traefik backend tls

running TLS to the backend with traefik


traefik backend tls

running TLS to the backend with traefik

TLS to the backend

Situation: you have traefik as your reverse proxy / API gateway, traefik terminates TLS for client connections, but you also want TLS for the traefik-backend part.

tldr: possible securely with static backends, insecurely with dynamic (eg k8s)


When setting the scheme to https for backend services, traefik uses TLS for connecting directly to the IP address without ServerName in the ClientHello. This causes issues since your certificate now needs to be signed for the IP address (ephemeral on kubernetes) instead of a stable domain name (any of $service, $service.$namespace, $service.$namespace.svc, $service.$namespace.svc.cluster.local would have been fine).

This appears unlikely to be fully fixed soon, partial fix in v2.4.


Using internal Certificate Authority, generate CA cert+key (ex using mkcert). Inject CA cert into traefik container and run traefik with static config:

2  rootCAs:
3    - /etc/internal-ca/ca.crt

Generate backend cert+key signed by CA key for the IP address and run server with it. Ex with Cert Manager:

 2kind: Certificate
 4  name: http-server-internal
 6  secretName: http-server-internal
 7  duration: 2160h
 8  renewBefore: 360h
 9  ipAddresses:
10    # testing only
11    # guessing whick IP the pod will have
12    - ""
13    - ""
14    - ""
15    - ""
16    - ""
17    - ""
18    - ""
19  issuerRef:
20    name: internal-ca
21    kind: ClusterIssuer

Setup and IngressRoute to point traefik to the service

 2kind: IngressRoute
 4  name: http-server
 6  entryPoints:
 7    - https
 8  routes:
 9    - kind: Rule
10      match: Host(``)
11      services:
12        - kind: Service
13          name: http-server
14          port: 443
15          scheme: https
16  tls: {}