Comments (3)

f0sh commented on June 6, 2024 1

Hey,

I was about to open another issue relating to #9426, however with a slightly different use case. I will skip opening one, to avoid too many issues on what is actually the main subject.

What did you expect to see?

We are running some applications behind Traefik for general public use. However, these apps often come with an admin interface under e.g. /admin, which we would like to authenticate against using ClientCerts (no restrictions on the ClientIP though). For nginx and apache you can define directories (e.g. with a Location tag) with special options to use BasicAuth or even ClientCertAuth to access these defined paths.
Traefik also allows using a middleware to add BasicAuth to certain paths. However, if you want to use ClientCertAuth, Traefik follows a very different approach by using the tls.options instead of the middleware. IMHO this is not consistent.

Suggestion

I would like to suggest changing the implementation, if possible, to a similar, more unified approach using a middleware to handle the authentication using ClientCerts. I think this way my use case, and the use case of @prokher, @ianhattendorf and others from #9426, would be solved as well, because using the middleware you have more flexibility, and a new HostRule can easily be added with a new router using another middleware without any interference with others.

from traefik.
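The contrast described in the comment above, sketched as a Traefik v2 dynamic configuration (file provider). This is an added example, not configuration from the issue or from the Traefik project; the host name, file paths, backend URL and router/middleware/option names are constructed placeholders.

```yaml
http:
  routers:
    app:                       # public part of the application
      rule: "Host(`app.example.com`)"
      service: app
      tls: {}                  # no options given, so the default TLS options apply
    app-admin:                 # admin interface on the same host
      rule: "Host(`app.example.com`) && PathPrefix(`/admin`)"
      service: app
      middlewares:
        - admin-basicauth      # BasicAuth is a middleware: it runs per request,
                               # after routing, so it can be scoped to a path
      tls:
        options: require-client-cert
        # Client-certificate auth is not a middleware. It is negotiated in the
        # TLS handshake, before the request path is known, and Traefik maps
        # TLS options to the host name taken from the Host rule. Here the same
        # host is matched with two different option sets (default and
        # require-client-cert); Traefik's documentation describes this as a
        # conflict and applies the default options to the host, so this line
        # does not protect /admin on its own.

  middlewares:
    admin-basicauth:
      basicAuth:
        usersFile: /etc/traefik/admin.htpasswd   # placeholder path

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"         # placeholder backend

tls:
  options:
    require-client-cert:
      clientAuth:
        caFiles:
          - /etc/traefik/client-ca.pem           # placeholder CA bundle
        clientAuthType: RequireAndVerifyClientCert
```

When checking a deployment like this, confirm which TLS options a host actually ended up with (Traefik logs the conflict) rather than assuming the per-router setting took effect.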

jspdown commented on June 6, 2024 1

Hey @prokher,

Thanks for reopening the issue.

We are interested in this issue but are unsure about the use case and the traction it will receive, so we are going to leave the status as "kind/proposal" to give the community time to let us know that they would like this.
We will reevaluate as people respond.

from traefik.

prokher commented on June 6, 2024

@f0sh, I love your suggestion of making TLS configuration implemented as middleware. Indeed, it looks more consistent than the tls.options-based approach. Honestly, I expected to have TLS configuration somewhere in the TCP middlewares list, and it took a while to realize that it is implemented differently.

Anyway, I believe, it is up to maintainers to decide how exactly this should be addressed. I can only vote for @f0sh's scenario as well. Protecting selected paths (e.g., /admin) with client certificates is also the case for us.

@jspdown, thank you. I hope this request will find its way to release eventually. Speaking of a workaround, I still haven't found one. It looks like I can spawn two Traefik instances: the first will manage the IP addresses of the internal network (ClientIP), and redirect to the second when a request comes from the internet. The second one will require a client certificate. It seems like a viable workaround, but the appearance of an extra hop does not allow us to call this workaround an elegant one.

😬

from traefik.
