205hlab-mirrors/traefik
2
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2026-06-17 19:09:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Remove hidden files in documentation

Browse Source
This commit is contained in:
Michel Loiseleur
2026-03-25 16:40:07 +01:00
committed by GitHub
parent 3c74d627d5
commit f5eb6c9de5
129 changed files with 231 additions and 38553 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/content/https/acme.md
-1214
View File
File diff suppressed because it is too large Load Diff
docs/content/https/ocsp.md
-71
View File
@@ -1,71 +0,0 @@
---
title: "Traefik OCSP Documentation"
description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
---
# OCSP
Check certificate status and perform OCSP stapling.
{: .subtitle }
## Overview
### OCSP Stapling
When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
including the default certificate, and staples the OCSP response to the TLS handshake.
The OCSP check is performed when the certificate is loaded,
and once every hour until it is successful at the halfway point before the update date.
### Caching
Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
When a certificate is no longer provided,
the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
The OCSP response is cached in memory and is not persisted between Traefik restarts.
## Configuration
### General
Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
It can be defined by using a file (YAML or TOML) or CLI arguments:
```yaml tab="File (YAML)"
## Static configuration
ocsp: {}
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
```
```bash tab="CLI"
## Static configuration
--ocsp=true
```
### Responder Overrides
The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
This is useful when you want to use a different OCSP responder.
```yaml tab="File (YAML)"
## Static configuration
ocsp:
responderOverrides:
foo: bar
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
[ocsp.responderOverrides]
foo = "bar"
```
```bash tab="CLI"
## Static configuration
-ocsp.responderoverrides.foo=bar
```
docs/content/https/overview.md
-23
View File
@@ -1,23 +0,0 @@
---
title: "Traefik Proxy HTTPS & TLS Overview |Traefik Docs"
description: "Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection. Read the documentation to learn more."
---
# HTTPS & TLS
Overview
{: .subtitle }
Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration:
routers, and the TLS connection (and its underlying certificates).
When a router has to handle HTTPS traffic,
it should be specified with a `tls` field of the router definition.
See the TLS section of the [routers documentation](../routing/routers/index.md#tls).
The next sections of this documentation explain how to configure the TLS connection itself.
That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/https/spiffe.md
-56
View File
@@ -1,56 +0,0 @@
---
title: "Traefik SPIFFE Documentation"
description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
---
# SPIFFE
Secure the backend connection with SPIFFE.
{: .subtitle }
[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone),
provides a secure identity in the form of a specially crafted X.509 certificate,
to every workload in an environment.
Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
## Configuration
### General
Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
It can be defined by using a file (YAML or TOML) or CLI arguments.
### Workload API
The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
!!! info "Enabling SPIFFE in ServersTransports"
Enabling SPIFFE does not imply that backend connections are going to use it automatically.
Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
that is meant to be secured with SPIFFE,
must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
!!! warning "SPIFFE can cause Traefik to stall"
When using SPIFFE,
Traefik will wait for the first SVID to be delivered before starting.
If Traefik is hanging when waiting on SPIFFE SVID delivery,
please double check that it is correctly registered as workload in your SPIFFE infrastructure.
```yaml tab="File (YAML)"
## Static configuration
spiffe:
workloadAPIAddr: localhost
```
```toml tab="File (TOML)"
## Static configuration
[spiffe]
workloadAPIAddr: localhost
```
```bash tab="CLI"
## Static configuration
--spiffe.workloadAPIAddr=localhost
```
docs/content/https/tailscale.md
-207
View File
@@ -1,207 +0,0 @@
---
title: "Traefik Tailscale Documentation"
description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
---
# Tailscale
Provision TLS certificates for your internal Tailscale services.
{: .subtitle }
To protect a service with TLS, a certificate from a public Certificate Authority is needed.
In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
## Certificate resolvers
To obtain a TLS certificate from the Tailscale daemon,
a Tailscale certificate resolver needs to be configured as below.
!!! info "Referencing a certificate resolver"
Defining a certificate resolver does not imply that routers are going to use it automatically.
Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
tailscale: {}
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.tailscale]
```
```bash tab="CLI"
--certificatesresolvers.myresolver.tailscale=true
```
## Domain Definition
A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
in the [router's rule](../routing/routers/index.md#rule).
!!! info "Tailscale Domain Format"
The domain is only taken into account if it is a Tailscale-specific one,
i.e. of the form `machine-name.domains-alias.ts.net`.
## Configuration Example
!!! example "Enabling Tailscale certificate resolution"
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
myresolver:
tailscale: {}
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.tailscale]
```
```bash tab="CLI"
