Error while handling TCP connection

Hi all,
I placed the following labels on a container that is part of the traefik network, so that traefik works transparently without using its TLS, but I get the following error, which keeps repeating in the traefik logs. What did I do wrong?

Labels:

    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"  # Use HostSNI to match any SNI
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"  # Use your desired entry point, 'websecure' may be your secure HTTPS entry point
      - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"  # Replace 8080 with the appropriate port on which your service listens

Error:

{"level":"debug","msg":"Handling TCP connection from 10.100.139.2:55841 to 172.21.0.5:8080","time":"2023-08-09T15:35:30Z"}
{"level":"debug","msg":"Handling TCP connection from 10.100.139.2:55842 to 172.21.0.5:8080","time":"2023-08-09T15:35:30Z"}
{"level":"error","msg":"Error while handling TCP connection: readfrom tcp 172.21.0.4:57758-\u003e172.21.0.5:8080: read tcp 172.21.0.4:443-\u003e10.100.139.2:55842: read: connection reset by peer","time":"2023-08-09T15:35:30Z"}

thanks

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Hi @bluepuma77, as anticipated in previous posts, traefik is configured to be reached by pfsense on port 80 and then turn the request over to the various applications, always on port 80.
But this is the only application where pfsense reaches traefik on port 443, and traefik has to forward the request as is to the application without applying its TLS, as it is the only application that uses its own TLS.

Thanks

Traefik conf:

docker-compose.yml:

version: '3.9'
services:
  traefik:
    image: traefik:v2.10
    container_name: Traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      # - 8080:8080  # Optional port for the Traefik admin dashboard. Do not use in production!
    volumes:
      - /data/docker/appdata/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/logs/traefik:/var/log/traefik
    networks:
      - Proxy
networks:
  Proxy:
    external: true

traefik.yml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: DEBUG

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  format: json
  filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
accesslog:
  format: json  # common, json, logfmt
  filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: false # Don't do this in production!
# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    #http:
    #  redirections:
    #    entryPoint:
    #      to: websecure
    #      scheme: https

  websecure:
    address: :443
  mysql:
    address: :3306
# Configure your CertificateResolver here...
# ---
#certificatesResolvers:
#  staging:
#    acme:
#      email: webmaster@company.it
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web
#  production:
#    acme:
#      email: webmaster@company.it
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web

# (Optional) Overwrite Default Certificates
#tls:
#  stores:
#    default:
#      defaultCertificate:
#        certFile: /etc/traefik/certs/cert.pem
#        keyFile: /etc/traefik/certs/cert-key.pem
#        #caFile: /etc/traefik/certs/ca.pem
#  certificates:
#    - certFile: /etc/traefik/certs/cert.pem
#      keyFile: /etc/traefik/certs/cert-key.pem
#      #caFile: /etc/traefik/certs/ca.pem
# (Optional) Disable TLS version 1.0 and 1.1
#  options:
#    default:
#      minVersion: VersionTLS12
#    mintls13:
#      minVersion: VersionTLS13

providers:
  docker:
    exposedByDefault: false
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true


# Dynamic Configuration
http:
  routers:
    dashboard:
      rule: Host(`rproxy.company.it`) #&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      #tls: {}

      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        usersFile: "/etc/traefik/.htpasswd"

App docker-compose.yml:

version: '3.9'
services:
  mailhog:
    restart: always
    container_name: Fleet_Mailhog
    image: mailhog/mailhog:latest
    ports:
      - "8025:8025"
      - "1025:1025"
    networks:
      - Proxy

  redis:
    restart: always
    container_name: Fleet_Redis
    image: redis:5
    ports:
      - "6379:6379"
    networks:
      - Proxy

  fleetdm:
    restart: always
    container_name: Fleet
    image: fleetdm/fleet:v4.34.1
    volumes:
      - /data/docker/appdata/fleet:/fleet
      - /data/docker/logs/fleet:/var/log/fleet
    # POSIX sh does not know the bash-only "&>" redirection, so redirect stdout and stderr explicitly
    command: sh -c "echo '\n' | /usr/bin/fleet prepare db && /usr/bin/fleet serve > /var/log/fleet/audit.log 2>&1"
    environment:
      FLEET_MYSQL_ADDRESS: 172.21.0.2:3306
      FLEET_MYSQL_DATABASE: fleet
      FLEET_MYSQL_USERNAME: app
      FLEET_MYSQL_PASSWORD: ****************
      FLEET_REDIS_ADDRESS: redis:6379
      FLEET_SERVER_CERT: /fleet/itl-cslapp-54.local.crt
      FLEET_SERVER_KEY: /fleet/itl-cslapp-54.local.key
      FLEET_LOGGING_JSON: "true"
      FLEET_AUTH_JWT_KEY:
      FLEET_ACTIVITY_ENABLE_AUDIT_LOG: "true"
      #FLEET_FILESYSTEM_ENABLE_LOG_ROTATION: "true"
      FLEET_ACTIVITY_AUDIT_LOG_PLUGIN: filesystem
      #FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION: "true"
      FLEET_FILESYSTEM_AUDIT_LOG_FILE: /var/log/fleet/audit.log
      FLEET_OSQUERY_STATUS_LOG_PLUGIN: filesystem
      FLEET_FILESYSTEM_STATUS_LOG_FILE: /var/log/fleet/osqueryd.status.log
      FLEET_OSQUERY_RESULT_LOG_PLUGIN: filesystem
      FLEET_FILESYSTEM_RESULT_LOG_FILE: /var/log/fleet/osqueryd.results.log
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"  # Use HostSNI to match any SNI
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"  # Use your desired entry point, 'websecure' may be your secure HTTPS entry point
      - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"  # Replace 8080 with the appropriate port on which your service listens
    networks:
      - Proxy

networks:
  Proxy:
    external: true

needs to go into a separate file, loaded via provider.file in the static config.

Thanks @bluepuma77, so how should it be?

You need two files, one static traefik.yml and one dynamic traefik-dynamic.yml, which is loaded in traefik.yml using provider.file. (Doc)

Place the part of your configuration with # Dynamic Configuration in the dynamic config file.

So to be done like this?

tcp:
  routers:
    my-tcp-router:
      rule: "HostSNI(`*`)"  # Match any SNI (Server Name Indication)
      service: my-tcp-service

  services:
    my-tcp-service:
      loadBalancer:
        servers:
          - address: "your_target_service_address:port"

Add the entrypoint to the router, which is dedicated only for this TCP connection on a separate port.

See simple Traefik TCP example.
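The two-file layout bluepuma77 describes, written out as an added example (this is neither the original poster's configuration nor bluepuma77's): the static traefik.yml gains an entrypoint used only by the Fleet TCP router and loads a single dynamic file by name; the dynamic file holds the HTTP dashboard router from the thread plus the TCP router with its entrypoint. The entrypoint name `fleet-tls`, its port 8443 and the file name traefik-dynamic.yml are assumptions; `fleetdm:8080` is the compose service name and port already used in the thread.

```yaml
# /etc/traefik/traefik.yml  (static configuration, added example)
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  # Assumed name and port: an entrypoint that carries nothing but the Fleet
  # TCP router, so the HostSNI(`*`) catch-all cannot swallow other traffic.
  # pfSense would forward the Fleet traffic to this port instead of 443.
  fleet-tls:
    address: ":8443"

providers:
  docker:
    exposedByDefault: false
  file:
    # Load one named dynamic file (assumed name). With `directory: /etc/traefik`
    # the provider would also pick up this static traefik.yml as a dynamic file.
    filename: /etc/traefik/traefik-dynamic.yml
    watch: true

---
# /etc/traefik/traefik-dynamic.yml  (dynamic configuration, added example)
http:
  routers:
    dashboard:
      rule: Host(`rproxy.company.it`)
      service: api@internal
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        usersFile: /etc/traefik/.htpasswd

tcp:
  routers:
    fleetdm:
      entryPoints:
        - fleet-tls
      # No `tls` section: Traefik does not terminate TLS on this router; the
      # raw bytes, including Fleet's own TLS handshake, are forwarded unchanged.
      rule: HostSNI(`*`)
      service: fleetdm
  services:
    fleetdm:
      loadBalancer:
        servers:
          - address: "fleetdm:8080"  # compose service name on the shared Proxy network
```

Once the router lives in the dynamic file, remove the three `traefik.*` labels from the Fleet container so the router is defined in one place only.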