:00
## Certificates Stores
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[tls.stores]
[tls.stores.default]
2019-06-19 19:00:06 +02:00
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
stores:
default: {}
```
2019-09-02 12:26:04 +02:00
!!! important "Restriction"
2019-06-19 19:00:06 +02:00
2019-09-02 12:26:04 +02:00
Any store definition other than the default one (named `default` ) will be ignored,
2020-11-11 00:28:04 +08:00
and there is therefore only one globally available TLS store.
2019-06-19 19:00:06 +02:00
2019-07-01 11:30:05 +02:00
In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
2019-06-19 19:00:06 +02:00
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
2019-07-01 11:30:05 +02:00
stores = ["default"]
2019-06-19 19:00:06 +02:00
2019-06-27 23:58:03 +02:00
[[tls.certificates]]
2019-06-19 19:00:06 +02:00
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
2019-06-27 23:58:03 +02:00
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
2019-06-19 19:00:06 +02:00
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
certificates:
2019-09-23 17:00:06 +02:00
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
stores:
- default
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
2019-07-01 11:30:05 +02:00
```
2019-09-02 12:26:04 +02:00
!!! important "Restriction"
2019-06-19 19:00:06 +02:00
2019-09-02 12:26:04 +02:00
The `stores` list will actually be ignored and automatically set to `["default"]` .
2019-06-19 19:00:06 +02:00
### Default Certificate
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
This default certificate should be defined in a TLS store:
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
2019-06-19 19:00:06 +02:00
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
```
2019-06-19 19:00:06 +02:00
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
## TLS Options
The TLS options allow one to configure some parameters of the TLS connection.
2020-10-16 01:12:04 +13:00
!!! important "'default' TLS Option"
The `default` option is special.
When no tls options are specified in a tls router, the `default` option is used.
When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.
Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
you must specify the provider namespace, for example:
`traefik.http.routers.myrouter.tls.options=myoptions@file`
2020-09-15 09:46:04 +02:00
!!! important "TLSOptions in Kubernetes"
When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
2020-10-16 01:12:04 +13:00
if not explicitly overwritten, should apply to all ingresses.
To achieve that, you'll have to create a TLSOptions CR with the name `default` .
There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.
To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
you'll have to add an annotation to the Ingress in the following form:
2020-09-15 09:46:04 +02:00
`traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
2019-06-19 19:00:06 +02:00
### Minimum TLS Version
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[tls.options]
2019-06-19 19:00:06 +02:00
2019-06-27 23:58:03 +02:00
[tls.options.default]
2019-06-19 19:00:06 +02:00
minVersion = "VersionTLS12"
2019-06-27 23:58:03 +02:00
[tls.options.mintls13]
2019-06-19 19:00:06 +02:00
minVersion = "VersionTLS13"
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
```
2019-09-23 11:22:05 +02:00
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
minVersion: VersionTLS12
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: mintls13
namespace: default
spec:
minVersion: VersionTLS13
2019-07-01 11:30:05 +02:00
```
2019-10-29 07:58:05 -04:00
### Maximum TLS Version
2020-08-25 20:40:04 +05:30
We discourage the use of this setting to disable TLS1.3.
2019-10-29 07:58:05 -04:00
2020-08-25 20:40:04 +05:30
The recommended approach is to update the clients to support TLS1.3.
2019-10-29 07:58:05 -04:00
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
maxVersion = "VersionTLS13"
[tls.options.maxtls12]
maxVersion = "VersionTLS12"
```
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
maxVersion: VersionTLS13
maxtls12:
maxVersion: VersionTLS12
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
maxVersion: VersionTLS13
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: maxtls12
namespace: default
spec:
maxVersion: VersionTLS12
```
2019-06-19 19:00:06 +02:00
### Cipher Suites
See [cipherSuites ](https://godoc.org/crypto/tls#pkg-constants ) for more information.
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[tls.options]
[tls.options.default]
2019-06-19 19:00:06 +02:00
cipherSuites = [
2019-10-07 15:02:06 +02:00
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
2019-06-19 19:00:06 +02:00
]
```
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
options:
default:
cipherSuites:
2019-09-23 17:00:06 +02:00
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2019-07-01 11:30:05 +02:00
```
2019-09-23 11:22:05 +02:00
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
cipherSuites:
2019-09-23 17:00:06 +02:00
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2019-09-23 11:22:05 +02:00
```
!!! important "TLS 1.3"
Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (< https: / / tools . ietf . org / html / rfc8446 > )
With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
< https: // golang . org / doc / go1 . 12 #tls_1_3 >
2019-11-03 15:54:04 +01:00
### Curve Preferences
This option allows to set the preferred elliptic curves in a specific order.
The names of the curves defined by [`crypto` ](https://godoc.org/crypto/tls#CurveID ) (e.g. `CurveP521` ) and the [RFC defined names ](https://tools.ietf.org/html/rfc8446#section-4.2.7 ) (e. g. `secp521r1` ) can be used.
See [CurveID ](https://godoc.org/crypto/tls#CurveID ) for more information.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
curvePreferences = ["CurveP521", "CurveP384"]
```
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
curvePreferences:
- CurveP521
- CurveP384
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
curvePreferences:
- CurveP521
- CurveP384
```
2019-06-19 19:00:06 +02:00
### Strict SNI Checking
2020-08-25 20:40:04 +05:30
With strict SNI checking enabled, Traefik won't allow connections from clients
2020-07-08 12:18:03 +02:00
that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
2019-06-19 19:00:06 +02:00
2019-09-23 11:22:05 +02:00
```toml tab="File (TOML)"
# Dynamic configuration
2019-06-27 23:58:03 +02:00
[tls.options]
[tls.options.default]
2019-06-19 19:00:06 +02:00
sniStrict = true
```
2019-07-01 11:30:05 +02:00
2019-09-23 11:22:05 +02:00
```yaml tab="File (YAML)"
# Dynamic configuration
2019-07-01 11:30:05 +02:00
tls:
options:
default:
sniStrict: true
```
2019-09-23 11:22:05 +02:00
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
sniStrict: true
```
2020-02-12 11:06:04 -06:00
### Prefer Server Cipher Suites
This option allows the server to choose its most preferred cipher suite instead of the client's.
Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
preferServerCipherSuites = true
```
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
preferServerCipherSuites: true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
preferServerCipherSuites: true
```
2019-09-23 11:22:05 +02:00
### Client Authentication (mTLS)
Traefik supports mutual authentication, through the `clientAuth` section.
For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles` .
The `clientAuth.clientAuthType` option governs the behaviour as follows:
- `NoClientCert` : disregards any client certificate.
- `RequestClientCert` : asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert` : requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` .
- `VerifyClientCertIfGiven` : if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` . Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert` : requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` .
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
```
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
clientAuth:
# in PEM format. each file can contain multiple CAs.
caFiles:
2019-09-23 17:00:06 +02:00
- tests/clientca1.crt
- tests/clientca2.crt
2019-09-23 11:22:05 +02:00
clientAuthType: RequireAndVerifyClientCert
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
clientAuth:
2020-07-28 17:18:03 +02:00
# the CA certificate is extracted from key `tls.ca` of the given secrets.
2019-09-23 11:22:05 +02:00
secretNames:
- secretCA
clientAuthType: RequireAndVerifyClientCert
```