ALPN Passthrough (2 tiered Traefik)

mancubus77 · August 15, 2024, 11:40am

I want to use Traefik-v2 as TCP Proxy pointing to another Traefik-v2 configured HTTP mode with LetsEncrypt, but it's too smart and block ALPN.
Setup:

All looks good, but when ACME sends H1 response, TCP Proxy blocks it with

time="2024-08-15T06:39:40Z" level=debug msg="TLS: no certificate for TLSALPN challenge: <FQDN>"
time="2024-08-15T06:39:46Z" level=debug msg="TLS: no certificate for TLSALPN challenge: <FQDN>"

Can anyone please advise, if it's possible to pass ALPN challenges in the TCP mode?

mancubus77 · August 15, 2024, 11:41am

There reason why I'm using this setup - there is complicated chain of tunnels between server A and B, so I want to land all traffic to server01 and route it further.

mancubus77 · August 15, 2024, 11:46am

Looks like it's should be resolved after this will be merged

github.com/traefik/traefik

Allow ACME TLS challenge passthrough when no TLS resolvers

traefik:v2.11 ← rtribotte:tls-challenge-passthrough

opened 02:42PM - 06 Aug 24 UTC

rtribotte

+75 -21

### What does this PR do? This PR makes Traefik to preempt TLS-01 ALPN connections only when TLS resolvers are configured. This allows user not relying on Traefik for TLS challenges to handle them with backends. ### Motivation Fixes #10684 ### More - [x] Added/updated tests - [ ] Added/updated documentation ### Additional Notes

Topic		Replies	Views
Acme , dns challange behind a proxy Traefik v1 letsencrypt-acme	0	441	November 24, 2019
RequireAndVerifyClientCert and ACME TLS-ALPN-01 Traefik v2 letsencrypt-acme	3	387	September 18, 2022
Run traefik behind traefik reverse proxy Traefik v2 docker , letsencrypt-acme , tcp	4	8501	October 17, 2023
Traefik intercepts TLS challenge in nested architecture (with TLS passthrough) Traefik v3 (latest) letsencrypt-acme	5	345	July 11, 2024
Traefik with FTPS Traefik v2 file , letsencrypt-acme , tcp	12	374	September 6, 2024

ALPN Passthrough (2 tiered Traefik)

Related topics