Traefik 3.0 With SPIFFE, Tailscale, and HTTP/3
We're continuing our in-depth series on Traefik 3.0. If you missed it, be sure to read the previous articles on migrating from Traefik v2, WASM support with Coraza WAF, and Open Telemetry. Today, we'll be exploring state of the art technologies added to Traefik: SPIFFE, Tailscale, HTTP/3.
SPIFFE
Deploying dozens or hundreds of applications in production, in a distributed environment, comes with many challenges. One of them is network security, i.e. how to ensure application A is authorized to request application B? One of the historical solutions is to protect private networks with security controls like firewalls and VPNs. But many companies have adapted their security architectures to revolve around a concept known as Zero Trust networking, based on the paradigm that even private networks are untrusted. This means that applications need to authenticate themselves with other services.
In an effort to address this problem, the community created SPIFFE, the Secure Production Identity Framework For Everyone Project, which defines a framework and set of standards for identifying and securing communications between applications. The runtime counterpart, SPIRE, is a toolchain of APIs for establishing trust between applications.
Thanks to Julien Levesy, Traefik now supports SPIFFE mTLS with its backend servers! Here is a quick overview of the setup. First of all, you need to enable it in the static configuration:
## Static configuration
spiffe:
workloadAPIAddr: localhost
The workloadAPIAddr configuration defines the address of the SPIFFE Workload API.
Now that SPIFFE is enabled globally, you need to configure your routes, at the ServersTransport level, for example, using SPIFFE trust domain (which makes Traefik allow any SpiffeID that comes from the given trust domain):
## Dynamic configuration
http:
serversTransports:
mytransport:
spiffe:
trustDomain: spiffe://trust-domain
Traefik is now able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends 🎉. Yes, it’s as simple as that!
Tailscale
Tailscale is a zero-config VPN for building secure networks. If you are not familiar with this technology yet, I strongly recommend you to have a look, it is probably the simplest and most convenient way to set up servers in a VPN network. If you need to protect websites within a Tailscale network, Traefik can now request TLS certificates from the Tailscale API.
This new feature allows you to access HTTPS-enabled services on your tailnet behind Traefik Proxy without the hassle of managing certificates or exposing an endpoint for TLS challenges from Let’s Encrypt. Instead, Tailscale handles your certificate lifecycle, automatically renewing your Let’s Encrypt certificate, and then hands over to Traefik to handle the TLS secured requests.
Let’s see how to enable this feature. To obtain a TLS certificate from Tailscale, a Tailscale certificate resolver needs to be configured in the dynamic configuration:
certificatesResolvers:
myresolver:
tailscale: {}
Now all you have to do is reference myresolver from any router or entrypoint that is part of your tailnet. Here is an example using Docker labels:
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- traefik.http.routers.blog.tls.certresolver=myresolver
Here is another example in a Kubernetes ingress resource:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
kind: Rule
services:
- name: blog
port: 8080
tls:
certResolver: myresolver
Your apps are now able to access other apps securely within your tailnet, using Tailscale TLS certificates. Pretty straightforward right?
HTTP/3
HTTP is the backbone of the Internet. Since HTTP/2 was approved in 2015, significant progress has been made toward the next milestone: HTTP/3. This new version is a major shift, as it no longer relies on the traditional TCP, but instead uses UDP, leveraging QUIC—a transport protocol developed by Google in 2012. HTTP/3 offers numerous benefits, such as improved performance, faster connection establishment, and simpler encryption. Now, HTTP/3 is out of the experimental stage and fully production-ready in Traefik!
Let’s enable HTTP/3 on an entrypoint:
entryPoints:
foo:
http3: {}
Keep in mind that, as HTTP/3 actually uses UDP, when traefik is configured with a TCP entryPoint on port N with HTTP/3 enabled, the underlying HTTP/3 server that is started automatically listens on UDP port N too. As a consequence, it means port N cannot be used by another UDP entryPoint. Since HTTP/3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP/3.
Wrapping Up
Simplicity and outstanding user experience has always been at the core of Traefik. Those new features packed in v3 follow strictly this principle. How straightforward it is to add Tailscale TLS certificates support, how elementary Traefik can be set up to retrieve SPIFFE x509-SVIDs, and how effortless you can migrate to the latest major revision of the Hypertext Transfer Protocol HTTP/3, all those added capabilities are great examples of the main core value of Traefik: keep it simple, yet state of the art.
The Traefik community has been instrumental in implementing those key features. We can't praise the outstanding work of Traefik contributors enough ❤️
Stay tuned for more deep dives on Traefik 3.0 key features!
To learn more about v3, watch the recording of our recent Traefik v3 Online Meetup.
Useful Links
