Enforce mTLS on private-admin Traefik routes

2026-04-13 12:05:43 +10:00
parent 0ddbb7d7ad
commit 24047b0eaa
15 changed files with 200 additions and 0 deletions
@@ -0,0 +1,38 @@
+# Private-admin mTLS for Traefik
+
+`private-admin` routers are configured to require client certificates via the Traefik TLS option `mtls-private-admin@file`.
+
+## Certificate paths
+
+- Trusted client CA bundle expected by Traefik:
+  - `core/traefik/certs/ca/clients-ca.crt`
+- CA private key (keep secret, never commit):
+  - `core/traefik/certs/ca/clients-ca.key`
+- Issued client certs:
+  - `core/traefik/certs/clients/<client-name>/`
+
+## Bootstrap
+
+From repository root:
+
+```bash
+./core/traefik/scripts/init-mtls-ca.sh
+./core/traefik/scripts/issue-mtls-client-cert.sh admin-laptop
+```
+
+The second command exports a PKCS#12 bundle (`.p12`) for browser import and also leaves PEM `.crt`/`.key` artifacts for CLI usage.
+
+## Revocation workflow
+
+Because Traefik is configured with `clientAuth.caFiles`, revoked cert serials are not enforced by default.
+
+- Use `./core/traefik/scripts/revoke-mtls-client-cert.sh <client-name>` to quarantine a client cert bundle.
+- For strict revocation, rotate the CA (`init-mtls-ca.sh` after removing old CA) and re-issue all trusted client certs.
+
+## Deploy
+
+After CA/certs are in place, restart Traefik to ensure updated files are loaded:
+
+```bash
+docker compose -f core/traefik/docker-compose.yml up -d traefik
+```