Define a TLS section to group TLS, TLSOptions, and TLSStores.

Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
2019-06-27 23:58:03 +02:00 · 2019-06-27 23:58:03 +02:00 · 4245096be4
commit 4245096be4
parent c9b2a07bc7
52 changed files with 717 additions and 628 deletions
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@ -11,18 +11,16 @@ See the [Let's Encrypt](./acme.md) page.

 ### User defined

-To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls]]` section:
+To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:

 ```toml
-[[tls]]
-  [tls.certificate]
-    certFile = "/path/to/domain.cert"
-    keyFile = "/path/to/domain.key"
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"

-[[tls]]
-  [tls.certificate]
-    certFile = "/path/to/other-domain.cert"
-    keyFile = "/path/to/other-domain.key"
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
 ```

 !!! important "File Provider Only"
@ -35,8 +33,8 @@ To add / remove TLS certificates, even when Traefik is already running, their de
 In Traefik, certificates are grouped together in certificates stores, which are defined as such:

 ```toml
-[tlsStores]
-  [tlsStores.default]
+[tls.stores]
+  [tls.stores.default]
 ```

 !!! important "Alpha restriction"
@ -44,21 +42,19 @@ In Traefik, certificates are grouped together in certificates stores, which are
    During the alpha version, any store definition other than the default one (named `default`) will be ignored,
    and there is thefore only one globally available TLS store.

-In the `[[tls]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
+In the `[[tls.certificates]]` section, a list of stores can then be specified to indicate where the certificates should be stored:

 ```toml
-[[tls]]
+[[tls.certificates]]
  stores = ["default"]
-  [tls.certificate]
-    certFile = "/path/to/domain.cert"
-    keyFile = "/path/to/domain.key"
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"

-[[tls]]
+[[tls.certificates]]
  # Note that since no store is defined,
  # the certificate below will be stored in the `default` store.
-  [tls.certificate]
-    certFile = "/path/to/other-domain.cert"
-    keyFile = "/path/to/other-domain.key"
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
 ```

 !!! important "Alpha restriction"
@ -71,9 +67,9 @@ Traefik can use a default certificate for connections without a SNI, or without
 This default certificate should be defined in a TLS store:

 ```toml
-[tlsStores]
-  [tlsStores.default]
-    [tlsStores.default.defaultCertificate]
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
      certFile = "path/to/cert.crt"
      keyFile  = "path/to/cert.key"
 ```
@ -87,12 +83,12 @@ The TLS options allow one to configure some parameters of the TLS connection.
 ### Minimum TLS Version

 ```toml
-[tlsOptions]
+[tls.options]

-  [tlsOptions.default]
+  [tls.options.default]
    minVersion = "VersionTLS12"

-  [tlsOptions.mintls13]
+  [tls.options.mintls13]
    minVersion = "VersionTLS13"
 ```

@ -107,9 +103,9 @@ For clients with a certificate, the `optional` option governs the behaviour as f
 - When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.

 ```toml
-[tlsOptions]
-  [tlsOptions.default]
-    [tlsOptions.default.ClientCA]
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.ClientCA]
      # in PEM format. each file can contain multiple CAs.
      files = ["tests/clientca1.crt", "tests/clientca2.crt"]
      optional = false
@ -120,8 +116,8 @@ For clients with a certificate, the `optional` option governs the behaviour as f
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.

 ```toml
-[tlsOptions]
-  [tlsOptions.default]
+[tls.options]
+  [tls.options.default]
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
@ -134,7 +130,7 @@ With strict SNI checking, Traefik won't allow connections from clients connectio
 that do not specify a server_name extension.

 ```toml
-[tlsOptions]
-  [tlsOptions.default]
+[tls.options]
+  [tls.options.default]
    sniStrict = true
 ```
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@ -192,16 +192,15 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
      {{ end }}  
    
    {{ range $i, $e := until 10 }}
-    [[TLS]]
+    [[tls.certificates]]
+      CertFile = "/etc/traefik/cert-{{ $e }}.pem"
+      KeyFile = "/etc/traefik/cert-{{ $e }}.key"
      Store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
-      [TLS.Certificate]
-        CertFile = "/etc/traefik/cert-{{ $e }}.pem"
-        KeyFile = "/etc/traefik/cert-{{ $e }}.key"
    {{ end }}
    
