Skip to main content

TLS Options

The TLS options allow you to configure some parameters of the TLS connection in Traefik Hub API Gateway.

Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.

Configuration Example

apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
# Override the default TLS Option
name: default
namespace: traefik
spec:
minVersion: VersionTLS13
curvePreferences:
- CurveP521
- CurveP384
clientAuth:
# the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
secretNames:
- secretCA
clientAuthType: RequireAndVerifyClientCert

Configuration Options

FieldDescriptionDefaultRequired
nameName of the TLSOption resource. Using default redefines the default TLSOption.True
minVersionMinimum TLS version that is acceptable."VersionTLS12"False
maxVersionMaximum TLS version that is acceptable.
We do not recommend setting this option to disable TLS 1.3.
False
cipherSuitesList of supported cipher suites for TLS versions up to TLS 1.2.
[Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.](https://tools.ietf.org/html/rfc8446
With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
False
curvePreferencesList of the elliptic curves references that will be used in an ECDHE handshake, in preference order.
Use curves names from crypto or the RFC.
See CurveID for more information.
False
clientAuth.secretNamesClient Authentication (mTLS) option.
List of names of the referenced Kubernetes Secrets (in TLSOption namespace).
The secret must contain a certificate under either a tls.ca or a ca.crt key.
False
clientAuth.clientAuthTypeClient Authentication (mTLS) option.
Client authentication type to apply. Available values here.
False
sniStrictAllow rejecting connections from clients connections that do not specify a server_name extension.
The default certificate is never served is the option is enabled.
falseFalse
alpnProtocolsList of supported application level protocols for the TLS handshake, in order of preference.
If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol.
"h2, http/1.1, acme-tls/1"False

clientAuth.clientAuthType

The clientAuth.clientAuthType option governs the behaviour as follows:

  • NoClientCert: disregards any client certificate.
  • RequestClientCert: asks for a certificate but proceeds anyway if none is provided.
  • RequireAnyClientCert: requires a certificate but does not verify if it is signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames.
  • VerifyClientCertIfGiven: if a certificate is provided, verifies if it is signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames. Otherwise proceeds without any certificate.
  • RequireAndVerifyClientCert: requires a certificate, which must be signed by a CA listed in clientAuth.caFiles or in clientAuth.secretNames.

Default TLS Option

The default option is special.

When no TLS options are specified in an Ingress or IngressRoute, the default option is used. The default behavior is summed up in the table below:

ConfigurationBehavior
No default TLS OptionDefault internal set of TLS Options by default
One default TLS OptionCustom TLS Options applied by default
Many default TLS OptionError log + Default internal set of TLS Options by default