Define a TLS section to group TLS, TLSOptions, and TLSStores.

Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
This commit is contained in:
Ludovic Fernandez 2019-06-27 23:58:03 +02:00 committed by Traefiker Bot
parent c9b2a07bc7
commit 4245096be4
52 changed files with 717 additions and 628 deletions

View file

@ -11,18 +11,16 @@ See the [Let's Encrypt](./acme.md) page.
### User defined
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls]]` section:
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
```toml
[[tls]]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "File Provider Only"
@ -35,8 +33,8 @@ To add / remove TLS certificates, even when Traefik is already running, their de
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
```toml
[tlsStores]
[tlsStores.default]
[tls.stores]
[tls.stores.default]
```
!!! important "Alpha restriction"
@ -44,21 +42,19 @@ In Traefik, certificates are grouped together in certificates stores, which are
During the alpha version, any store definition other than the default one (named `default`) will be ignored,
and there is thefore only one globally available TLS store.
In the `[[tls]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
In the `[[tls.certificates]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
```toml
[[tls]]
[[tls.certificates]]
stores = ["default"]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "Alpha restriction"
@ -71,9 +67,9 @@ Traefik can use a default certificate for connections without a SNI, or without
This default certificate should be defined in a TLS store:
```toml
[tlsStores]
[tlsStores.default]
[tlsStores.default.defaultCertificate]
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
@ -87,12 +83,12 @@ The TLS options allow one to configure some parameters of the TLS connection.
### Minimum TLS Version
```toml
[tlsOptions]
[tls.options]
[tlsOptions.default]
[tls.options.default]
minVersion = "VersionTLS12"
[tlsOptions.mintls13]
[tls.options.mintls13]
minVersion = "VersionTLS13"
```
@ -107,9 +103,9 @@ For clients with a certificate, the `optional` option governs the behaviour as f
- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
```toml
[tlsOptions]
[tlsOptions.default]
[tlsOptions.default.ClientCA]
[tls.options]
[tls.options.default]
[tls.options.default.ClientCA]
# in PEM format. each file can contain multiple CAs.
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
@ -120,8 +116,8 @@ For clients with a certificate, the `optional` option governs the behaviour as f
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
```toml
[tlsOptions]
[tlsOptions.default]
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
@ -134,7 +130,7 @@ With strict SNI checking, Traefik won't allow connections from clients connectio
that do not specify a server_name extension.
```toml
[tlsOptions]
[tlsOptions.default]
[tls.options]
[tls.options.default]
sniStrict = true
```

View file

@ -192,16 +192,15 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
{{ end }}
{{ range $i, $e := until 10 }}
[[TLS]]
[[tls.certificates]]
CertFile = "/etc/traefik/cert-{{ $e }}.pem"
KeyFile = "/etc/traefik/cert-{{ $e }}.key"
Store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
[TLS.Certificate]
CertFile = "/etc/traefik/cert-{{ $e }}.pem"
KeyFile = "/etc/traefik/cert-{{ $e }}.key"
{{ end }}
[TLSConfig]
[tls.config]
{{ range $i, $e := until 10 }}
[TLSConfig.TLS{{ $e }}]
[tls.config.TLS{{ $e }}]
# ...
{{ end }}
```
@ -237,11 +236,11 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
{{ range $i, $e := until 10 }}
tls:
store:
- "my-store-foo-{{ $e }}"
- "my-store-bar-{{ $e }}"
certificate:
certfile: "/etc/traefik/cert-{{ $e }}.pem"
certificates:
- certfile: "/etc/traefik/cert-{{ $e }}.pem"
keyfile: "/etc/traefik/cert-{{ $e }}.key"
store:
- "my-store-foo-{{ $e }}"
- "my-store-bar-{{ $e }}"
{{end}}
```

View file

@ -220,42 +220,40 @@
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
[TLS]
[[TLS.Certificates]]
Stores = ["foobar", "foobar"]
CertFile = "foobar"
KeyFile = "foobar"
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
[[TLS.Certificates]]
Stores = ["foobar", "foobar"]
CertFile = "foobar"
KeyFile = "foobar"
[TLSOptions]
[TLS.Options]
[TLS.Options.TLS0]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLS.Options.TLS0.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLS.Options.TLS1]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLS.Options.TLS1.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSOptions.TLS0]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS0.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSOptions.TLS1]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS1.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSStores]
[TLSStores.Store0]
[TLSStores.Store0.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLSStores.Store1]
[TLSStores.Store1.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLS.Stores]
[TLS.Stores.Store0]
[TLS.Stores.Store0.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLS.Stores.Store1]
[TLS.Stores.Store1.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"

View file

@ -207,7 +207,7 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
#### `Options`
The `Options` field enables fine-grained control of the TLS parameters.
It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
??? example "Configuring the tls options"
@ -219,8 +219,8 @@ It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied
[http.routers.Router-1.tls] # will terminate the TLS request
options = "foo"
[tlsOptions]
[tlsOptions.foo]
[tls.options]
[tls.options.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@ -338,7 +338,7 @@ Services are the target for the router.
#### `Options`
The `Options` field enables fine-grained control of the TLS parameters.
It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
??? example "Configuring the tls options"
@ -350,8 +350,8 @@ It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied
[tcp.routers.Router-1.tls] # will terminate the TLS request
options = "foo"
[tlsOptions]
[tlsOptions.foo]
[tls.options]
[tls.options.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",