Traefik 2.0 TLS TCP passthrough - ssl

I have a VM0 where Traefik is running as a docker and two target system VM1 and VM2 which both have a webserver running.
All domainA.com requests should go to VM1 via TCP router and tls passthrough, because this webservice is handling the certificates itself.
All domainB.com requests should go to VM2 via http router and Traefik should generate the tls certs for this domain.
My problem now is, as soon as I add any tls config to the http router, it seems tcp passthrough doesn't work anymore. In the logs I see this messages:
time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55103: remote error: tls: unknown certificate"
time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55104: remote error: tls: unknown certificate"
And if I visit the website through Traefik, it shows me a self signed certificate from Traefik.
If I remove then all tls settings under the http router, passthrough is working again.
My Dynamic File:
http:
routers:
HTTProuter0:
rule: "HostRegexp(`{subdomain:[a-z]+}.domainA.com`)"
service: "domainA"
entryPoints:
- "websecure"
tls:
certResolver: "myresolver"
domains:
- main: "domainA.com"
sans:
- "*.domainA.com"
services:
domainA:
loadBalancer:
servers:
- url: "https://192.168.1.13:4433"
tcp:
routers:
TCProuter0:
rule: "HostSNI(`*`)"
service: "domainB"
entryPoints:
- "websecure"
tls:
passthrough: true
services:
domainB:
loadBalancer:
servers:
- address: "192.168.1.11:443"
My static file:
serversTransport:
insecureSkipVerify: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
spain:
address: ":4443"
certificatesResolvers:
myresolver:
acme:
email: email#email.com
storage: /etc/traefik/acme/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 60
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
api:
insecure: true
dashboard: true
providers:
docker: {}
file:
directory: /etc/traefik/config
watch: true
log:
filePath: /etc/traefik/traefik.log
level: DEBUG
I'm stuck at this problem now for hours. I am not sure if it is a bug or if I do something wrong?
Any help would be very appreciated!
Thanks a lot

I found the problem. Unbelievable I wasted so much time for this...
It seems Traefik does not support wildcards in combination with domains in HostSNI.
HostSNI(`*`) => Works
HostSNI(`*.mydomain.com`) => DOESN'T WORK !!!!
HostSNI(`www.mydomain.com`,`web.mydomain.com`) => Work
So I added every domain explicit and now it works.

Related

traefik Mtls problems with configuration

I have a problem with mtls in traefik,
I need to enter traefik as a client with mtls but the configuration that I tried is not working for me since it enters the link without any certificate
http:
routers:
crypto-router:
tls:
options: testmtls
rule: "PathPrefix(`/CryptoTest`)"
entryPoints:
- websecure
service: cryptoTest-service
middlewares:
- cryptoTest-stripprefix
tls:
options:
testmtls:
clientAuth:
caFiles:
- /etc/traefik/cryptolocal.crt
clientAuthType: RequireAndVerifyClientCert
I expected that it would give me some error when connecting the request without a certificate but this not happens and I need only requests with client certificates to entry

Kubernetes Ingress - Application login issue when terminating ssl

I'm using Nginx controller for terminating ssl at ingress level. The application pod is plain http according to the documentation. But during login process there is a 301 internal redirect from http to https. As a result login never succeeds.
Login POST request succeeds but after the redirect the session is lost and I'm requested to enter username and password again and again.
Any idea what's causing this redirect? I'm not sure if its the Ingress controller issue or if the issue is due to a application redirect.
spec:
externalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: http # This is so it terminates ssl traffic
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
Screenshot 1:
Screenshot: 2
Screenshot 3:

Kubernetes Dashboard TLS cert issue

I am deploying the standard Kubernetes Dashboard (Jetstack) to the K3s cluster I have deployed on my RPI cluster, I am using lets-encrypt to provision the TLS cert and setting the following options on the dashboard deployment:
spec:
args:
- --tls-cert-file=/tls.crt
- --tls-key-file=/tls.key
volumeMounts:
- mountPath: /certs
name: kubernetes-dashboard-certs
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: cluster.smigula.com-tls
The cert is valid when I visit the URL in my browser, however the pod raises this:
http: TLS handshake error from 10.42.0.8:43704: remote error: tls: bad certificate
It appears that the ingress is terminating the TLS connection when the pod expects to terminate it. What should I do? Thanks.
[edit] I changed the resource kind from Ingress to IngressRouteTCP and set passthrough: true in the tls: section. Still same result.

