mirror of
https://github.com/containous/traefik.git
synced 2024-12-24 21:34:39 +03:00
Allow PreferServerCipherSuites as a TLS Option
This commit is contained in:
parent
94b2b6393f
commit
7c430e5c9d
@ -347,6 +347,39 @@ spec:
|
||||
sniStrict: true
|
||||
```
|
||||
|
||||
### Prefer Server Cipher Suites
|
||||
|
||||
This option allows the server to choose its most preferred cipher suite instead of the client's.
|
||||
Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
# Dynamic configuration
|
||||
|
||||
[tls.options]
|
||||
[tls.options.default]
|
||||
preferServerCipherSuites = true
|
||||
```
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
# Dynamic configuration
|
||||
|
||||
tls:
|
||||
options:
|
||||
default:
|
||||
preferServerCipherSuites: true
|
||||
```
|
||||
|
||||
```yaml tab="Kubernetes"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: default
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
preferServerCipherSuites: true
|
||||
```
|
||||
|
||||
### Client Authentication (mTLS)
|
||||
|
||||
Traefik supports mutual authentication, through the `clientAuth` section.
|
||||
|
@ -357,6 +357,7 @@
|
||||
cipherSuites = ["foobar", "foobar"]
|
||||
curvePreferences = ["foobar", "foobar"]
|
||||
sniStrict = true
|
||||
preferServerCipherSuites = true
|
||||
[tls.options.Options0.clientAuth]
|
||||
caFiles = ["foobar", "foobar"]
|
||||
clientAuthType = "foobar"
|
||||
@ -366,6 +367,7 @@
|
||||
cipherSuites = ["foobar", "foobar"]
|
||||
curvePreferences = ["foobar", "foobar"]
|
||||
sniStrict = true
|
||||
preferServerCipherSuites = true
|
||||
[tls.options.Options1.clientAuth]
|
||||
caFiles = ["foobar", "foobar"]
|
||||
clientAuthType = "foobar"
|
||||
|
@ -397,6 +397,7 @@ tls:
|
||||
- foobar
|
||||
clientAuthType: foobar
|
||||
sniStrict: true
|
||||
preferServerCipherSuites: true
|
||||
Options1:
|
||||
minVersion: foobar
|
||||
maxVersion: foobar
|
||||
@ -412,6 +413,7 @@ tls:
|
||||
- foobar
|
||||
clientAuthType: foobar
|
||||
sniStrict: true
|
||||
preferServerCipherSuites: true
|
||||
stores:
|
||||
Store0:
|
||||
defaultCertificate:
|
||||
|
@ -155,3 +155,27 @@ spec:
|
||||
options:
|
||||
name: myTLSOption
|
||||
namespace: default
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: tlsoption
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
minVersion: foobar
|
||||
maxVersion: foobar
|
||||
cipherSuites:
|
||||
- foobar
|
||||
- foobar
|
||||
curvePreferences:
|
||||
- foobar
|
||||
- foobar
|
||||
clientAuth:
|
||||
caFiles:
|
||||
- foobar
|
||||
- foobar
|
||||
clientAuthType: foobar
|
||||
sniStrict: true
|
||||
preferServerCipherSuites: true
|
||||
|
@ -230,3 +230,27 @@ spec:
|
||||
options:
|
||||
name: myTLSOption
|
||||
namespace: default
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: tlsoption
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
minVersion: foobar
|
||||
maxVersion: foobar
|
||||
cipherSuites:
|
||||
- foobar
|
||||
- foobar
|
||||
curvePreferences:
|
||||
- foobar
|
||||
- foobar
|
||||
clientAuth:
|
||||
caFiles:
|
||||
- foobar
|
||||
- foobar
|
||||
clientAuthType: foobar
|
||||
sniStrict: true
|
||||
preferServerCipherSuites: true
|
||||
|
@ -233,6 +233,7 @@
|
||||
| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
|
||||
| `traefik/tls/options/Options0/maxVersion` | `foobar` |
|
||||
| `traefik/tls/options/Options0/minVersion` | `foobar` |
|
||||
| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
|
||||
| `traefik/tls/options/Options0/sniStrict` | `true` |
|
||||
| `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
|
||||
| `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
|
||||
@ -243,6 +244,7 @@
|
||||
| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
|
||||
| `traefik/tls/options/Options1/maxVersion` | `foobar` |
|
||||
| `traefik/tls/options/Options1/minVersion` | `foobar` |
|
||||
| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
|
||||
| `traefik/tls/options/Options1/sniStrict` | `true` |
|
||||
| `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
|
||||
| `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
|
||||
|
@ -35,7 +35,7 @@ spec:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
preferServerCipherSuites: true
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
@ -35,6 +35,7 @@ spec:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
preferServerCipherSuites: true
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
@ -501,7 +501,8 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
||||
CAFiles: clientCAs,
|
||||
ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType,
|
||||
},
|
||||
SniStrict: tlsOption.Spec.SniStrict,
|
||||
SniStrict: tlsOption.Spec.SniStrict,
|
||||
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
|
||||
}
|
||||
}
|
||||
return tlsOptions
|
||||
|
@ -423,7 +423,8 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
||||
},
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
SniStrict: true,
|
||||
PreferServerCipherSuites: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -1896,7 +1897,8 @@ func TestLoadIngressRoutes(t *testing.T) {
|
||||
},
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
SniStrict: true,
|
||||
PreferServerCipherSuites: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -19,12 +19,13 @@ type TLSOption struct {
|
||||
|
||||
// TLSOptionSpec configures TLS for an entry point
|
||||
type TLSOptionSpec struct {
|
||||
MinVersion string `json:"minVersion,omitempty"`
|
||||
MaxVersion string `json:"maxVersion,omitempty"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty"`
|
||||
MinVersion string `json:"minVersion,omitempty"`
|
||||
MaxVersion string `json:"maxVersion,omitempty"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty"`
|
||||
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
@ -16,12 +16,13 @@ type ClientAuth struct {
|
||||
|
||||
// Options configures TLS for an entry point
|
||||
type Options struct {
|
||||
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
||||
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
||||
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
||||
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
||||
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
@ -219,6 +219,9 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
|
||||
}
|
||||
}
|
||||
|
||||
// Set PreferServerCipherSuites.
|
||||
conf.PreferServerCipherSuites = tlsOption.PreferServerCipherSuites
|
||||
|
||||
// Set the minimum TLS version if set in the config
|
||||
if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
|
||||
conf.PreferServerCipherSuites = true
|
||||
|
Loading…
Reference in New Issue
Block a user