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
# ...
--certificatesresolvers.myresolver.tailscale=true
```
!!! example "Domain from Router's Rule Example"
```yaml tab="Docker & Swarm"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- traefik.http.routers.blog.tls.certresolver=myresolver
```
```yaml tab="Docker (Swarm)"
## Dynamic configuration
deploy:
labels:
- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- traefik.http.routers.blog.tls.certresolver=myresolver
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
kind: Rule
services:
- name: blog
port: 8080
tls:
certResolver: myresolver
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
routers:
blog:
rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
tls:
certResolver: myresolver
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
[http.routers.blog.tls]
certResolver = "myresolver"
```
!!! example "Domain from Router's tls.domain Example"
```yaml tab="Docker & Swarm"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Path(`/metrics`)
- traefik.http.routers.blog.tls.certresolver=myresolver
- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
```
```yaml tab="Docker (Swarm)"
## Dynamic configuration
deploy:
labels:
- traefik.http.routers.blog.rule=Path(`/metrics`)
- traefik.http.routers.blog.tls.certresolver=myresolver
- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: Path(`/metrics`)
kind: Rule
services:
- name: blog
port: 8080
tls:
certResolver: myresolver
domains:
- main: monitoring.yak-bebop.ts.net
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
routers:
blog:
rule: "Path(`/metrics`)"
tls:
certResolver: myresolver
domains:
- main: "monitoring.yak-bebop.ts.net"
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Path(`/metrics`)"
[http.routers.blog.tls]
certResolver = "myresolver"
[[http.routers.blog.tls.domains]]
main = "monitoring.yak-bebop.ts.net"
```
## Automatic Renewals
Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
docs/content/https/tls.md
-590
View File
@@ -1,590 +0,0 @@
---
title: "Traefik TLS Documentation"
description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
---
# TLS
Transport Layer Security
{: .subtitle }
## Certificates Definition
### Automated
See the [Let's Encrypt](./acme.md) page.
### User defined
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "Restriction"
In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
It is the only available method to configure the certificates (as well as the options and the stores).
However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
## Certificates Stores
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
stores:
default: {}
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
```
!!! important "Restriction"
Any store definition other than the default one (named `default`) will be ignored,
and there is therefore only one globally available TLS store.
In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
stores:
- default
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
stores = ["default"]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "Restriction"
The `stores` list will actually be ignored and automatically set to `["default"]`.
### Default Certificate
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
This default certificate should be defined in a TLS store:
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: default-certificate
---
apiVersion: v1
kind: Secret
metadata:
name: default-certificate
namespace: default
type: Opaque
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
If no `defaultCertificate` is provided, Traefik will use the generated one.
### ACME Default Certificate
You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
The configuration to resolve the default certificate should be defined in a TLS store:
!!! important "Precedence with the `defaultGeneratedCert` option"
The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
stores:
default:
defaultGeneratedCert:
resolver: myresolver
domain:
main: example.org
sans:
- foo.example.org
- bar.example.org
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default.defaultGeneratedCert]
resolver = "myresolver"
[tls.stores.default.defaultGeneratedCert.domain]
main = "example.org"
sans = ["foo.example.org", "bar.example.org"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultGeneratedCert:
resolver: myresolver
domain:
main: example.org
sans:
- foo.example.org
- bar.example.org
```
```yaml tab="Docker & Swarm"
## Dynamic configuration
labels:
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
```
## TLS Options
The TLS options allow one to configure some parameters of the TLS connection.
!!! important "'default' TLS Option"
The `default` option is special.
When no tls options are specified in a tls router, the `default` option is used.
When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.
Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
you must specify the provider namespace, for example:
`traefik.http.routers.myrouter.tls.options=myoptions@file`
!!! important "TLSOption in Kubernetes"
When using the [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
if not explicitly overwritten, should apply to all ingresses.
To achieve that, you'll have to create a TLSOption resource with the name `default`.
There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.
To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
you'll have to add an annotation to the Ingress in the following form:
`traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
### Minimum TLS Version
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
minVersion: VersionTLS12
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: mintls13
namespace: default
spec:
minVersion: VersionTLS13
```
### Maximum TLS Version
We discourage the use of this setting to disable TLS1.3.
The recommended approach is to update the clients to support TLS1.3.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
maxVersion: VersionTLS13
maxtls12:
maxVersion: VersionTLS12
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
maxVersion = "VersionTLS13"
[tls.options.maxtls12]
maxVersion = "VersionTLS12"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
maxVersion: VersionTLS13
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: maxtls12
namespace: default
spec:
maxVersion: VersionTLS12
```
### Cipher Suites
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
!!! important "TLS 1.3"
Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)
With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
<https://golang.org/doc/go1.12#tls_1_3>
### Curve Preferences
This option allows to set the enabled elliptic curves for key exchange.
The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
curvePreferences:
- CurveP521
- CurveP384
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
curvePreferences = ["CurveP521", "CurveP384"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
curvePreferences:
- CurveP521
- CurveP384
```
### Strict SNI Checking
With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension
or don't match any of the configured certificates.
The default certificate is irrelevant on that matter.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
sniStrict: true
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
sniStrict = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
sniStrict: true
```
### ALPN Protocols
_Optional, Default="h2, http/1.1, acme-tls/1"_
This option allows to specify the list of supported application level protocols for the TLS handshake,
in order of preference.
If the client supports ALPN, the selected protocol will be one from this list,
and the connection will fail if there is no mutually supported protocol.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
alpnProtocols:
- http/1.1
- h2
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
alpnProtocols = ["http/1.1", "h2"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
alpnProtocols:
- http/1.1
- h2
```
### Client Authentication (mTLS)
Traefik supports mutual authentication, through the `clientAuth` section.
For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) for more details.
The `clientAuth.clientAuthType` option governs the behaviour as follows:
- `NoClientCert`: disregards any client certificate.
- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
clientAuth:
# in PEM format. each file can contain multiple CAs.
caFiles:
- tests/clientca1.crt
- tests/clientca2.crt
clientAuthType: RequireAndVerifyClientCert
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
clientAuth:
# the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
secretNames:
- secretCA
clientAuthType: RequireAndVerifyClientCert
```
### Disable Session Tickets
_Optional, Default="false"_
When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
disableSessionTickets: true
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
disableSessionTickets = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
disableSessionTickets: true
```
{% include-markdown "includes/traefik-for-business-applications.md" %}