Sorry for the double post (https://stackoverflow.com/questions/72783893/cant-get-https-working-with-azure-front-door-aks-and-traefik) but I'm trying to find someone who can help me with an issue I'm facing.
I'm trying to setup Azure Front Door Premium in front of an AKS cluster with Traefik 2.5.3 as an ingress controller.
This is the relevant configuration in AFD:
I've got the following IngressRoutes and Certificate setup in AKS:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-domain-web
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`my-domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-domain
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`my-domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: my-domain-com-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-com-cert
spec:
  commonName: my-domain.com
  secretName: my-domain-com-cert
  dnsNames:
    - my-domain.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
Requesting over HTTP works:
> curl http://my-domain.com
Hostname: whoami-84d974bbd6-ff77m
IP: 127.0.0.1
IP: ::1
IP: 10.9.0.56
IP: fe80::4467:5bff:fee0:731b
RemoteAddr: 10.9.1.106:58076
GET / HTTP/1.1
Host: my-domain.com
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
Via: 1.1 Azure
X-Azure-Clientip: <redacted>
X-Azure-Fdid: <redacted>
X-Azure-Ref: <redacted>
X-Azure-Requestchain: hops=1
X-Azure-Socketip: <redacted>
X-Forwarded-For: 10.9.0.4
X-Forwarded-Host: my-domain.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-6f49dccb4b-kv5c7
X-Real-Ip: 10.9.0.4
But requesting over HTTPS doesn't work:
> curl https://my-domain.com
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta content='text/html; charset=utf-8' http-equiv='content-type'/><style type='text/css'>body {font-family:Arial; margin-left:40px; }img { border:0 none; }#content { margin-left: auto; margin-right: auto }#message h2 { font-size: 20px; font-weight: normal; color: #000000; margin: 34px 0px 0px 0px }#message p { font-size: 13px; color: #000000; margin: 7px 0px 0px0px}#errorref { font-size: 11px; color: #737373; margin-top: 41px }</style><title>Service unavailable</title></head><body><div id='content'><div id='message'><h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p></div><div id='errorref'><span>0ksK6YgAAAADgd38yzqpIQasLDS0yNDFmYTUxODMyMjk=</span></div></div></body></html>%
In the Traefik logs I can see the following:
time="2022-06-28T09:05:22Z" level=debug msg="Serving default certificate for request: \"\""
time="2022-06-28T09:05:22Z" level=debug msg="http: TLS handshake error from 10.9.0.4:20734: EOF"
Here are the diagnostic logs from Azure Front Door:
I can't really figure out what the issue is... Could it be that the host header isn't propagated correctly so that Traefik doesn't know how to route it? I have enabled access logs in Traefik, but they don't log anything (I guess the request never reaches that far).
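The two Traefik debug lines quoted above are the only hard evidence in the post: Traefik logs the SNI server name it received in the quotes, and an empty value means the origin connection from Front Door asked for no host at all, so the default certificate was served and the peer dropped the handshake. As an added triage example (not code from the post, Traefik or Azure), the script below parses Traefik's logfmt output, pairs each "Serving default certificate" line with the handshake error that follows it from the same window, and reports the SNI and error per peer; the sample lines are constructed from the ones quoted above plus a contrasting pair.

```python
import re
from datetime import datetime

# Traefik writes logfmt-style lines (key=value, values optionally quoted);
# a quoted msg may itself contain backslash-escaped quotes, as the SNI does.
LOGFMT_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Traefik logs the SNI server name it received inside the quotes; "" means none.
DEFAULT_CERT = re.compile(r'Serving default certificate for request: "(.*)"')
HANDSHAKE_ERR = re.compile(r'TLS handshake error from (\S+):(\d+): (.*)')

# Constructed sample: the two lines quoted in the post plus a contrasting pair.
SAMPLE = [
    'time="2022-06-28T09:05:22Z" level=debug msg="Serving default certificate for request: \\"\\""',
    'time="2022-06-28T09:05:22Z" level=debug msg="http: TLS handshake error from 10.9.0.4:20734: EOF"',
    'time="2022-06-28T09:05:30Z" level=debug msg="Serving default certificate for request: \\"other.example\\""',
    'time="2022-06-28T09:05:30Z" level=debug msg="http: TLS handshake error from 10.9.0.4:20800: remote error: tls: bad certificate"',
]

def parse_line(line):
    """Split one logfmt line into a dict, removing quotes and unescaping them."""
    fields = {}
    for key, raw in LOGFMT_FIELD.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def triage(lines, window_seconds=2):
    """Pair each default-certificate serve with the handshake failure that follows it.

    Returns one finding per pair: the peer that connected, the SNI it sent
    ('<empty>' when it sent none) and the error Traefik saw on that handshake.
    """
    findings, pending = [], None
    for line in lines:
        f = parse_line(line)
        if 'time' not in f or 'msg' not in f:
            continue
        ts = datetime.strptime(f['time'], '%Y-%m-%dT%H:%M:%SZ')
        m = DEFAULT_CERT.search(f['msg'])
        if m:
            pending = (ts, m.group(1))
            continue
        m = HANDSHAKE_ERR.search(f['msg'])
        if m and pending and (ts - pending[0]).total_seconds() <= window_seconds:
            findings.append({'peer': m.group(1), 'sni': pending[1] or '<empty>', 'error': m.group(3)})
            pending = None
    return findings

if __name__ == '__main__':
    for hit in triage(SAMPLE):
        print(f"peer {hit['peer']} sent SNI {hit['sni']!r}, got the default certificate, handshake ended with: {hit['error']}")
```

Run it against `kubectl logs` of the Traefik pod with `--log.level=DEBUG` enabled: an `<empty>` SNI paired with `EOF` from the Front Door backend address points at the origin not being asked for the configured host name rather than at the IngressRoute itself.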