6.8 KiB
| title | description |
|---|---|
| Traefik TLS Options Documentation | Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation. |
The TLS options allow one to configure some parameters of the TLS connection.
!!! important "'default' TLS Option"
The `default` option is special.
When no tls options are specified in a tls router, the `default` option is used.
When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.
Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
you must specify the provider namespace, for example:
`traefik.http.routers.myrouter.tls.options=myoptions@file`
!!! important "Providers"
TLS options are not supported by label or tag-based providers. However, you can define them when using a [KV provider](../../other-providers/kv.md).
Minimum TLS Version
# Dynamic configuration
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
# Dynamic configuration
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
Maximum TLS Version
We discourage the use of this setting to disable TLS1.3.
The recommended approach is to update the clients to support TLS1.3.
# Dynamic configuration
tls:
options:
default:
maxVersion: VersionTLS13
maxtls12:
maxVersion: VersionTLS12
# Dynamic configuration
[tls.options]
[tls.options.default]
maxVersion = "VersionTLS13"
[tls.options.maxtls12]
maxVersion = "VersionTLS12"
Cipher Suites
See cipherSuites for more information.
# Dynamic configuration
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# Dynamic configuration
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
!!! important "TLS 1.3"
Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)
With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
<https://golang.org/doc/go1.12#tls_1_3>
Curve Preferences
This option allows to set the preferred elliptic curves in a specific order.
The names of the curves defined by crypto (e.g. CurveP521) and the RFC defined names (e. g. secp521r1) can be used.
See CurveID for more information.
# Dynamic configuration
tls:
options:
default:
curvePreferences:
- CurveP521
- CurveP384
# Dynamic configuration
[tls.options]
[tls.options.default]
curvePreferences = ["CurveP521", "CurveP384"]
Strict SNI Checking
With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension or don't match any of the configured certificates. The default certificate is irrelevant on that matter.
# Dynamic configuration
tls:
options:
default:
sniStrict: true
# Dynamic configuration
[tls.options]
[tls.options.default]
sniStrict = true
ALPN Protocols
Optional, Default="h2, http/1.1, acme-tls/1"
This option allows to specify the list of supported application level protocols for the TLS handshake, in order of preference. If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol.
# Dynamic configuration
tls:
options:
default:
alpnProtocols:
- http/1.1
- h2
# Dynamic configuration
[tls.options]
[tls.options.default]
alpnProtocols = ["http/1.1", "h2"]
Client Authentication (mTLS)
Traefik supports mutual authentication, through the clientAuth section.
For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in clientAuth.caFiles.
In Kubernetes environment, CA certificate can be set in clientAuth.secretNames. See TLSOption resource for more details.
The clientAuth.clientAuthType option governs the behaviour as follows:
| Option | Operation |
|---|---|
NoClientCert |
Disregards any client certificate. |
RequestClientCert |
Asks for a certificate but proceeds anyway if none is provided. |
RequireAnyClientCert |
Requires a certificate but does not verify if it is signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames. |
VerifyClientCertIfGiven |
If a certificate is provided, verifies if it is signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames. Otherwise proceeds without any certificate. |
RequireAndVerifyClientCert |
requires a certificate, which must be signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames. |
# Dynamic configuration
tls:
options:
default:
clientAuth:
# in PEM format. each file can contain multiple CAs.
caFiles:
- tests/clientca1.crt
- tests/clientca2.crt
clientAuthType: RequireAndVerifyClientCert
# Dynamic configuration
[tls.options]
[tls.options.default]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
Disable Session Tickets
Optional, Default="false"
When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
# Dynamic configuration
tls:
options:
default:
disableSessionTickets: true
# Dynamic configuration
[tls.options]
[tls.options.default]
disableSessionTickets = true
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
disableSessionTickets: true
{!traefik-for-business-applications.md!}