How can you configure Traefik Strict SNI so Traefik drops requests that aren't matched?

[ttilberg]

I've transitioned a handful of apps to Kamal for deployment, and configured LE using moves from the popular thread. Our automated security scanners are now failing us for using self-signed certificates when connecting directly to the servers without SNI. Traefik responds with 404 using a default self-signed certificate if a router doesn't match.

As an example, given a site example.com hosted at 1.2.3.4:

▶ curl -v -k https://1.2.3.4
*   Trying 1.2.3.4:443...
* Connected to 1.2.3.4 (1.2.3.4) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Jan 12 22:13:49 2024 GMT
*  expire date: Jan 11 22:13:49 2025 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
…
> GET / HTTP/2
> Host: 1.2.3.4
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 404

I've found that there's configuration to enable strict SNI checking: but I haven't been able to successfully translate "Traefik" configuration to "Traefik managed by Kamal" configuration.

Kamal uses docker labels for configuration. In the deploy.yaml file, we can pass args to the docker container.
I've tried a handful of configurations related to both args and labels, but have not successfully gotten the above curl request to respond differently.

It seems there are options that are unable to be passed in this manner, though my interpretation of the following is loose, and these issues are old:

• TLS parameters from more dynamic providers and a default path for a no-config setup traefik/traefik#5507
• TLS options: defined through CLI / env var traefik/traefik#6453

It seems that this specific part of the configuration needs to be provided from some sort of File Provider ?
https://tech.aufomm.com/understand-file-provider-in-traefik-2/

https://doc.traefik.io/traefik/providers/file/

Can you help me drop requests in Traefik that don't match a rule from our given routers without adding an additional layer of load balancing in front of the VM?

[nickhammond]

@ttilberg What version of Kamal are you on? Looks like this was changed from a 404 to a 502 in 24a2f51.

Are you seeing this line in your deploy output for the traefik container? "traefik.http.routers.catchall.service" => "unavailable".

[ttilberg]

I can see that my most recent deploy to this service does include that line. However, I am still receiving a 404 against https:// rather than a 502.

Though, I'm not even sure if that would fix the issue I'm having with the vuln scanner, as it is still giving the decency to reply at all (and therefor reply with a self-signed cert). What an annoying scanner rule to appease.

[nickhammond]

Have you tried duplicating the default entry point details but for https? The default is for HTTP only it looks like.

[ttilberg]

Interesting, that makes sense. I'll try some reconfiguring in the next few days. If nothing else, that link to that commit helps reveal a handful of helpful configuration concepts.

[Sija]

@nickhammond Wouldn't be this good default to include in Kamal?

[clintbullock]

I added an example configuration to discussion 112 with strict SNI checking enabled that will return the error below rather than a 404. It's also my understanding that the option required, sniStrict: true, cannot be set with Docker labels. The provided example has an extra /letsencrypt/tls.yml file that must be deployed to the server. That should be the only option that matters for this requirement in the giant config file that I inlcuded in that discussion.

The new curl error:

curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name

All of the relevant config parts:

config/deploy.yml

traefik:
  options:
    volume:
      - "/letsencrypt/tls.yml:/letsencrypt/tls.yml"
  args:
    providers.file.filename: "/letsencrypt/tls.yml"

/letsencrypt/tls.yml

tls:
  options:
      sniStrict: true

[ttilberg]

Thank you, thank you, thank you!