Commit d613643f authored by Alan Christopher Thomas's avatar Alan Christopher Thomas
Remove traefik

parent 6bdf1c58
name: Traefik v2
protocol: https
topics:
server_auth:
links:
- text: User defined certificates
url: https://doc.traefik.io/traefik/https/tls/#user-defined
- text: Default certificate
url: https://doc.traefik.io/traefik/https/tls/#default-certificate
client_auth:
links:
- text: Client authentication (mTLS)
url: https://docs.traefik.io/https/tls/#client-authentication-mtls
- text: Router TLS options
url: https://doc.traefik.io/traefik/routing/routers/#options
renewal:
links:
- text: ACME certificate resolver
url: https://doc.traefik.io/traefik/https/acme/
- text: Router TLS certificate resolver
url: https://doc.traefik.io/traefik/routing/routers/#certresolver
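Review bot: the `client_auth` entry `url: https://docs.traefik.io/https/tls/#client-authentication-mtls` points at a different host and path scheme (`docs.traefik.io/https/...`) than every other link in this file (`doc.traefik.io/traefik/...`); if this index is being relocated rather than dropped, align it with the others. Since the commit message says only "Remove traefik", please also confirm that nothing else still lists the `Traefik v2` entry or links into `docs/traefik/`, otherwise the site is left with dangling links.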
docs/traefik/logo.png (18.9 KiB)

Add or configure an existing TLS option to specify the location of your CA root certificate to use for authenticating client certificates.
```toml
## Dynamic configuration
[tls.options]
[tls.options.mytlsoptions]
[tls.options.mytlsoptions.clientAuth]
caFiles = ["{{ ca_cert }}"]
clientAuthType = "RequireAndVerifyClientCert"
```
Then, when you add routers to your dynamic configuration for HTTPS traffic, you need to set `tls` and `tls.options` to enable client authentication:
```toml
## Dynamic configuration
[http]
[http.routers]
[http.routers.router1]
...
[http.routers.router1.tls]
options = "mytlsoptions"
```
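Review bot: in the second block the TLS option is attached only to `router1` via `options = "mytlsoptions"`; any other HTTPS router keeps Traefik's default TLS options, which do not request a client certificate, so mTLS is silently not enforced there. If this snippet survives anywhere, the text should say that the option must be set on every router that is meant to require a client certificate, or that naming the option `default` applies it to all routers without an explicit `tls.options`. Also, `caFiles = ["{{ ca_cert }}"]` combined with `clientAuthType = "RequireAndVerifyClientCert"` is the right pairing; with any weaker `clientAuthType` the `caFiles` list is advisory only, which is worth a sentence.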
Traefik is a modern reverse-proxy with integrated support for ACME. It's easy to get a certificate from Let's Encrypt andy other ACME compatible CAs like `step-ca` in Traefik, using the `tls-alpn-01` ACME challenge type.
Most importantly, Traefik will need to trust your root CA certificate. Either use the `LEGO_CA_CERTIFICATES` environment variable to provide the full path to your `{{ ca_cert }}` when running Traefik, or install your root certificate in your system's trust store.
In your Traefik static configuration, you'll need to add a `certificatesResolvers` block:
```toml
[certificatesResolvers]
[certificatesResolvers.myresolver]
[certificatesResolvers.myresolver.acme]
caServer = "https://step-ca.internal/acme/acme/directory"
email = "anna@example.com"
storage = "acme.json"
tlsChallenge = true
```
Then, when you add routers to your dynamic configuration for HTTPS traffic, you need to set `tls` and `tls.certResolver`:
```toml
## Dynamic configuration
[http]
[http.routers]
[http.routers.router1]
...
[http.routers.router1.tls]
certResolver = "myresolver"
```
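Review bot: the sentence "from Let's Encrypt andy other ACME compatible CAs" has a typo ("andy" should be "and any"). More importantly, `storage = "acme.json"` is where Traefik keeps the ACME account key and the private keys of every issued certificate, so the text should state that the file must live on persistent storage and be readable only by the Traefik process (Traefik refuses to use it unless it is mode 0600). Finally, `tlsChallenge = true` means the CA at `caServer` must be able to reach Traefik on port 443 under the requested hostname to complete the `tls-alpn-01` challenge; that reachability requirement belongs next to the `LEGO_CA_CERTIFICATES` trust note.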
In the dynamic configuration of Traefik specify the locations of the server's certificate and private key. The certificates will be automatically used when the domain in SNI requests matches the certificate domains.
This configuration applies to manually configured certificates. For automatic certificate renewal, check the section below.
```toml
## Dynamic configuration
[[tls.certificates]]
certFile = "{{ server_cert }}"
keyFile = "{{ server_key }}"
```
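Review bot: "For automatic certificate renewal, check the section below" is a cross-reference, but in this commit's rendering the ACME `certificatesResolvers` material appears above this paragraph, not below it. If these snippets are reassembled elsewhere, verify the direction of the reference. The `[[tls.certificates]]` block itself is fine; it would help to say that `{{ server_key }}` should be readable only by the Traefik user, since the dynamic configuration file path is all the reader sees.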
Traefik automatically selects the right certificates when the domain in SNI requests matches the certificate domains. To have one of the certificates be the default certificate - instead of the generated Traefik default certificate - for requests which don't match any certificate configured, you need to configure the default `tls.stores`.
```toml
## Dynamic configuration
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "{{ server_cert }}"
keyFile = "{{ server_key }}"
```