TLS

Transport Layer Security

Certificates Definition

Automated

See the Let's Encrypt page.

User defined

To add or remove TLS certificates, even while Traefik is already running, their definition can be added to the dynamic configuration in the [[tls.certificates]] section:

File (TOML)

# Dynamic configuration

[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"

[[tls.certificates]]
  certFile = "/path/to/other-domain.cert"
  keyFile = "/path/to/other-domain.key"

File (YAML)

# Dynamic configuration

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

Restriction

In the above example, the file provider is used to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.

Certificates Stores

In Traefik, certificates are grouped together in certificate stores, which are defined as follows:

File (TOML)

# Dynamic configuration

[tls.stores]
  [tls.stores.default]

File (YAML)

# Dynamic configuration

tls:
  stores:
    default: {}

Restriction

Any store definition other than the default one (named default) is ignored, so there is only one globally available TLS store.

In the tls.certificates section, a list of stores can then be specified to indicate where the certificates should be stored:

File (TOML)

# Dynamic configuration

[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"
  stores = ["default"]

[[tls.certificates]]
  # Note that since no store is defined,
  # the certificate below will be stored in the `default` store.
  certFile = "/path/to/other-domain.cert"
  keyFile = "/path/to/other-domain.key"

File (YAML)

# Dynamic configuration

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
      stores:
        - default
    # Note that since no store is defined,
    # the certificate below will be stored in the `default` store.
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

Restriction

The stores list is actually ignored and automatically set to ["default"].

Default Certificate

Traefik can use a default certificate for connections without SNI, or without a matching domain. This default certificate should be defined in a TLS store:

File (TOML)

# Dynamic configuration

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "path/to/cert.crt"
      keyFile  = "path/to/cert.key"

File (YAML)

# Dynamic configuration

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

If no default certificate is provided, Traefik generates and uses a self-signed certificate.

TLS Options

The TLS options allow you to configure some parameters of the TLS connection.

Minimum TLS Version

File (TOML)

# Dynamic configuration

[tls.options]

  [tls.options.default]
    minVersion = "VersionTLS12"

  [tls.options.mintls13]
    minVersion = "VersionTLS13"

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      minVersion: VersionTLS12

    mintls13:
      minVersion: VersionTLS13

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mintls13
  namespace: default

spec:
  minVersion: VersionTLS13

Maximum TLS Version

We discourage the use of this setting to disable TLS 1.3.

The recommended approach is to update the clients to support TLS 1.3.

File (TOML)

# Dynamic configuration

[tls.options]

  [tls.options.default]
    maxVersion = "VersionTLS13"

  [tls.options.maxtls12]
    maxVersion = "VersionTLS12"

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      maxVersion: VersionTLS13

    maxtls12:
      maxVersion: VersionTLS12

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  maxVersion: VersionTLS13

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: maxtls12
  namespace: default

spec:
  maxVersion: VersionTLS12

Cipher Suites

See cipherSuites for more information.

File (TOML)

# Dynamic configuration

[tls.options]
  [tls.options.default]
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    ]

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS 1.3

Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa (https://tools.ietf.org/html/rfc8446).

With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case): https://golang.org/doc/go1.12#tls_1_3

Curve Preferences

This option allows setting the preferred elliptic curves in a specific order.

Both the curve names defined by crypto (e.g. CurveP521) and the RFC-defined names (e.g. secp521r1) can be used.

See CurveID for more information.

File (TOML)

# Dynamic configuration

[tls.options]
  [tls.options.default]
    curvePreferences = ["CurveP521", "CurveP384"]

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      curvePreferences:
        - CurveP521
        - CurveP384

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  curvePreferences:
    - CurveP521
    - CurveP384

Strict SNI Checking

With strict SNI checking, Traefik refuses connections from clients that do not specify a server_name extension.

File (TOML)

# Dynamic configuration

[tls.options]
  [tls.options.default]
    sniStrict = true

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      sniStrict: true

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  sniStrict: true
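The default-certificate fallback, the minVersion/maxVersion bounds and the sniStrict check described above all map directly onto Go's crypto/tls, which Traefik is built on. The following is an added example, not Traefik's own code: it builds a tls.Config from those three settings, mints constructed self-signed certificates in memory, and runs real handshakes over net.Pipe so the negotiated version and the served certificate can be observed. The function names (selfSigned, serverConfig, handshake) and the host names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway certificate for host: constructed test data standing in
// for a tls.certificates entry or for the self-signed default Traefik generates itself.
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig applies the page's rules: minVersion/maxVersion bound negotiation, the store entry
// matching the SNI is served, anything else gets def, and sniStrict refuses a ClientHello without server_name.
func serverConfig(minV, maxV uint16, sniStrict bool, store map[string]tls.Certificate, def tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: minV, MaxVersion: maxV,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if h.ServerName == "" && sniStrict {
				return nil, errors.New("sniStrict: ClientHello carries no server_name")
			}
			if c, ok := store[h.ServerName]; ok {
				return &c, nil
			}
			return &def, nil
		}}
}

// handshake runs one in-memory handshake (sni "" = client without SNI) and returns the negotiated version plus the DNS name of the certificate actually served.
func handshake(srv *tls.Config, sni string) (uint16, string, error) {
	c, s := net.Pipe()
	defer c.Close() // closing our end also unblocks the server goroutine
	go func() { _ = tls.Server(s, srv).Handshake() }()
	cli := tls.Client(c, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // test client: self-signed peer, no chain to verify
	if err := cli.Handshake(); err != nil { return 0, "", err }
	st := cli.ConnectionState()
	return st.Version, st.PeerCertificates[0].DNSNames[0], nil
}
```

Run with sniStrict set to false and an empty SNI to see the default certificate being served, then set sniStrict to true to see the same client refused during the handshake.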

Client Authentication (mTLS)

Traefik supports mutual authentication through the clientAuth section.

For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in clientAuth.caFiles.

The clientAuth.clientAuthType option governs the behaviour as follows:

  • NoClientCert : disregards any client certificate.
  • RequestClientCert : asks for a certificate but proceeds anyway if none is provided.
  • RequireAnyClientCert : requires a certificate but does not verify that it is signed by a CA listed in clientAuth.caFiles.
  • VerifyClientCertIfGiven : if a certificate is provided, verifies that it is signed by a CA listed in clientAuth.caFiles. Otherwise proceeds without any certificate.
  • RequireAndVerifyClientCert : requires a certificate, which must be signed by a CA listed in clientAuth.caFiles.

File (TOML)

# Dynamic configuration

[tls.options]
  [tls.options.default]
    [tls.options.default.clientAuth]
      # in PEM format. each file can contain multiple CAs.
      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
      clientAuthType = "RequireAndVerifyClientCert"

File (YAML)

# Dynamic configuration

tls:
  options:
    default:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - tests/clientca1.crt
          - tests/clientca2.crt
        clientAuthType: RequireAndVerifyClientCert

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  clientAuth:
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert