Update the middleware documentation
This commit is contained in:
Jean-Baptiste Doumenjou
Traefiker Bot
parent
6ab991ebf4
commit
2e20394af4
24 changed files with 488 additions and 70 deletions
|
|
@ -1,4 +1,4 @@
|
|||
# TODO - PassTLSClientCert
|
||||
# PassTLSClientCert
|
||||
|
||||
Adding Client Certificates in a Header
|
||||
{: .subtitle }
|
||||
|
|
@ -27,6 +27,12 @@ spec:
|
|||
pem: true
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
|
||||
```
|
||||
|
||||
```toml tab="File"
|
||||
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
|
||||
[http.middlewares]
|
||||
|
|
@ -88,6 +94,28 @@ spec:
|
|||
domainComponent: true
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
|
||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
|
||||
```
|
||||
|
||||
```toml tab="File"
|
||||
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
|
||||
[http.middlewares]
|
||||
|
|
@ -120,8 +148,8 @@ spec:
|
|||
|
||||
PassTLSClientCert can add two headers to the request:
|
||||
|
||||
* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
|
||||
* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
|
||||
- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
|
||||
- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
|
||||
|
||||
!!! note
|
||||
The headers are filled with escaped string so it can be safely placed inside a URL query.
|
||||
|
|
@ -235,6 +263,7 @@ In the following example, you can see a complete certificate. We will use each p
|
|||
### `pem`
|
||||
|
||||
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
|
||||
|
||||
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
|
||||
|
||||
??? example "The data used by the pem option"
|
||||
|
|
@ -283,10 +312,16 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
|
|||
The delimiters and `\n` will be removed.
|
||||
If there are more than one certificate, they are separated by a "`;`".
|
||||
|
||||
!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
|
||||
|
||||
The header size limit of web servers is commonly between 4kb and 8kb.
|
||||
You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
|
||||
|
||||
### `info`
|
||||
|
||||
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||
The value of the header will be an escaped concatenation of all the selected certificate details.
|
||||
|
||||
The following example shows an unescaped result that uses all the available fields:
|
||||
|
||||
```text
|
||||
|
|
@ -300,6 +335,7 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
|
|||
#### `info.notafter`
|
||||
|
||||
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
|
||||
|
||||
The data are taken from the following certificate part:
|
||||
|
||||
```text
|
||||
|
|
@ -333,6 +369,7 @@ NB=1544094616
|
|||
#### `info.sans`
|
||||
|
||||
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
|
||||
|
||||
The data are taken from the following certificate part:
|
||||
|
||||
```text
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue