TLS

    See the Let’s Encrypt page.

    User defined

    To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the dynamic configuration, in the section:

    File (YAML)

    File (TOML)

    1. # Dynamic configuration
    3. [[tls.certificates]]
    4.   certFile = "/path/to/domain.cert"
    5.   keyFile = "/path/to/domain.key"
    7. [[tls.certificates]]
    8.   certFile = "/path/to/other-domain.cert"
    9.   keyFile = "/path/to/other-domain.key"

    Restriction

    In the above example, we’ve used the to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by .

    In Traefik, certificates are grouped together in certificates stores, which are defined as such:

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   stores:
    5.     default: {}

    File (TOML)

    1. # Dynamic configuration
    3. [tls.stores]
    4.   [tls.stores.default]

    Restriction

    Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

    In the tls.certificates section, a list of stores can then be specified to indicate where the certificates should be stored:

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   certificates:
    5.     - certFile: /path/to/domain.cert
    6.       keyFile: /path/to/domain.key
    7.       stores:
    8.         - default
    9.     # Note that since no store is defined,
    10.     # the certificate below will be stored in the `default` store.
    11.     - certFile: /path/to/other-domain.cert
    12.       keyFile: /path/to/other-domain.key

    File (TOML)

    1. # Dynamic configuration
    3. [[tls.certificates]]
    4.   certFile = "/path/to/domain.cert"
    5.   keyFile = "/path/to/domain.key"
    6.   stores = ["default"]
    8. [[tls.certificates]]
    9.   # Note that since no store is defined,
    10.   # the certificate below will be stored in the `default` store.
    11.   certFile = "/path/to/other-domain.cert"
    12.   keyFile = "/path/to/other-domain.key"

    Restriction

    The stores list will actually be ignored and automatically set to ["default"].

    Default Certificate

    Traefik can use a default certificate for connections without a SNI, or without a matching domain. This default certificate should be defined in a TLS store:

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   stores:
    5.     default:
    6.       defaultCertificate:
    7.         certFile: path/to/cert.crt
    8.         keyFile: path/to/cert.key

    File (TOML)

    1. # Dynamic configuration
    3. [tls.stores]
    4.   [tls.stores.default]
    5.     [tls.stores.default.defaultCertificate]
    6.       certFile = "path/to/cert.crt"
    7.       keyFile  = "path/to/cert.key"

    If no default certificate is provided, Traefik generates and uses a self-signed certificate.

    ‘default’ TLS Option

    The default option is special. When no tls options are specified in a tls router, the default option is used.
    When specifying the default option explicitly, make sure not to specify provider namespace as the default option does not have one.
    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label, you must specify the provider namespace, for example:
    traefik.http.routers.myrouter.tls.options=myoptions@file

    TLSOptions in Kubernetes

    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that, if not explicitly overwritten, should apply to all ingresses.
    To achieve that, you’ll have to create a TLSOptions CR with the name default. There may exist only one TLSOption with the name default (across all namespaces) - otherwise they will be dropped.
    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you’ll have to add an annotation to the Ingress in the following form: traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       minVersion: VersionTLS12
    8.     mintls13:
    9.       minVersion: VersionTLS13

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    5.     minVersion = "VersionTLS12"
    7.   [tls.options.mintls13]

    Kubernetes

    Maximum TLS Version

    We discourage the use of this setting to disable TLS1.3.

    The recommended approach is to update the clients to support TLS1.3.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       maxVersion: VersionTLS13
    8.     maxtls12:
    9.       maxVersion: VersionTLS12

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    5.   [tls.options.default]
    6.     maxVersion = "VersionTLS13"
    8.   [tls.options.maxtls12]
    9.     maxVersion = "VersionTLS12"

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   maxVersion: VersionTLS13
    10. ---
    11. apiVersion: traefik.containo.us/v1alpha1
    12. kind: TLSOption
    13. metadata:
    14.   name: maxtls12
    15.   namespace: default
    17. spec:
    18.   maxVersion: VersionTLS12

    Cipher Suites

    See for more information.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       cipherSuites:
    7.         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    4.   [tls.options.default]
    5.     cipherSuites = [
    6.       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    7.     ]

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   cipherSuites:
    9.     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    TLS 1.3

    Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (https://tools.ietf.org/html/rfc8446)
    With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).

    This option allows to set the preferred elliptic curves in a specific order.

    The names of the curves defined by crypto (e.g. CurveP521) and the (e. g. secp521r1) can be used.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       curvePreferences:
    7.         - CurveP521
    8.         - CurveP384

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    4.   [tls.options.default]
    5.     curvePreferences = ["CurveP521", "CurveP384"]

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   curvePreferences:
    9.     - CurveP384

    Strict SNI Checking

    With strict SNI checking enabled, Traefik won’t allow connections from clients that do not specify a server_name extension or don’t match any certificate configured on the tlsOption.

    File (YAML)

    File (TOML)

    1. # Dynamic configuration
    4.   [tls.options.default]
    5.     sniStrict = true

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   sniStrict: true

    Prefer Server Cipher Suites

    This option allows the server to choose its most preferred cipher suite instead of the client’s. Please note that this is enabled automatically when minVersion or maxVersion are set.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       preferServerCipherSuites: true

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    4.   [tls.options.default]
    5.     preferServerCipherSuites = true

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   preferServerCipherSuites: true

    Optional, Default=”h2, http/1.1, acme-tls/1”

    This option allows to specify the list of supported application level protocols for the TLS handshake, in order of preference. If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       alpnProtocols:
    7.         - http/1.1
    8.         - h2

    File (TOML)

    1. # Dynamic configuration
    3. [tls.options]
    4.   [tls.options.default]
    5.     alpnProtocols = ["http/1.1", "h2"]

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   alpnProtocols:
    9.     - http/1.1
    10.     - h2

    Client Authentication (mTLS)

    Traefik supports mutual authentication, through the clientAuth section.

    For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in clientAuth.caFiles.

    The clientAuth.clientAuthType option governs the behaviour as follows:

    • NoClientCert: disregards any client certificate.
    • RequestClientCert: asks for a certificate but proceeds anyway if none is provided.
    • RequireAnyClientCert: requires a certificate but does not verify if it is signed by a CA listed in clientAuth.caFiles.
    • VerifyClientCertIfGiven: if a certificate is provided, verifies if it is signed by a CA listed in clientAuth.caFiles. Otherwise proceeds without any certificate.
    • RequireAndVerifyClientCert: requires a certificate, which must be signed by a CA listed in clientAuth.caFiles.

    File (YAML)

    1. # Dynamic configuration
    3. tls:
    4.   options:
    5.     default:
    6.       clientAuth:
    7.         # in PEM format. each file can contain multiple CAs.
    8.         caFiles:
    9.           - tests/clientca1.crt
    10.           - tests/clientca2.crt
    11.         clientAuthType: RequireAndVerifyClientCert

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: TLSOption
    3. metadata:
    4.   name: default
    5.   namespace: default
    7. spec:
    8.   clientAuth:
    9.     # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
    10.     secretNames:
    12.     clientAuthType: RequireAndVerifyClientCert