-    [TLSConfig]
+    [tls.config]
    {{ range $i, $e := until 10 }}
-      [TLSConfig.TLS{{ $e }}]
+      [tls.config.TLS{{ $e }}]
      # ...
    {{ end }}
    ```
@ -237,11 +236,11 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
    
    {{ range $i, $e := until 10 }}
    tls:
-      store:
-      - "my-store-foo-{{ $e }}"
-      - "my-store-bar-{{ $e }}"
-      certificate:
-        certfile: "/etc/traefik/cert-{{ $e }}.pem"
+      certificates:
+      - certfile: "/etc/traefik/cert-{{ $e }}.pem"
        keyfile: "/etc/traefik/cert-{{ $e }}.key"
+        store:
+        - "my-store-foo-{{ $e }}"
+        - "my-store-bar-{{ $e }}"
    {{end}}
    ```
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -220,42 +220,40 @@
        [[TCP.Services.TCPService0.LoadBalancer.Servers]]
          Address = "foobar"

-[[TLS]]
-  Stores = ["foobar", "foobar"]
-  [TLS.Certificate]
+[TLS]
+
+  [[TLS.Certificates]]
+    Stores = ["foobar", "foobar"]
    CertFile = "foobar"
    KeyFile = "foobar"

-[[TLS]]
-  Stores = ["foobar", "foobar"]
-  [TLS.Certificate]
+  [[TLS.Certificates]]
+    Stores = ["foobar", "foobar"]
    CertFile = "foobar"
    KeyFile = "foobar"

-[TLSOptions]
+  [TLS.Options]
+    [TLS.Options.TLS0]
+      MinVersion = "foobar"
+      CipherSuites = ["foobar", "foobar"]
+      SniStrict = true
+      [TLS.Options.TLS0.ClientCA]
+        Files = ["foobar", "foobar"]
+        Optional = true
+    [TLS.Options.TLS1]
+      MinVersion = "foobar"
+      CipherSuites = ["foobar", "foobar"]
+      SniStrict = true
+      [TLS.Options.TLS1.ClientCA]
+        Files = ["foobar", "foobar"]
+        Optional = true

-  [TLSOptions.TLS0]
-    MinVersion = "foobar"
-    CipherSuites = ["foobar", "foobar"]
-    SniStrict = true
-    [TLSOptions.TLS0.ClientCA]
-      Files = ["foobar", "foobar"]
-      Optional = true
-  [TLSOptions.TLS1]
-    MinVersion = "foobar"
-    CipherSuites = ["foobar", "foobar"]
-    SniStrict = true
-    [TLSOptions.TLS1.ClientCA]
-      Files = ["foobar", "foobar"]
-      Optional = true
-
-[TLSStores]
-
-  [TLSStores.Store0]
-    [TLSStores.Store0.DefaultCertificate]
-      CertFile = "foobar"
-      KeyFile = "foobar"
-  [TLSStores.Store1]
-    [TLSStores.Store1.DefaultCertificate]
-      CertFile = "foobar"
-      KeyFile = "foobar"
+  [TLS.Stores]
+    [TLS.Stores.Store0]
+      [TLS.Stores.Store0.DefaultCertificate]
+        CertFile = "foobar"
+        KeyFile = "foobar"
+    [TLS.Stores.Store1]
+      [TLS.Stores.Store1.DefaultCertificate]
+        CertFile = "foobar"
+        KeyFile = "foobar"
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@ -207,7 +207,7 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
 #### `Options`

 The `Options` field enables fine-grained control of the TLS parameters.  
-It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
+It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.

 ??? example "Configuring the tls options"

@ -219,8 +219,8 @@ It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied
          [http.routers.Router-1.tls] # will terminate the TLS request
            options = "foo"
    
-    [tlsOptions]
-      [tlsOptions.foo]
+    [tls.options]
+      [tls.options.foo]
          minVersion = "VersionTLS12"
          cipherSuites = [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@ -338,7 +338,7 @@ Services are the target for the router.
 #### `Options`

 The `Options` field enables fine-grained control of the TLS parameters.  
-It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
+It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.

 ??? example "Configuring the tls options"

@ -350,8 +350,8 @@ It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied
          [tcp.routers.Router-1.tls] # will terminate the TLS request
            options = "foo"
    
-    [tlsOptions]
-      [tlsOptions.foo]
+    [tls.options]
+      [tls.options.foo]
          minVersion = "VersionTLS12"
          cipherSuites = [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",