What I expect to see
I have configured an entrypoint to use a minimum TLS version of 1.2. I expect Traefik to discard any request that uses a TLS version lower than 1.2.
What did you see instead?
I see that I can connect to the URL while using HTTP/1.1.
curl -i --tlsv1.1 https://****************/ --http1.1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Content-Length: 1479
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Sep 2020 15:43:02 GMT
Etag: W/"5c7-173c8d0d0f8"
Last-Modified: Fri, 07 Aug 2020 12:06:35 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Output of traefik version:
Version: v1.7.26
Codename: maroilles
Go version: go1.14.6
Built: 2020-07-28_03:45:27PM
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml, provider, platform, ...)?
We are running Traefik on Kubernetes, and the cloud provider is AWS. Here is the Traefik deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "20"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"traefik","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"traefik"}},"template":{"metadata":{"labels":{"app":"traefik"}},"spec":{"containers":[{"args":["--api","--kubernetes","--entryPoints=Name:http Address::80","--entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key","--defaultentrypoints=http,https"],"image":"docker.cognigy.com:5000/traefik:1.7.24-alpine","name":"traefik","ports":[{"containerPort":80,"name":"http"},{"containerPort":443,"name":"https"}],"resources":{"limits":{"cpu":"2000m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"70Mi"}},"volumeMounts":[{"mountPath":"/var/run/secrets/","name":"traefik"}]}],"imagePullSecrets":[{"name":"cognigy-registry-token-prod"}],"volumes":[{"name":"traefik","secret":{"items":[{"key":"tls.crt","path":"traefik.cert"},{"key":"tls.key","path":"traefik.key"}],"secretName":"cognigy-traefik"}}]}}}}
  creationTimestamp: "2020-07-27T07:47:51Z"
  generation: 20
  name: traefik
  namespace: default
  resourceVersion: "18706325"
  selfLink: /apis/apps/v1/namespaces/default/deployments/traefik
  uid: f800da16-ed0f-4181-a749-9e1e48cf17a2
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: traefik
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: traefik
    spec:
      containers:
      - args:
        - --api
        - --kubernetes
        - --entryPoints=Name:http Address::80
        - --entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key
        - --entryPoints=TLS.MinVersion:VersionTLS12
        - --entryPoints=TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - --defaultentrypoints=http,https
        - --metrics.prometheus=true
        - --logLevel=DEBUG
        image: traefik:v1.7.26-alpine
        imagePullPolicy: IfNotPresent
        name: traefik
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        resources:
          limits:
            cpu: "2"
            memory: 200Mi
          requests:
            cpu: 200m
            memory: 70Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/
          name: traefik
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: cognigy-registry-token-prod
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: traefik
        secret:
          defaultMode: 420
          items:
          - key: tls.crt
            path: traefik.cert
          - key: tls.key
            path: traefik.key
          secretName: cognigy-traefik
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2020-09-02T09:54:06Z"
    lastUpdateTime: "2020-09-02T09:54:06Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2020-07-27T08:04:22Z"
    lastUpdateTime: "2020-09-07T14:07:35Z"
    message: ReplicaSet "traefik-7fc6c996" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 20
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
Here you can see that I configured TLS.MinVersion and TLS.CipherSuites, but I can still use a lower TLS version with the HTTP/1.1 protocol.
Debug log
Here is the debug log while I am connecting using TLS 1.1 and HTTP/1.1:
2020-09-08T07:58:45.717003440Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717042622Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://100.96.12.5:8000"
2020-09-08T07:58:45.717053397Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717066067Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.717075621Z time="2020-09-08T07:58:45Z" level=debug msg="Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel."
2020-09-08T07:58:45.802349693Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: Round trip: http://100.96.12.5:8000, code: 200, Length: 1479, duration: 85.16496ms tls:version: 302, tls:resume:false, tls:csuite:c013, tls:server:dev.cognigy.ai"
2020-09-08T07:58:45.802379905Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward/http: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.802392128Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/forward: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"100.96.12.5:8000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
2020-09-08T07:58:45.802402549Z time="2020-09-08T07:58:45Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"dev.cognigy.ai\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"100.96.5.0:35123\",\"RequestURI\":\"/\",\"TLS\":null}"
Did I configure something wrong here?
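The following is an added example, not code from Traefik and not part of the report above. It assumes the CLI form documented for Traefik v1.7, in which each --entryPoints flag is one complete entrypoint definition made of whitespace-separated Key:Value tokens (the docs show `--entryPoints='Name:https Address::443 TLS:... TLS.MinVersion:VersionTLS12 TLS.CipherSuites:...'` as a single value). Under that assumption the two extra flags in the deployment, `--entryPoints=TLS.MinVersion:VersionTLS12` and `--entryPoints=TLS.CipherSuites:...`, are parsed as definitions with no Name: and never attach to the entrypoint called https; in addition, YAML folds the four continuation lines of the cipher list with spaces, and a space-separated value is split into stray tokens. The script lints both the reported args (constructed copy) and a corrected single-flag form, and decodes the oxy round-trip line from the debug log: `tls:version: 302` is 0x0302, TLS 1.1, and `tls:csuite:c013` is 0xC013, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which is not in the configured list. Cipher suite code points are the IANA assignments; the constant names and helper functions are this example's own.

```python
"""Added example (not Traefik code, not from the report): lint Traefik v1.7 --entryPoints
flags and audit oxy round-trip debug lines against a TLS policy. Assumes the v1.7 CLI
form, where each --entryPoints flag is one whole entrypoint definition made of
whitespace-separated Key:Value tokens; cipher suite ids are the IANA assignments."""
import re

TLS_VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
MIN_VERSION_CODES = {"VersionTLS10": 0x0301, "VersionTLS11": 0x0302, "VersionTLS12": 0x0303, "VersionTLS13": 0x0304}
SUITE_CODES = {  # suites named in the report, plus the one the log shows
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": 0xCCA9, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": 0xCCA8,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
}
SUITE_NAMES = {code: name for name, code in SUITE_CODES.items()}
KNOWN_OPTIONS = {"Name", "Address", "TLS", "TLS.MinVersion", "TLS.CipherSuites"}

# Constructed copy of the report's args as YAML folds them (note the spaces after the commas).
REPORTED_ARGS = [
    "--entryPoints=Name:http Address::80",
    "--entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key",
    "--entryPoints=TLS.MinVersion:VersionTLS12",
    "--entryPoints=TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, "
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]
# Corrected form: every option for https sits in the one flag that names https, no spaces in the list.
FIXED_ARGS = [
    "--entryPoints=Name:http Address::80",
    "--entryPoints=Name:https Address::443 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key "
    "TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,"
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]

def parse_entrypoints(args):
    """Map entrypoint name -> {option: value}; flags lacking Name: are pooled under ''."""
    entrypoints = {}
    for arg in args:
        if not arg.startswith("--entryPoints="):
            continue
        options = {}
        for token in arg[len("--entryPoints="):].split():
            key, _, value = token.partition(":")  # "Address::443" -> ("Address", ":443")
            options[key] = value
        name = options.get("Name", "")
        if name:
            entrypoints[name] = options
        else:
            entrypoints.setdefault("", {}).update(options)
    return entrypoints

def lint_tls_policy(args, name="https", min_version="VersionTLS12"):
    """Return findings for the named entrypoint; an empty list means the policy is attached."""
    entrypoints = parse_entrypoints(args)
    findings = []
    for ep_name, options in entrypoints.items():
        stray = sorted(k for k in options if k not in KNOWN_OPTIONS)
        if stray:
            findings.append(f"{ep_name or '<no Name>'}: unrecognized tokens {stray} "
                            "(a value containing spaces is split at the spaces)")
    if "" in entrypoints:
        lost = sorted(k for k in entrypoints[""] if k in KNOWN_OPTIONS)
        findings.append(f"options in flags without Name: attach to no entrypoint: {lost}")
    ep = entrypoints.get(name)
    if ep is None:
        return findings + [f"no entrypoint named {name}"]
    if ep.get("TLS.MinVersion") != min_version:
        findings.append(f"{name}: TLS.MinVersion is {ep.get('TLS.MinVersion')}, want {min_version}")
    suites = [s for s in ep.get("TLS.CipherSuites", "").split(",") if s]
    if not suites or any(s not in SUITE_CODES for s in suites):
        findings.append(f"{name}: TLS.CipherSuites is {suites or 'unset'}; Go defaults apply when unset")
    return findings

# oxy logs the client-facing handshake of each round trip as a hex version and a hex suite id.
ROUND_TRIP_RE = re.compile(r"tls:version: ([0-9a-fA-F]+), tls:resume:\w+, tls:csuite:([0-9a-fA-F]+)")

def audit_round_trip(line, min_version="VersionTLS12", allowed_suites=()):
    """Decode the handshake behind one request; None for lines that are not round-trip lines."""
    match = ROUND_TRIP_RE.search(line)
    if not match:
        return None
    version, suite = int(match.group(1), 16), int(match.group(2), 16)
    version_name = TLS_VERSION_NAMES.get(version, f"0x{version:04x}")
    suite_name = SUITE_NAMES.get(suite, f"0x{suite:04x}")
    violations = []
    if version < MIN_VERSION_CODES[min_version]:
        violations.append(f"negotiated {version_name}, below {min_version}")
    if allowed_suites and suite_name not in allowed_suites:
        violations.append(f"suite {suite_name} is not in the configured list")
    return {"version": version_name, "suite": suite_name, "violations": violations}

SAMPLE_LOG_LINE = (  # constructed copy of the round-trip line from the debug log above
    'level=debug msg="vulcand/oxy/forward/http: Round trip: http://100.96.12.5:8000, '
    "code: 200, Length: 1479, duration: 85.16496ms tls:version: 302, tls:resume:false, "
    'tls:csuite:c013, tls:server:dev.cognigy.ai"')

if __name__ == "__main__":
    for label, args in (("reported", REPORTED_ARGS), ("fixed", FIXED_ARGS)):
        print(label, lint_tls_policy(args) or "TLS policy attached to https")
    configured = parse_entrypoints(FIXED_ARGS)["https"]["TLS.CipherSuites"].split(",")
    print(audit_round_trip(SAMPLE_LOG_LINE, allowed_suites=configured))
```

Two caveats when re-testing after the args are merged into the https flag. Since curl 7.54, `--tlsv1.1` sets a minimum, not a pin, so force the version with `curl --tlsv1.1 --tls-max 1.1 https://host/` (or `openssl s_client -connect host:443 -tls1_1`) and expect a handshake failure rather than a 200; and `--http1.1` only selects the application protocol, so it has no bearing on which TLS version is negotiated. The oxy round-trip line in the debug log is the quickest confirmation: once the policy is attached it should never show `tls:version: 302` or a suite outside the configured list.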