Expand Client Auth Type configuration

Jean-Baptiste Doumenjou 2019-07-12 17:50:04 +02:00 committed by Traefiker Bot
parent 7a4b4c941c
commit 2c7cfd1c68
31 changed files with 304 additions and 151 deletions


@ -139,35 +139,39 @@ tls:
minVersion: VersionTLS13
```
### Mutual Authentication
### Client Authentication (mTLS)
Traefik supports both optional and strict (which is the default) mutual authentication, though the `ClientCA.files` section.
If present, connections from clients without a certificate will be rejected.
Traefik supports mutual authentication, through the `ClientAuth` section.
For clients with a certificate, the `optional` option governs the behaviour as follows:
For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `ClientAuth.caFiles`.
The `ClientAuth.clientAuthType` option governs the behaviour as follows:
- When `optional = false`, Traefik accepts connections only from clients presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
- `NoClientCert`: disregards any client certificate.
- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `ClientAuth.caFiles`.
- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `ClientAuth.caFiles`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `ClientAuth.caFiles`.
```toml tab="TOML"
[tls.options]
[tls.options.default]
[tls.options.default.clientCA]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
```
```yaml tab="YAML"
tls:
options:
default:
clientCA:
clientAuth:
# in PEM format. each file can contain multiple CAs.
files:
caFiles:
- tests/clientca1.crt
- tests/clientca2.crt
optional: false
clientAuthType: RequireAndVerifyClientCert
```
### Cipher Suites


@ -296,7 +296,7 @@ metadata:
namespace: default
spec:
minversion: VersionTLS12
minVersion: VersionTLS12
---
apiVersion: traefik.containo.us/v1alpha1


@ -275,16 +275,16 @@
minVersion = "foobar"
cipherSuites = ["foobar", "foobar"]
sniStrict = true
[tls.options.Options0.clientCA]
files = ["foobar", "foobar"]
optional = true
[tls.options.Options0.clientAuth]
caFiles = ["foobar", "foobar"]
clientAuthType = "VerifyClientCertIfGiven"
[tls.options.Options1]
minVersion = "foobar"
cipherSuites = ["foobar", "foobar"]
sniStrict = true
[tls.options.Options1.clientCA]
files = ["foobar", "foobar"]
optional = true
[tls.options.Options1.clientAuth]
caFiles = ["foobar", "foobar"]
clientAuthType = "VerifyClientCertIfGiven"
[tls.stores]
[tls.stores.Store0]
[tls.stores.Store0.defaultCertificate]


@ -303,22 +303,22 @@ tls:
cipherSuites:
- foobar
- foobar
clientCA:
files:
clientAuth:
caFiles:
- foobar
- foobar
optional: true
clientAuthType: VerifyClientCertIfGiven
sniStrict: true
Options1:
minVersion: foobar
cipherSuites:
- foobar
- foobar
clientCA:
files:
clientAuth:
caFiles:
- foobar
- foobar
optional: true
clientAuthType: VerifyClientCertIfGiven
sniStrict: true
stores:
Store0: