Hosting a HTTP-App on a custom TCP-Port with TLS

Hello there,

I have traefik (v2.6.1) running in a Kubernetescluster (EKS). In front of the cluster sits an NLB forwarding all traffic as plain tcp to traefik.
This works like a charm for normal http/s-traffic on port 80/443
So, I have a few ingresses, traefik handles tls and the apps behind those ingresses are reachable.

Now comes my challenge.
I have some other apps, which speak http too, but on a custom port. Traefik should handle tls for these apps too.
How would I do that?

I was under the impression that I would do that with dedicated entrypoints and the ingressroutetcp CRD.

So I added the needed entrypoints to traefik via helm:

    redirectTo: websecure
      enabled: true
    port: 10000
    expose: true
    exposedPort: 10000
    protocol: TCP

And setup a ingressroutetcp crd:

kind: IngressRouteTCP
  name: ingressroutetcpfoo
  namespace: test
    - tcp10000
  - match: HostSNI(``)
    - name: test
      port: 10000
    passthrough: false
      - main:
    secretName: test-secret

This is all accepted by traefik, but if I try to connect to my app (e.g. doing a simple curl), I get an error like this:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

If I try to use http, I get a "400 Bad Request" error, which at least tells me, I hit traefik with my request.
Note: non of my requests is visible on the logs (debug and accesslogs enabled).

What do I do wrong here?
Could I do this by using a standard Ingress and just setting the entrypoint as I just use http/s but on a different port?

Any help is very much appreciated.

I fixed it.
The problem was that the NLB sent the proxy_protocol and Traefik did not interpret that on the tcp-entrypoint.