I have traefik (v2.6.1) running in a Kubernetes cluster (EKS). In front of the cluster sits an NLB forwarding all traffic as plain TCP to traefik.
This works like a charm for normal http/s-traffic on port 80/443.
So, I have a few ingresses, traefik handles tls and the apps behind those ingresses are reachable.
Now comes my challenge.
I have some other apps, which speak http too, but on a custom port. Traefik should handle tls for these apps too.
How would I do that?
I was under the impression that I would do that with dedicated entrypoints and the ingressroutetcp CRD.
So I added the needed entrypoints to traefik via helm:
```yaml
ports:
  web:
    redirectTo: websecure
  websecure:
    tls:
      enabled: true
  tcp10000:
    port: 10000
    expose: true
    exposedPort: 10000
    protocol: TCP
```
And set up an ingressroutetcp CRD:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo
  namespace: test
spec:
  entryPoints:
    - tcp10000
  routes:
    - match: HostSNI(`test.example.com`)
      services:
        - name: test
          port: 10000
  tls:
    passthrough: false
    domains:
      - main: test.example.com
    secretName: test-secret
```
This is all accepted by traefik, but if I try to connect to my app (e.g. doing a simple curl), I get an error like this:
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
If I try to use http, I get a "400 Bad Request" error, which at least tells me I hit traefik with my request.
Note: none of my requests is visible in the logs (debug and accesslogs enabled).
What am I doing wrong here?
Could I do this by using a standard Ingress and just setting the entrypoint as I just use http/s but on a different port?
Any help is very much appreciated.
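
Added example, not part of the original post: OpenSSL reports `wrong version number` when the first five bytes of a reply do not parse as a TLS record header, which is what a client sees when a port it expects to speak TLS answers in plaintext. This Python sketch reads a reply the way a TLS client does; the sample byte strings are constructed, the function names are hypothetical, and it makes no claim about which component answered in the setup above.

```python
import struct

# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Constructed sample replies (not captured from the poster's cluster)
SAMPLE_TLS = bytes.fromhex("160303007a") + b"\x02\x00\x00\x76"  # ServerHello start
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def parse_record_header(data: bytes):
    """Read 5 bytes as a TLS client does: content type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    return struct.unpack("!BHH", data[:5])


def classify_reply(data: bytes):
    """Return (kind, detail) for the first bytes received from a server."""
    if not data:
        return "empty", "peer closed the connection without sending anything"
    if len(data) < 5:
        return "unknown", "reply too short to classify"
    ctype, version, length = parse_record_header(data)
    if ctype in CONTENT_TYPES and 0x0300 <= version <= 0x0304:
        return "tls", f"{CONTENT_TYPES[ctype]} record, {length} byte payload"
    if data.startswith(b"HTTP/"):
        # 'H' is read as the content type and 'TT' as the version field
        return "plaintext-http", f"client would see record version 0x{version:04x}"
    return "unknown", "neither a TLS record nor an HTTP response"


if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(name, classify_reply(sample))
```

Feeding it the first bytes captured from the custom port (for example from a packet capture of the curl attempt) tells you whether that entrypoint answered with a TLS record or with plain HTTP.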