Traefik-based aggressive TLS security configuration practices
This article was last updated on: July 24, 2024
Preface
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
Traefik integrates with many existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS…) and configures itself automatically and dynamically.
Today we use Traefik on K8S to walk through how to configure TLS security "aggressively".
Basic information about the environment
- K8S cluster;
- Domain name: e-whisper.com (DNS hosted at DNSPod, pointed to the public address of the LoadBalancer of the Traefik Ingress of the K8S cluster);
- Certificate *.e-whisper.com, requested and renewed automatically by cert-manager and used as Traefik's default certificate; cert-manager lives in the cert-manager NameSpace;
- Traefik 2.4.8 is installed on the K8S cluster in the kube-system NameSpace, with its CRDs configured.
“Aggressive” TLS configuration
Site-wide trusted certificate + HTTPS. The details are as follows:
- Site-wide HTTPS on port 443;
- Certificate from Let's Encrypt, requested automatically by cert-manager (⚡ aggressive, use in production with caution!);
- Listen for HTTP requests and redirect them to HTTPS (⚡ aggressive, use with caution!);
- Enable HSTS (⚡ aggressive, use with caution!);
- TLS version limited to TLS 1.3 (⚡ aggressive, use in production with caution!).
Configuration practices
The TLS version is limited to TLS 1.3
Configured with the Traefik CRD TLSOption. The configuration is as follows:
💡 Explanation:
minVersion: VersionTLS13
Sets the minimum TLS version to TLS 1.3; clients that only speak TLS 1.2 or lower are rejected during the handshake.
⚠️ Warning:
To be safe, it is recommended to set
namespace: kube-system
i.e. keep it consistent with the NameSpace where Traefik is located.
Certificate
Configured with the Traefik CRD TLSStore. The configuration is as follows:
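An added example (not the author's manifest) of the TLSStore described below, together with an assumed cert-manager Certificate that produces the Secret it points to. Everything about the Certificate other than the Secret name and the wildcard domain is an assumption, in particular the ClusterIssuer name letsencrypt-dns01; Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, so that issuer would have to solve the challenge at DNSPod.

```yaml
# Added example (not the article's own manifest): TLSStore holding the default
# certificate Traefik presents when no router-specific certificate matches.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default            # Traefik only reads the store named "default"; others are ignored
  namespace: cert-manager  # must be the NameSpace that holds the Secret below
spec:
  defaultCertificate:
    secretName: ewhisper-crt-secret   # kubernetes.io/tls Secret written and renewed by cert-manager
---
# Assumed cert-manager Certificate that fills that Secret (not in the article).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ewhisper-crt
  namespace: cert-manager
spec:
  secretName: ewhisper-crt-secret
  dnsNames:
    - "*.e-whisper.com"
    - e-whisper.com          # the wildcard does not cover the apex name
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01  # assumed name; must use a DNS-01 solver for the wildcard
```

The Secret and the TLSStore share a namespace because Traefik resolves secretName inside the TLSStore's own namespace; a TLSStore in kube-system pointing at a Secret in cert-manager would silently fail to load the certificate.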
💡 Explanation:
secretName: ewhisper-crt-secret
This is the Secret into which cert-manager writes the certificate it requests from Let's Encrypt (cert-manager also renews it automatically before it expires). Traefik uses this certificate as its default, i.e. for every TLS router that does not specify a certificate of its own.
⚠️ Warning:
For the TLSStore, note that
namespace: cert-manager
must be the NameSpace where the certificate's Secret is located.
The next two features:
- HTTP redirect to HTTPS
- Enable HSTS
are both configured via the Traefik CRD Middleware.
HTTP redirects to HTTPS
Traefik CRD Middleware - redirectshttps
The configuration is as follows:
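An added example (not the author's manifest) of the redirectshttps Middleware explained below. The namespace is an assumption: a Middleware referenced by bare name from an IngressRoute is looked up in that IngressRoute's namespace.

```yaml
# Added example (not the article's own manifest): server-side HTTP -> HTTPS redirect.
# The namespace is an assumption (same namespace as the IngressRoute that uses it).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectshttps
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true   # 301 Moved Permanently; false would send 302 Found
    # port: "443"     # only needed when HTTPS is not served on the default port
```

Requests that already arrived over TLS are left alone, so attaching this middleware to a router that listens on both web and websecure does not loop. Browsers cache a 301, so if the target is in any doubt test with permanent: false first. Since Traefik 2.2 the same effect is also available for a whole entryPoint, without touching each IngressRoute, through the static option --entrypoints.web.http.redirections.entryPoint.to=websecure.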
💡 Explanation:
redirectScheme
: protocol (scheme) redirection;
scheme: https
: requests that arrive over HTTP are redirected to HTTPS;
permanent: true
: use a permanent redirect (HTTP 301) rather than a temporary one (302).
Enable HSTS
Traefik CRD Middleware - hsts-header
The configuration is as follows:
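An added example (not the author's manifest) of the hsts-header Middleware explained below, with the stricter HSTS variants and the middleware's native HSTS fields shown as comments; the namespace is an assumption.

```yaml
# Added example (not the article's own manifest): Middleware that adds the HSTS header.
# The namespace is an assumption (same namespace as the IngressRoute that uses it).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hsts-header
  namespace: default
spec:
  headers:
    customResponseHeaders:
      Strict-Transport-Security: "max-age=63072000"   # 2 years, this host only
      # Stricter variants (not in the article). Add includeSubDomains only once every
      # subdomain is HTTPS-only, and preload only if you intend to submit the domain
      # to the browser preload list; both are very hard to undo:
      # Strict-Transport-Security: "max-age=63072000; includeSubDomains"
      # Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload"
    # The headers middleware also has native HSTS fields; use them instead of the
    # custom header, not in addition to it. Unlike customResponseHeaders they are
    # only emitted on HTTPS responses unless forceSTSHeader is set to true:
    # stsSeconds: 63072000
    # stsIncludeSubdomains: true
    # stsPreload: true
```

With customResponseHeaders the header is also attached to the 301 that the redirect middleware returns over plain HTTP; that is harmless, because browsers only honour Strict-Transport-Security received over a valid HTTPS connection (RFC 6797).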
💡 Explanation:
customResponseHeaders
: header names and values to add to the response.
Strict-Transport-Security: 'max-age=63072000'
: the "HTTP Strict Transport Security" response header. A browser that has received it will, for the next 63072000 seconds (about two years), access the site over HTTPS only, upgrading any http:// link to https:// itself before the request is sent. (HSTS is a browser-side redirect, whereas the "HTTP redirect to HTTPS" above is a server-side redirect.) With a two-year max-age, any later TLS breakage on the site locks returning visitors out for that long, which is why this is marked aggressive.
Specific domain name configuration
All of the above configuration:
- TLS version limited to TLS 1.3
- Certificate
- HTTP redirect to HTTPS
- Enable HSTS
is defined once. The TLSOption and TLSStore apply globally, while the two Middlewares only take effect on the routers that reference them. Next comes the per-domain configuration, here for example.e-whisper.com.
Configured with the Traefik CRD IngressRoute. The configuration is as follows:
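An added example (not the author's manifest) of the IngressRoute for example.e-whisper.com explained below. Assumptions: the IngressRoute lives in the default NameSpace next to the example Service, and the two Middlewares live there too, which is why they are referenced by bare name.

```yaml
# Added example (not the article's own manifest): IngressRoute for example.e-whisper.com.
# Assumptions: IngressRoute, Service "example" and both Middlewares are in "default".
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example
  namespace: default
spec:
  entryPoints:
    - web        # :8000 in the pod, port 80 on the LoadBalancer: plain HTTP
    - websecure  # :8443 in the pod, port 443 on the LoadBalancer: TLS enabled on the entryPoint
  routes:
    - kind: Rule
      match: Host(`example.e-whisper.com`)
      middlewares:            # applied in this order
        - name: hsts-header
        - name: redirectshttps
      services:
        - name: example
          port: 8080
  # No "tls:" block on purpose. TLS is already enabled on the websecure entryPoint, so the
  # router is served there with the default certificate (TLSStore) and the default TLSOption,
  # while on "web" it stays a plain-HTTP router and the redirect middleware can fire.
  # A router with a "tls:" section is HTTPS-only and ignores non-TLS requests, so adding
  # "tls: {}" here would make the request on "web" stop matching and never be redirected.
```

Traefik creates one router per listed entryPoint from this single resource: the copy on web answers http://example.e-whisper.com with a 301 to https://, and the copy on websecure serves the application with the HSTS header. If the websecure entryPoint did not have TLS enabled statically, the HTTPS half would instead need its own IngressRoute carrying a tls: {} section.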
💡 Explanation:
- entryPoints: EntryPoints are the network entry points into Traefik. They define the port on which packets are received and whether that port is TCP or UDP. As shown in the following figure:
  Here the entryPoints are static configuration, set directly on the Traefik Deployment, as follows:
  - entryPoint traefik: address :9000/tcp
  - entryPoint web: address :8000/tcp
  - entryPoint websecure: address :8443/tcp, with TLS enabled, so every router attached to it is served over TLS with the default certificate and default TLSOption
  These are then exposed to the public network through a Service of type LoadBalancer on ports 80 and 443 (the traefik entryPoint is not exposed through the Service, so it cannot be reached even if an IngressRoute uses it), so:
  - websecure: example.e-whisper.com can be reached at https://example.e-whisper.com:443;
  - web: example.e-whisper.com can be reached at http://example.e-whisper.com:80.
- kind: Rule: a Rule is a set of matchers configured with values (the match field) that determine whether a particular request meets a particular condition. If the rule matches, the Route becomes active, invokes its middlewares, and then forwards the request to the service.
- match: Host(`example.e-whisper.com`): checks whether the request's domain name (the Host header value) is one of the given domains, here example.e-whisper.com.
- middlewares: Middleware attached to a Route is a way to tweak a request before it is sent to the service (or the service's response before it is sent back to the client). Traefik ships several middlewares: some modify requests or headers, some handle redirection, some add authentication, and so on. Middlewares that use the same protocol can be combined into chains to suit each scenario; they run in the order they are listed. The following figure shows the role of middleware:
  - name: hsts-header: the HSTS middleware (reusable)
  - name: redirectshttps: the HTTP-to-HTTPS redirect middleware (reusable)
- services: forwards the request to port 8080 of the example Service in the K8S default NameSpace.
Applying the configuration
Assuming the above configurations are placed in the ./traefik-sec directory, run the following command to apply them:
Verify
Browser access
Open http://example.e-whisper.com directly in the browser: it redirects to https://example.e-whisper.com, and the certificate is valid.
☝ HTTP redirection to HTTPS is in effect
Verified by SSL Labs
Validate with the SSL Labs SSL Server Test. The results are as follows:
☝ The score is A and HSTS is enabled
☝ The certificate is the valid *.e-whisper.com certificate
☝ Only TLS 1.3 is supported
🎉🎉🎉