Conditional ACME on demand generation #505
Labels
Comments
|
If you don't have front-end matching, traefik already doesn't generate any certificate. |
|
That's not the behavior I was seeing. What's the connection behavior expected in that case? Connection drop? |
|
Another issue I've been thinking about but haven't been able to test yet is when the frontend matches, but the backend doesn't. If you have something like {job}.cloud.mydomain.tld that is using Kubernetes, but there is no {job}. This is actually the problem I'm trying to solve. I'm not 100% I understand how the traefik learns backends from the various sources, so if it's totally insane let me know. |
|
Ouch, due to an update on gorilla/mux gorilla/mux@c329c7d |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi,
I'm trying to use traefik in a setting where I have a wildcard domain. This is the current behavior:
Client requests https://www.mydomain - www is generated via ACME and www is routed to the correct backend
Client requests https://dummy.mydomain - dummy is generated via ACME and then 404 is sent back as there is no frontend matching this.
What I would like to avoid is that a certificate is generated in step 2. The current behavior makes a DoS attack quite easy as one can just send a handful of Host commands to drain the ACME quota.
I suggest a configuration option that will simply either just close the connection, or maybe present a default certificate in this case.
The text was updated successfully, but these errors were encountered: