Secure access with TLS Certificates
Configuring TLS Certificates
When configuring TLS in Traefik Hub API Gateway, you need to focus on two main components:
- The routers that handle TLS traffic,
- The TLS certificates that are served.
Routers in Hub API Gateway are responsible for directing incoming requests to the appropriate services. To enable TLS on a router, you specify the TLS configuration within the router’s definition. This setup tells Hub API Gateway that the router should handle requests using the TLS protocol, thus ensuring that the data is encrypted.
Providing TLS certificates is essential for establishing secure connections. Hub API Gateway supports several methods for managing these certificates:
- User-defined certificates - Provided as files or Kubernetes Secrets in the Hub API Gateway dynamic configuration.
- Automated certificates - Hub API Gateway supports the Automated Certificate Management Environment (ACME). ACME allows Hub API Gateway to automatically obtain and renew TLS certificates from Certificate Authorities like Let's Encrypt. This automation simplifies certificate management and ensures that certificates are always up-to-date.
Managing TLS Certificates
Traefik Hub API Gateway stores TLS certificates together.
For each incoming connection, Traefik Hub API Gateway is serving the best matching TLS certificate for the provided Server Name Indication (SNI).
The TLS certificate selection process narrows down the list of TLS certificates matching the server name, and then selects the last TLS certificate in this list after having ordered it by the identifier alphabetically.
While Hub API Gateway is serving the best matching TLS certificate for each incoming connection, the selection process cost for each incoming connection is avoided thanks to a cache mechanism. Once a TLS certificate has been selected as the best TLS certificate for a server name, it is cached for an hour, avoiding the selection process for further connections. Nonetheless, when a new configuration is applied, the cache is reset.
If no TLS certificate can be served, Traefik Hub API Gateway serves a self-signed certificate by default.
Related Content
- See how to secure your API providing TLS certificates to Hub API Gateway.
- See how to secure your API using TLS certificates automatically generated using Let's Encrypt.
- See how to secure your API using mTLS connections.