2019-06-19 17:00:06 +00:00
# TLS
Transport Layer Security
{: .subtitle }
## Certificates Definition
### Automated
See the [Let's Encrypt ](./acme.md ) page.
### User defined
2019-06-27 21:58:03 +00:00
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration ](../getting-started/configuration-overview.md ), in the `[[tls.certificates]]` section:
2019-06-19 17:00:06 +00:00
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
2019-06-19 17:00:06 +00:00
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
2019-06-19 17:00:06 +00:00
!!! important "File Provider Only"
In the above example, we've used the [file provider ](../providers/file.md ) to handle these definitions.
2019-07-22 07:58:04 +00:00
In its current beta version, it is the only available method to configure the certificates (as well as the options and the stores).
2019-06-19 17:00:06 +00:00
## Certificates Stores
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.stores]
[tls.stores.default]
2019-06-19 17:00:06 +00:00
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
stores:
default: {}
```
2019-07-22 07:58:04 +00:00
!!! important "Beta restriction"
2019-06-19 17:00:06 +00:00
2019-07-22 07:58:04 +00:00
During the beta version, any store definition other than the default one (named `default` ) will be ignored,
2019-06-19 17:00:06 +00:00
and there is thefore only one globally available TLS store.
2019-07-01 09:30:05 +00:00
In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
2019-06-19 17:00:06 +00:00
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
2019-07-01 09:30:05 +00:00
stores = ["default"]
2019-06-19 17:00:06 +00:00
2019-06-27 21:58:03 +00:00
[[tls.certificates]]
2019-06-19 17:00:06 +00:00
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
2019-06-27 21:58:03 +00:00
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
2019-06-19 17:00:06 +00:00
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
stores:
- default
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
2019-07-22 07:58:04 +00:00
!!! important "Beta restriction"
2019-06-19 17:00:06 +00:00
2019-07-22 07:58:04 +00:00
During the beta version, the `stores` list will actually be ignored and automatically set to `["default"]` .
2019-06-19 17:00:06 +00:00
### Default Certificate
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
This default certificate should be defined in a TLS store:
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
2019-06-19 17:00:06 +00:00
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
```
2019-06-19 17:00:06 +00:00
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
## TLS Options
The TLS options allow one to configure some parameters of the TLS connection.
### Minimum TLS Version
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.options]
2019-06-19 17:00:06 +00:00
2019-06-27 21:58:03 +00:00
[tls.options.default]
2019-06-19 17:00:06 +00:00
minVersion = "VersionTLS12"
2019-06-27 21:58:03 +00:00
[tls.options.mintls13]
2019-06-19 17:00:06 +00:00
minVersion = "VersionTLS13"
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
```
2019-07-12 15:50:04 +00:00
### Client Authentication (mTLS)
2019-06-19 17:00:06 +00:00
2019-07-12 15:50:04 +00:00
Traefik supports mutual authentication, through the `ClientAuth` section.
2019-06-19 17:00:06 +00:00
2019-07-12 15:50:04 +00:00
For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `ClientAuth.caFiles` .
The `ClientAuth.clientAuthType` option governs the behaviour as follows:
2019-06-19 17:00:06 +00:00
2019-07-12 15:50:04 +00:00
- `NoClientCert` : disregards any client certificate.
- `RequestClientCert` : asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert` : requires a certificate but does not verify if it is signed by a CA listed in `ClientAuth.caFiles` .
- `VerifyClientCertIfGiven` : if a certificate is provided, verifies if it is signed by a CA listed in `ClientAuth.caFiles` . Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert` : requires a certificate, which must be signed by a CA listed in `ClientAuth.caFiles` .
2019-06-19 17:00:06 +00:00
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.options]
[tls.options.default]
2019-07-12 15:50:04 +00:00
[tls.options.default.clientAuth]
2019-06-19 17:00:06 +00:00
# in PEM format. each file can contain multiple CAs.
2019-07-12 15:50:04 +00:00
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
2019-06-19 17:00:06 +00:00
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
options:
default:
2019-07-12 15:50:04 +00:00
clientAuth:
2019-07-01 09:30:05 +00:00
# in PEM format. each file can contain multiple CAs.
2019-07-12 15:50:04 +00:00
caFiles:
2019-07-01 09:30:05 +00:00
- tests/clientca1.crt
- tests/clientca2.crt
2019-07-12 15:50:04 +00:00
clientAuthType: RequireAndVerifyClientCert
2019-07-01 09:30:05 +00:00
```
2019-06-19 17:00:06 +00:00
### Cipher Suites
See [cipherSuites ](https://godoc.org/crypto/tls#pkg-constants ) for more information.
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.options]
[tls.options.default]
2019-06-19 17:00:06 +00:00
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
```
2019-06-19 17:00:06 +00:00
### Strict SNI Checking
With strict SNI checking, Traefik won't allow connections from clients connections
that do not specify a server_name extension.
2019-07-01 09:30:05 +00:00
```toml tab="TOML"
2019-06-27 21:58:03 +00:00
[tls.options]
[tls.options.default]
2019-06-19 17:00:06 +00:00
sniStrict = true
```
2019-07-01 09:30:05 +00:00
```yaml tab="YAML"
tls:
options:
default:
sniStrict: true
```