mirror of
				https://github.com/traefik/traefik.git
				synced 2025-10-25 14:31:12 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			146 lines
		
	
	
		
			4.4 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			146 lines
		
	
	
		
			4.4 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # HTTPS & TLS
 | |
| 
 | |
| Traefik supports HTTPS & TLS, and is able to accept new certificates / updates over time (without being restarted).
 | |
| TLS is enabled at the [router](../routing/routers/index.md) level, but some options are configured in dedicated sections (`tlsOptions` & `tlsStores`) described in this section.
 | |
| 
 | |
| ## Configuration Example
 | |
| 
 | |
| ??? example "Configuring a Default Certificate"
 | |
| 
 | |
|     ```toml
 | |
|     [tlsStores]
 | |
|      [tlsStores.default]
 | |
|        [tlsStores.default.defaultCertificate]
 | |
|          certFile = "path/to/cert.crt"
 | |
|          keyFile  = "path/to/cert.key"
 | |
|     ```
 | |
| 
 | |
| ??? example "Configuring a Minimum TLS Version"
 | |
| 
 | |
|     ```toml
 | |
|     [tlsOptions]
 | |
|         [tlsOptions.default]
 | |
|         minVersion = "VersionTLS12"
 | |
|     ```
 | |
| 
 | |
| ??? example "Defining Certificates"
 | |
| 
 | |
|     ```toml
 | |
|     [[tls]]
 | |
|       [tls.certificate]
 | |
|          certFile = "/path/to/domain.cert"
 | |
|          keyFile = "/path/to/domain.key"
 | |
| 
 | |
|     [[tls]]
 | |
|       [tls.certificate]
 | |
|          certFile = "/path/to/other-domain.cert"
 | |
|          keyFile = "/path/to/other-domain.key"
 | |
|     ```
 | |
| 
 | |
| !!! important "File Provider Only"
 | |
|     
 | |
|     In the above example, we've used the [file provider](../providers/file.md) to handle the TLS configuration (tlsStores, tlsOptions, and TLS certificates).
 | |
|     In its current alpha version, it is the only available method to configure these elements.
 | |
|     Of course, these options are hot reloaded and can be updated at runtime (they belong to the [dynamic configuration](../getting-started/configuration-overview.md)).
 | |
| 
 | |
| ## Configuration Options
 | |
| 
 | |
| ### Dynamic Certificates
 | |
| 
 | |
| To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
 | |
| 
 | |
| !!! example "Defining Certificates"
 | |
| 
 | |
|     ```toml
 | |
|     [[tls]]
 | |
|       stores = ["default"]
 | |
|       [tls.certificate]
 | |
|          certFile = "/path/to/domain.cert"
 | |
|          keyFile = "/path/to/domain.key"
 | |
| 
 | |
|     [[tls]]
 | |
|       stores = ["default"]
 | |
|       [tls.certificate]
 | |
|          certFile = "/path/to/other-domain.cert"
 | |
|          keyFile = "/path/to/other-domain.key"
 | |
|     ```
 | |
| 
 | |
|     ??? note "Stores"
 | |
| 
 | |
|         During the alpha version, the stores option will be ignored and be automatically set to ["default"].
 | |
| 
 | |
| ### Mutual Authentication
 | |
| 
 | |
| Traefik supports both optional and non optional (defaut value) mutual authentication.
 | |
| 
 | |
| - When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
 | |
| - When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA.
 | |
| 
 | |
| !!! example "Non Optional Mutual Authentication"
 | |
| 
 | |
|     In the following example, both `snitest.com` and `snitest.org` will require client certificates.
 | |
| 
 | |
|     ```toml
 | |
|     [tlsOptions]
 | |
|        [tlsOptions.default]
 | |
|           [tlsOptions.default.ClientCA]
 | |
|             files = ["tests/clientca1.crt", "tests/clientca2.crt"]
 | |
|             optional = false
 | |
|     ```
 | |
| 
 | |
|     ??? note "ClientCA.files"
 | |
| 
 | |
|         You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
 | |
| 
 | |
|         `ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
 | |
| 
 | |
| ### Minimum TLS Version
 | |
| 
 | |
| !!! example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
 | |
| 
 | |
|     ```toml
 | |
|     [tlsOptions]
 | |
|       [tlsOptions.default]
 | |
|           minVersion = "VersionTLS12"
 | |
|           cipherSuites = [
 | |
|             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 | |
|             "TLS_RSA_WITH_AES_256_GCM_SHA384"
 | |
|           ]
 | |
|     ```
 | |
| 
 | |
| ### Strict SNI Checking
 | |
| 
 | |
| With strict SNI checking, Traefik won't allow connections without a matching certificate.
 | |
| 
 | |
| !!! example "Strict SNI"
 | |
| 
 | |
|     ```toml
 | |
|     [tlsOptions]
 | |
|       [tlsOptions.default]
 | |
|         sniStrict = true
 | |
|     ```
 | |
| 
 | |
| ### Default Certificate
 | |
| 
 | |
| Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 | |
| 
 | |
| If no default certificate is provided, Traefik generates and uses a self-signed certificate.
 | |
| 
 | |
| !!! example "Setting a Default Certificate"
 | |
| 
 | |
|     ```toml
 | |
|     [tlsStores]
 | |
|      [tlsStores.default]
 | |
|        [tlsStores.default.defaultCertificate]
 | |
|          certFile = "path/to/cert.crt"
 | |
|          keyFile  = "path/to/cert.key"
 | |
|     ```
 | |
| 
 | |
|     ??? note "Only One Default Certificate"
 | |
| 
 | |
|         There can only be one `defaultCertificate` per tlsOptions.
 | |
| 
 | |
|     ??? note "Default TLS Store"
 | |
| 
 | |
|         During the alpha version, there is only one globally available TLS Store (`default`).
 |