Traefik-based aggressive TLS security configuration practices

preface

Traefikis a modern HTTP reverse proxy and load balancer that makes it easy to deploy microservices.

Traefik can be integrated with multiple existing infrastructure components (Docker, Swarm pattern, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS…). Integrate and configure yourself automatically and dynamically.

Today we are using Traefik on K8S to detail how to “aggressively” configure TLS security.

Basic information about the environment

1. K8S cluster;
2. Domain name:e-whisper.com(DNSPod managed by DNSPod, pointed to the public address of the LoadBalancer of Traefik Ingress of the K8S cluster)
3. Certificates that are managed automatically using cert-manager *.e-whisper.com as Traefik’s default certificate; cert-manager is located at cert-manager NameSpace
4. Traefik 2.4.8 is installed on a K8S cluster kube-system NameSpace and configured with CRDs.

“Aggressive” TLS configuration

Site-wide trusted certificate + HTTPS. The details are as follows:

1. Site-wide HTTPS 443 port configuration;
2. Certificate from Let’s Encrypt (automatically applied by cert-manager) (⚡ radical, production with caution!). ）
3. Listen for HTTP requests and redirect to HTTPS; (⚡ Radical, use sparing!) ）
4. Enable HSTS functionality (⚡ aggressive, use sparing!) ）
5. TLS version limited to TLS 1.3 (⚡ aggressive, production with caution!). ）

Configuration practices

The TLS version is limited to TLS 1.3

CRD with Traefik - TLSOption The configuration is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kube-system

spec:
  minVersion: VersionTLS13

💡 illustrate：

• minVersion: VersionTLS13 Specify a minimum version of TLS as TLS 1.3.

⚠️ Warning:

Just in case, recommended namespace: kube-system Be consistent with the ns where Traefik is located.

certificate

CRD with Traefik - TLSStore The configuration is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: cert-manager

spec:
  defaultCertificate:
    secretName: ewhisper-crt-secret

💡 illustrate：

• secretName: ewhisper-crt-secret This is where cert-manager automatically requests certificates from Let’s Encrypt (cert-manager is responsible for automatically updating the certificate on a regular basis). Traefik uses this certificate as the default.

⚠️ Warning:

TLSStore, attention namespace: cert-manager You must be in the NameSpace where the certificate’s secret is located.

Next 2 features:

1. HTTP redirects to HTTPS
2. Enable HSTS

All via Traefik CRD - Middleware to configure.

HTTP redirects to HTTPS

Traefik CRD Middleware - redirectshttps The configuration is as follows:

# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectshttps
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true

💡 illustrate：

• redirectScheme: Protocol redirection
• scheme: https: The HTTP protocol is redirected to HTTPS
• permanent: true: Set to true to apply a permanent redirect.

Enable HSTS

Traefik CRD Middleware - hsts-header The configuration is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hsts-header
  namespace: kube-system
spec:
  headers:
    customResponseHeaders:
      Strict-Transport-Security: 'max-age=63072000'

• customResponseHeaders The name and value applied to the response header.
• Strict-Transport-Security: 'max-age=63072000': That is, the “HTTP strict transmission security” response header, the browser that receives the response header will visit the website within 63072000s (about 2 years), even if it is http, the browser will automatically jump to https. (HSTS is a browser-side redirect, and the previous “HTTP redirect to HTTPS” is a server-side redirect)

Specific domain name configuration

All of the above configurations, including:

1. The TLS version is limited to TLS 1.3
2. certificate
3. HTTP redirects to HTTPS
4. Enable HSTS

It’s all a global configuration, and then it’s domain-specific - here example.e-whisper.com to configure.

CRD with Traefik - IngressRoute The configuration is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example
  namespace: cert-manager
spec:
  entryPoints:
    - websecure
    - web
  routes:
    - match: Host(`example.e-whisper.com`)
      kind: Rule
      middlewares:
        - name: hsts-header
          namespace: kube-system
        - name: redirectshttps
          namespace: kube-system
      services:
        - name: example
          namespace: default
          port: 8080
  tls: {}

💡 illustrate：

• entryPoints: EntryPoints is the network entry point into Traefik. They define the port on which packets will be received and whether TCP or UDP is listening. As shown in the following figure:

  
  Here entryPoints is a static configuration, which is directly statically configured in Traefik Deployment, as shown below:
  

  • entryPoint - traefik The address ports are::9000/tcp
  • entryPoint - web The address ports are::8000/tcp
  • entryPoint - websecure The address ports are::8443/tcp, and TLS is true
  • Then, via Serivce Type: LoadBalancer Exposed to the public network: ports 80 and 443 (as forentryPoint - traefik It has not been exposed through SVC, so it cannot be accessed even if IngressRoute is equipped), as follows:
    

• websecure Namely:example.e-whisper.com Can pass https://example.e-whisper.com:443 Visit;

• web Namely:example.e-whisper.com Can pass http://example.e-whisper.com:80 Visit;

• kind: Rule A Rule is a set of matched people configured with values (i.e. match), which determines whether a particular request matches a particular condition. If the rule is validated, the Route becomes active, invokes the middleware, and then forwards the request to the service.

• match: Host(`example.e-whisper.com`): Here is to check if the request domain name (host header value) is named after one of the given domains (ieexample.e-whisper.com) for the goal.

• middlewares: Middleware that connects to Route is a way to tune a request before it is sent to your service (or before the service’s answer is sent to the client). There are several middleware available in Trafik, some can modify requests, headers, some are responsible for redirection, some add authentication, and so on. Middleware using the same protocol can be combined into chains to suit each scenario. The following figure shows the role of middleware:

  

• name: hsts-header HSTS-enabled middleware (can be reused)

• name: redirectshttps Middleware with HTTP redirect to HTTPS enabled (can be reused)

• services... Forward to K8S default NameSpace example Port 8080 of the service.

The configuration takes effect

Suppose the above configurations are placed in ./traefik-sec directory, run the following command to take effect:

kubectl apply -f ./traefik-sec

verify

Browser access

Direct browser access http://example.e-whisper.com Domain name, jump to http://example.e-whisper.com, and the certificate is valid.

☝ HTTP redirection to HTTPS is in effect

Verified by SSL Labs

at SSL Server Test for SSL Labs , Validate. The verification results are as follows:

☝ The score is A and HSTS is enabled

☝ The certificate is *.e-whisper.com Legitimate certificate

☝ The TLS protocol only supports TLS 1.3

🎉🎉🎉

Resources

• Use cert-manager to issue a free certificate for dnspod’s domain name Written by Roc
• Traefik official documentation
• Traefik 2.3.x uses Daquan (Update) | Written by Yang Ming
• Mozilla SSL Configuration Generator