I am trying to set up Traefik to do SSL client certificates much like how I used to do it with Apache, but I can't seem to get it working correctly. I'm using Docker as well; here are the command parameters:
```yaml
command:
  - --defaultEntryPoints=http,https
  - --insecureSkipVerify
  - "--entryPoints=Name:http Address::80 Compress:true Redirect.entryPoint:https"
  # This one works with no authentication
  - "--entryPoints=Name:https Address::443 Compress:true TLS"
  # These don't seem to do anything
  - "--entryPoints=Name:https Address::443 Compress:true TLS CA.Optional:false CA:/run/secrets/CA"
  - --ping
  - --docker
  - --docker.endpoint=tcp://daemon:2375
  - --docker.exposedByDefault=false
  - --docker.swarmMode
  - --docker.watch
  - --acme
  - --acme.email=REDACTED@trajano.net
  - --acme.onhostrule
  - --acme.entrypoint=https
  - --acme.httpchallenge
  - --acme.httpchallenge.entrypoint=http
  - --zookeeper.endpoint=zookeeper:2181
  - --zookeeper.prefix=traefik
  - --acme.storage=traefik/acme/acme.json
```
Actually, it was `CA.Optional` and `CA` after all. I was using Firefox, which auto-selected the certificate, and when I was using Chrome it was using the cached content. So when I cleared the browser cache, things started working.

Note that this approach only validates that the client cert was signed by the CA; it does not perform any extra checks, such as what subject is being used. That's a limitation of Traefik 1.7 at the moment, from what I understand.
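As an added example (not the poster's configuration or Traefik's own code), the Go program below reproduces the two-step check discussed above: first the chain validation that Traefik 1.7 performs against the configured CA, then the subject check it does not perform. The CA, the client certificates and the allow-list of common names are all constructed in-process for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a self-signed CA (parent == nil) or a client-auth leaf signed by parent; keys are throwaway, generated in-process.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: may sign certificates, carries no EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, parentKey = true, true, x509.KeyUsageCertSign, nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClient does what Traefik 1.7's CA option does (chain to the trusted CA), then adds the subject check it lacks.
func verifyClient(cert, ca *x509.Certificate, allowed map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not issued by the trusted CA: %w", err)
	}
	if !allowed[cert.Subject.CommonName] { // a valid CA signature alone is not authorisation
		return fmt.Errorf("CN %q is CA-signed but not on the allow-list", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey := newCert("Demo Client CA", nil, nil)
	allowed := map[string]bool{"alice": true}
	alice, _ := newCert("alice", ca, caKey)
	mallory, _ := newCert("mallory", ca, caKey) // CA-signed, but not an allowed subject
	fmt.Println("alice:", verifyClient(alice, ca, allowed), "| mallory:", verifyClient(mallory, ca, allowed))
}
```

With Traefik 1.7 doing only the first step at the edge, the allow-list step is what a backend (or a later Traefik version with a subject-aware middleware) has to add itself.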