Comments (3)
Hey,
I was about to open another issue relating to #9426, however with a slightly different use case. I will skip opening one, to avoid too many issues on what is actually the main subject.
What did you expect to see?
We are running some applications behind Traefik for general public use. However, these apps often come with an admin interface under e.g. `/admin`, which we like to authenticate against using ClientCerts (no restrictions on the ClientIP though). For nginx and apache you can define directories with (e.g. `Location` tag) special options to use BasicAuth or even ClientCertAuth to access these defined paths.
Traefik also allows using a middleware to add BasicAuth to certain paths. However, if you want to use ClientCertAuth, Traefik follows a very different approach by using the `tls.options` instead of the middleware. IMHO this is not consistent.
Suggestion
I would like to suggest changing the implementation, if possible, to a similar, more unified approach using a middleware to handle the authentication using ClientCerts. I think this way my use case, and the use case of @prokher, @ianhattendorf and others from #9426, would be solved as well, because using the middleware you have more flexibility and a new HostRule can easily be added with a new router using another middleware without any interference with others.
from traefik.
Hey @prokher,
Thanks for reopening the issue.
We are interested in this issue but are unsure about the use case and the traction it will receive, so we are going to leave the status as "kind/proposal" to give the community time to let us know that they would like this.
We will reevaluate as people respond.
from traefik.
@f0sh, I love your suggestion of making TLS configuration implemented as middleware. Indeed, it looks more consistent than the `tls.options`-based approach. Honestly, I expected to have TLS configuration somewhere in the TCP middlewares list, and it took a while to realize that it is implemented differently.
Anyway, I believe it is up to the maintainers to decide how exactly this should be addressed. I can only vote for @f0sh's scenario as well. Protecting selected paths (e.g., `/admin`) with client certificates is also the case for us.
@jspdown, thank you. I hope this request will find its way to release eventually. Speaking of a workaround, I still haven't found one. It looks like I can spawn two Traefik instances: the first will manage the IP addresses of the internal network (`ClientIP`), and redirect to the second when a request comes from the internet. The second one will require a client certificate. It seems like a viable workaround, but the appearance of an extra hop does not allow us to call this workaround an elegant one.
😬
from traefik.
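The per-path check the thread asks for, sketched outside Traefik as an added example (not Traefik's code and not posted by anyone in the thread): a plain Go `net/http` server asks for a client certificate without requiring one, and a middleware enforces it only under `/admin`. The names `serverTLS`, `requireClientCert` and `statusFor` are hypothetical, and the requests are constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// serverTLS requests a client certificate without demanding one, so public
// paths still work; a certificate that is sent must chain to clientCAs.
func serverTLS(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
}

// requireClientCert (hypothetical middleware) returns 403 under prefix unless
// the handshake produced a verified chain. PeerCertificates alone is not proof.
func requireClientCert(prefix string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean("/" + r.URL.Path) // normalise "/public/../admin"
		protected := p == prefix || strings.HasPrefix(p, prefix+"/")
		if protected && (r.TLS == nil || len(r.TLS.VerifiedChains) == 0) {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one constructed request through the middleware. verified
// simulates a handshake in which the client certificate was validated.
func statusFor(target string, verified bool) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.TLS = &tls.ConnectionState{}
	if verified {
		req.TLS.VerifiedChains = [][]*x509.Certificate{{{}}}
	}
	rec := httptest.NewRecorder()
	requireClientCert("/admin", app).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, t := range []string{"/", "/admin", "/public/../admin/users", "/administrator"} {
		fmt.Printf("%-24s no cert: %d  verified cert: %d\n", t, statusFor(t, false), statusFor(t, true))
	}
	_ = serverTLS(x509.NewCertPool())
}
```

The check reads `VerifiedChains` rather than `PeerCertificates` because only the former is populated after the certificate has been validated against `ClientCAs`.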