How to configure ssl for ldap/opendj while using ISTIO service mesh

I have a couple of microservices and our backend is opendj/ldap. It has been configured to use SSL. Now we are trying to use ISTIO as our k8s service mesh. Every other service works fine but the ldap server - opendj - is not. My gues is it's because of the ssl configuration. It's meant to use self-signed cert.
I have a script that creates a self-signed cert in istio namespace and I have tried to use it like this on the gateway.yaml
- port:
number: 4444
name: tcp-admin
protocol: TCP
hosts:
- "*"
tls:
mode: SIMPLE # enable https on this port
credentialName: tls-certificate # fetch cert from k8s secret
I also have tried to use
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: opendj-istio-mtls
spec:
host: opendj.{{.Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
credentialName: tls-certificate
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: opendj-receive-tls
spec:
targets:
- name: opendj
peers:
- mtls: {}
For the ldap server but it's not connecting. While trying to use the tls spec in gateway.yaml I am getting this error
Error: admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: server cannot have TLS settings for non HTTPS/TLS ports
And the logs from opendj server
INFO - entrypoint - 2020-06-17 12:49:44,768 - Configuring OpenDJ.
WARNING - entrypoint - 2020-06-17 12:49:48,987 -
Unable to connect to the server at
"oj-opendj-0.opendj.default.svc.cluster.local" on port 4444
WARNING - entrypoint - 2020-06-17 12:49:53,293 -
Unable to connect to the server at
"oj-opendj-0.opendj.default.svc.cluster.local" on port 4444
Can someone please help me out how I should approach this.
To Enable non-https traffic over TLS connections you have to use Protocol TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection. You can check this.
- port:
number: 4444
name: tls
protocol: TLS
hosts:
- "*"
tls:
mode: SIMPLE # enable https on this port
credentialName: tls-certificate # fetch cert from k8s secret
Please check this istio documentation also.

How to tell Traefik 2.1 to use a user-defined wildcard certificate for a router?

I'm trying to get Traefik to use a manually configured wildcard certificate for all routers that have a matching Host rule. I assumed Traefik would try to find a certificate based on the domains used in the Host rule, but it always uses the default generated certificate instead.
traefik.yml
global:
checkNewVersion: false
sendAnonymousUsage: false
log:
level: DEBUG
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
providers:
file:
directory: /etc/traefik/conf
watch: true
dynamic conf:
http:
routers:
test:
rule: "Host(`subdomain.wildcard.domain.tld`)"
entryPoints: ["web"]
service: service-test
middlewares: ["https_redirect"]
test-secure:
rule: "Host(`subdomain.wildcard.domain.tld`)"
entryPoints: ["web-secure"]
service: service-test
tls: {}
services:
service-test:
loadBalancer:
servers:
- url: "http://helloworld"
middlewares:
https_redirect:
redirectScheme:
scheme: https
permanent: true
Traefik is running inside a Docker container, based on the log it can see and use the mounted certificate files:
time="2020-03-04T10:44:13Z" level=debug msg="No store is defined to add the certificate <...>, it will be added to the default store."
time="2020-03-04T10:44:13Z" level=debug msg="Adding certificate for domain(s) wildcard.domain.tld,*.wildcard.domain.tld"
time="2020-03-04T10:44:13Z" level=debug msg="No default certificate, generating one"
However, when doing a curl request, the default certificate is used:
curl -k -v --header "Host: subdomain.wildcard.domain.tld" https://192.168.173.143/
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Mar 4 10:44:13 2020 GMT
* expire date: Mar 4 10:44:13 2021 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
When specifyng the certificate as the default certificate, Traefik does use it, making it more obvious that something is wrong when it tries to match the routers to fitting certificates.
tls:
certificates:
- certFile: /ssl/wildcard.crt
keyFile: /ssl/wildcard.key
stores:
default:
defaultCertificate:
certFile: /ssl/wildcard.crt
keyFile: /ssl/wildcard.key