Practice of radical TLS security configuration based on Traefik
2022-04-22 15:18:00 【East wind whistling】
Preface
Traefik[1] is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
Traefik integrates with many existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically.
Today, using Traefik on K8S, we walk through how to configure TLS in a 「radical」 (aggressive) way.
Basic environment information
1. A K8S cluster;
2. Domain name: ewhisper.cn (DNS is managed at DNSPod and points to the public address of the LoadBalancer of the Traefik Ingress in the K8S cluster);
3. A certificate for *.ewhisper.cn managed automatically by cert-manager, used as Traefik's default certificate; cert-manager lives in the cert-manager namespace;
4. Traefik 2.4.8 installed in the kube-system namespace of the K8S cluster and configured via CRDs.
「Radical」 TLS configuration
Site-wide trusted certificate + HTTPS, specifically:
1. Site-wide HTTPS on port 443;
2. The certificate comes from Let's Encrypt (requested automatically by cert-manager) (radical, use with care in production!);
3. Listen for HTTP requests and redirect them to HTTPS (radical, use with care in production!);
4. Enable HSTS (radical, use with care in production!);
5. Restrict the TLS version to TLS 1.3 (radical, use with care in production!).
Configuration practice
Restrict the TLS version to TLS 1.3
Using Traefik's CRD TLSOption[2], the configuration is as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kube-system
spec:
  minVersion: VersionTLS13
```
Explanation:
• minVersion: VersionTLS13 sets the minimum TLS version to TLS 1.3.
⚠️ Note: to be safe, keep namespace: kube-system consistent with the namespace Traefik is deployed in.
Certificate
Using Traefik's CRD TLSStore[3], the configuration is as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: cert-manager
spec:
  defaultCertificate:
    secretName: ewhisper-crt-secret
```
Explanation:
• secretName: ewhisper-crt-secret is the Secret in which cert-manager stores the certificate it automatically requested from Let's Encrypt (cert-manager also renews the certificate automatically on a regular basis). Traefik uses this certificate as its default certificate.
⚠️ Note: for TLSStore, namespace: cert-manager must be the namespace in which the certificate Secret lives.
The next two features:
1. HTTP redirect to HTTPS
2. Enable HSTS
are both configured through the Traefik CRD Middleware[4].
HTTP redirect to HTTPS
The Traefik CRD Middleware redirectshttps is configured as follows:
```yaml
# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectshttps
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true
```
Explanation:
• redirectScheme: scheme redirection.
• scheme: https: redirect HTTP requests to HTTPS.
• permanent: true: set to true to use a permanent redirect.
Enable HSTS
The Traefik CRD Middleware hsts-header is configured as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hsts-header
  namespace: kube-system
spec:
  headers:
    customResponseHeaders:
      Strict-Transport-Security: 'max-age=63072000'
```
• customResponseHeaders: header names and values to add to the response.
• Strict-Transport-Security: 'max-age=63072000': the 「HTTP Strict Transport Security」 response header. A browser that receives it will, for the next 63072000 s (about 2 years), go to https automatically whenever it visits the site, even if the user types http. (HSTS is a browser-side jump; the earlier 「HTTP redirect to HTTPS」 is a server-side jump.)
Configuration for a specific domain
All the configurations above, namely:
1. Restrict the TLS version to TLS 1.3
2. Certificate
3. HTTP redirect to HTTPS
4. Enable HSTS
are global. Next we configure a specific domain, here example.ewhisper.cn.
Using Traefik's CRD IngressRoute[5], the configuration is as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example
  namespace: cert-manager
spec:
  entryPoints:
    - websecure
    - web
  routes:
    - match: Host(`example.ewhisper.cn`)
      kind: Rule
      middlewares:
        - name: hsts-header
          namespace: kube-system
        - name: redirectshttps
          namespace: kube-system
      services:
        - name: example
          namespace: default
          port: 8080
  tls: {}
```
Explanation:
• entryPoints: EntryPoints are the network entry points into Traefik. They define the port that receives packets and whether to listen on TCP or UDP, as shown in the figure below:
(Figure: entryPoints)
Here the entryPoints are static configuration, set directly as arguments in the Traefik Deployment, as in the picture below:
(Figure: Traefik Deployment args)
• entryPoint traefik: address/port ::9000/tcp
• entryPoint web: address/port ::8000/tcp
• entryPoint websecure: address/port ::8443/tcp, with tls set to true
• Then, through a Service of type LoadBalancer, ports 80 and 443 are exposed to the public network (the traefik entryPoint is not exposed through the SVC, so it cannot be reached even with an IngressRoute), as follows:
(Figure: Traefik LoadBalancer SVC)
• websecure means example.ewhisper.cn is reachable via https://example.ewhisper.cn:443;
• web means example.ewhisper.cn is reachable via http://example.ewhisper.cn:80;
• kind: Rule: a Rule is a set of matchers configured with values (the match) that determines whether a particular request meets a particular condition. If the rule is validated, the Route becomes active, calls the middlewares, and then forwards the request to the service.
• match: Host(`example.ewhisper.cn`): checks whether the request's domain name (the Host header value) targets one of the given domains (here example.ewhisper.cn).
• middlewares: middlewares attached to a Route are a means of tweaking the request before it is sent to your service (or the service's answer before it is sent to the client). Traefik ships several middlewares: some modify the request or its headers, some handle redirects, some add authentication, and so on. Middlewares that use the same protocol can be combined into chains to fit every scenario. The role of middlewares is shown in the figure below:
(Figure: middlewares)
• name: hsts-header: enable the HSTS middleware (reusable)
• name: redirectshttps: enable the HTTP-to-HTTPS redirect middleware (reusable)
• services: forward to port 8080 of the example Service in the K8S default namespace.
• tls: {}: the tls configuration is empty, so the default TLSStore certificate is used.
Applying the configuration
Assuming the above configurations are placed in the ./traefik-sec directory, run the following command to apply them:
```bash
kubectl apply -f ./traefik-sec
```
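Before running kubectl apply, it is worth checking the manifests against the two namespace warnings above and the intended security posture (TLS 1.3 only, HSTS present, no plain-HTTP route without the redirect). The following linter is an added example, not code from the article or from Traefik; it encodes the article's manifests as Python dicts via a small constructed obj() helper instead of loading YAML, and the one-year HSTS max-age threshold is an assumed policy, not something the article states.

```python
import re
TRAEFIK_NS = "kube-system"        # namespace Traefik is deployed in (from the article)
MIN_HSTS_AGE = 365 * 24 * 3600    # assumed policy: HSTS max-age of at least one year

def obj(kind, name, ns, spec):    # constructed manifest in the shape kubectl would load
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, "spec": spec}

ARTICLE = [  # the article's manifests, reduced to the fields the linter reads
    obj("TLSOption", "default", "kube-system", {"minVersion": "VersionTLS13"}),
    obj("TLSStore", "default", "cert-manager", {"defaultCertificate": {"secretName": "ewhisper-crt-secret"}}),
    obj("Middleware", "redirectshttps", "kube-system", {"redirectScheme": {"scheme": "https", "permanent": True}}),
    obj("Middleware", "hsts-header", "kube-system",
        {"headers": {"customResponseHeaders": {"Strict-Transport-Security": "max-age=63072000"}}}),
    obj("IngressRoute", "example", "cert-manager", {"entryPoints": ["websecure", "web"], "tls": {}, "routes": [
        {"match": "Host(`example.ewhisper.cn`)", "middlewares": [
            {"name": "hsts-header", "namespace": "kube-system"}, {"name": "redirectshttps", "namespace": "kube-system"}]}]}),
]
SECRETS = {("ewhisper-crt-secret", "cert-manager")}  # (name, namespace) of TLS Secrets that exist

def lint(manifests, secrets, traefik_ns=TRAEFIK_NS):
    """Return a list of findings; an empty list means the set follows the article's rules."""
    out, idx = [], {(m["kind"], m["metadata"]["name"], m["metadata"]["namespace"]): m["spec"] for m in manifests}
    for (kind, name, ns), spec in idx.items():
        if kind == "TLSOption":
            if spec.get("minVersion") != "VersionTLS13":
                out.append(f"TLSOption {ns}/{name}: minVersion is not VersionTLS13")
            if name == "default" and ns != traefik_ns:   # the article's first warning
                out.append(f"TLSOption default must live in {traefik_ns}, found {ns}")
        elif kind == "TLSStore":                         # the article's second warning
            sec = spec["defaultCertificate"]["secretName"]
            if (sec, ns) not in secrets:
                out.append(f"TLSStore {ns}/{name}: Secret {sec} is not in namespace {ns}")
        elif kind == "IngressRoute":
            if "tls" not in spec:
                out.append(f"IngressRoute {ns}/{name}: no tls section, so TLS is never terminated")
            for r in spec["routes"]:
                refs = [(mw["name"], mw.get("namespace", ns)) for mw in r.get("middlewares", [])]
                mws = [idx.get(("Middleware",) + ref) for ref in refs]
                out += [f"IngressRoute {ns}/{name}: middleware {ref[1]}/{ref[0]} not found"
                        for ref, mw in zip(refs, mws) if mw is None]
                redirect = any(mw and mw.get("redirectScheme", {}).get("scheme") == "https" for mw in mws)
                if "web" in spec["entryPoints"] and not redirect:   # plain HTTP would be served as-is
                    out.append(f"IngressRoute {ns}/{name}: web entrypoint is served without HTTPS redirect")
                hsts = " ".join(mw.get("headers", {}).get("customResponseHeaders", {})
                                .get("Strict-Transport-Security", "") for mw in mws if mw)
                ages = [int(a) for a in re.findall(r"max-age=(\d+)", hsts)]
                if max(ages, default=0) < MIN_HSTS_AGE:
                    out.append(f"IngressRoute {ns}/{name}: HSTS missing or max-age below {MIN_HSTS_AGE}s")
    return out
```

lint(ARTICLE, SECRETS) returns an empty list for the manifests as written; moving the TLSStore out of cert-manager, lowering minVersion, or removing redirectshttps from a route that also listens on web each produce a finding.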
Verification
Browser access
Visiting http://example.ewhisper.cn directly in the browser redirects to https://example.ewhisper.cn, and the certificate is in effect.
(Figure: HTTP redirect to HTTPS in effect)
Verification via SSL Labs
Verified with SSL Labs' SSL Server Test[6]. The results are as follows:
(Figure: overall rating A)
The score is A, and HSTS is enabled.
(Figure: certificate information)
The certificate is a valid certificate for *.ewhisper.cn.
(Figure: TLS protocols)
The TLS protocol only supports TLS 1.3.
Reference material
• Use cert-manager to issue free certificates for your dnspod domain | by roc[7]
• Traefik official documentation[8]
• Traefik 2.3.x complete guide (updated edition) | by Yangming
• Mozilla SSL Configuration Generator[9]
References
[1] Traefik: https://traefik.io/
[2] TLSOption: https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-tlsoption
[3] TLSStore: https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-tlsstore
[4] Middleware: https://doc.traefik.io/traefik/middlewares/overview/
[5] IngressRoute: https://doc.traefik.io/traefik/providers/kubernetes-crd/
[6] SSL Labs' SSL Server Test: https://www.ssllabs.com/ssltest/
[7] Use cert-manager to issue free certificates for your dnspod domain | by roc: https://imroc.cc/k8s/trick/cert-manager-webhook-dnspod/
[8] Traefik official documentation: https://doc.traefik.io/traefik/
[9] Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/
Copyright notice
This article was written by [East wind whistling]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204221510571612.html