Make the TLS certificates management dynamic.

2017-11-09 12:16:03 +01:00 · 2017-11-09 12:16:03 +01:00 · c469e669fd
commit c469e669fd
parent f6aa147c78
36 changed files with 1257 additions and 513 deletions
--- a/docs/configuration/backends/file.md
+++ b/docs/configuration/backends/file.md
@ -8,6 +8,8 @@ You have three choices:
 - [Rules in a Separate File](/configuration/backends/file/#rules-in-a-separate-file)
 - [Multiple `.toml` Files](/configuration/backends/file/#multiple-toml-files)

+The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Træfik).
+
 ## Simple

 Add your configuration at the end of the global configuration file `traefik.toml`:
@ -23,12 +25,9 @@ defaultEntryPoints = ["http", "https"]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
+      [[entryPoints.https.tls.certificates]]		
+      certFile = "integration/fixtures/https/snitest.org.cert"		
+      keyFile = "integration/fixtures/https/snitest.org.key"

 [file]

@ -81,8 +80,19 @@ defaultEntryPoints = ["http", "https"]
  entrypoints = ["http", "https"] # overrides defaultEntryPoints
  backend = "backend2"
  rule = "Path:/test"
+
+# HTTPS certificate
+[[tlsConfiguration]]
+entryPoints = ["https"]
+  [tlsConfiguration.certificate]
+    certFile = "integration/fixtures/https/snitest.com.cert"
+    keyFile = "integration/fixtures/https/snitest.com.key"
 ```

+!!! note
+    adding certificates directly to the entrypoint is still maintained but certificates declared in this way cannot be managed dynamically.
+    It's recommended to use the file provider to declare certificates.
+
 ## Rules in a Separate File

 Put your rules in a separate file, for example `rules.toml`:
@ -97,12 +107,6 @@ Put your rules in a separate file, for example `rules.toml`:
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"

 [file]
 filename = "rules.toml"
@ -149,11 +153,23 @@ filename = "rules.toml"
  entrypoints = ["http", "https"] # overrides defaultEntryPoints
  backend = "backend2"
  rule = "Path:/test"
+# HTTPS certificate
+[[tlsConfiguration]]
+entryPoints = ["https"]
+  [tlsConfiguration.certificate]
+    certFile = "integration/fixtures/https/snitest.com.cert"
+    keyFile = "integration/fixtures/https/snitest.com.key"
+
+[[tlsConfiguration]]
+entryPoints = ["https"]
+  [[tlsConfiguration.certificates]]
+  certFile = "integration/fixtures/https/snitest.org.cert"
+  keyFile = "integration/fixtures/https/snitest.org.key"
 ```

 ## Multiple `.toml` Files

-You could have multiple `.toml` files in a directory:
+You could have multiple `.toml` files in a directory (and recursively in its sub-directories):

 ```toml
 [file]
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@ -27,11 +27,11 @@ To redirect an http entrypoint to an https entrypoint (with SNI support).
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
+      certFile = "integration/fixtures/https/snitest.org.cert"
+      keyFile = "integration/fixtures/https/snitest.org.key"
 ```

 !!! note
@ -53,6 +53,23 @@ To redirect an entrypoint rewriting the URL.
 !!! note
    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).

+## TLS
+
+Define an entrypoint with SNI support.
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
+```
+
+!!! note
+    If an empty TLS configuration is done, default self-signed certificates are generated.
+
 ## TLS Mutual Authentication

 Only accept clients that present a certificate signed by a specified Certificate Authority (CA).
@ -71,11 +88,11 @@ In the example below both `snitest.com` and `snitest.org` will require client ce
  [entryPoints.https.tls]
  ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
    [[entryPoints.https.tls.certificates]]
-    CertFile = "integration/fixtures/https/snitest.com.cert"
-    KeyFile = "integration/fixtures/https/snitest.com.key"
+    certFile = "integration/fixtures/https/snitest.com.cert"
+    keyFile = "integration/fixtures/https/snitest.com.key"
    [[entryPoints.https.tls.certificates]]
-    CertFile = "integration/fixtures/https/snitest.org.cert"
-    KeyFile = "integration/fixtures/https/snitest.org.key"
+    certFile = "integration/fixtures/https/snitest.org.cert"
+    keyFile = "integration/fixtures/https/snitest.org.key"
 ```

 ## Authentication