Traefik:覆盖某些默认TLS选项的问题

编程问答 2022-08-15

问题描述

如果这个问题已经得到解决,我事先表示歉意,但是我找不到任何东西。

我使用traefik 2.2.1版。

我有2条路由safe.example.comexample.com分别指向不同的服务:第一个路由要求提供客户端证书,而另一条路由则不需要。

我还想使用let'encrypt获得对以下两种路由均有效的证书:CN: example.comSAN: example.com,safe.example.com

Traefik具有两个入口点:web(http)和websecure(https)。 web入口点只是将所有请求重定向websecure

我希望safe路由要求客户端证书(safe TLS选项)而不损害证书解析器(default TLS选项):当我设置TLS选项字段时在路由器级别,根据我在文档https://docs.traefik.io/v2.2/routing/entrypoints/#tls中阅读的内容,根本不会应用认配置(在入口点级别应用)。我说的对吗?

我不想弄乱我的配置,因此在尝试应用此配置之前,我想特别确定一下。预先感谢。

这是我的配置:

  • 静态

[providers]

[providers.file]

directory = "/etc/traefik/dynamic/"

watch = true

[entryPoints]

[entryPoints.web]

address = ":80"

[entryPoints.web.http.redirections]

[entryPoints.web.http.redirections.entryPoint]

to = "websecure"

[entryPoints.websecure]

address = ":443"

[entryPoints.websecure.http.tls]

options = "default"

certResolver = "letsenc"

[[entryPoints.websecure.http.tls.domains]]

main = "example.com"

sans = ["safe.example.com"]

[api]

insecure = false

dashboard = true

debug = false

[certificatesResolvers]

[certificatesResolvers.letsenc]

[certificatesResolvers.letsenc.acme]

email = "[email protected]"

storage = "/etc/traefik/acme.json"

[certificatesResolvers.letsenc.acme.httpChallenge]

entryPoint = "web"
  • 动态

[http.routers]

[http.routers.app]

rule = "Host(`example.com`)"

service = "app"

entryPoints = ["websecure"]

[http.routers.safe]

rule = "Host(`safe.example.com`)"

service = "safe"

entryPoints = ["websecure"]

[http.routers.safe.tls]

options = "safe"

[http.services]

[http.services.app.loadBalancer]

[[http.services.app.loadBalancer.servers]]

url = "http://app:3000"

[http.services.safe.loadBalancer]

[[http.services.safe.loadBalancer.servers]]

url = "http://safe:3000"

[tls.options]

[tls.options.default]

minVersion = "VersionTLS12"

sniStrict = true

cipherSuites = [

"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_poly1305","TLS_ECDHE_RSA_WITH_CHACHA20_poly1305"

]

[tls.options.safe]

minVersion = "VersionTLS12"

sniStrict = true

cipherSuites = [

"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_poly1305"

]

[tls.options.safe.clientAuth]

caFiles = ["/etc/traefik/certs/ca.cert.pem"]

clientAuthType = "RequireAndVerifyClientCert"

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

client-certificateshttpshttpslets-encryptssltraefik