HostSNI can't connect with DBeaver

Hello guys,

K8s, Traefik 20.8

I have a pgbouncer service as ClusterIP and I would like to connect to it with DBeaver.

I opened port 6432 in my LoadBalancer to proxy connections from it to my pgbouncer port:

entryPoints:
  pgbouncer:
    address: ':6433/tcp'
ports:
  pgbouncer:
    port: 6433 # where my pgbouncer is working
    expose: true
    exposedPort: 6432 # where I want to connect
    protocol: TCP

My IngressRouteTCP config:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: pgbouncer-ingressroute
spec:
  entryPoints:
      - pgbouncer
  routes:
  - match: HostSNI(`pgbouncer.uat.data.yac.rupn.mars-ad.net`)
    services:
    - name: pgbouncer
      port: 6433
  tls:
    passthrough: true

I can see in the dashboard that my router is created and its status is OK, with rule, service, etc.

Also:

Test-NetConnection -ComputerName pgbouncer.uat.data.yac.rupn.mars-ad.net -Port 6432

ComputerName : pgbouncer.uat.data.yac.rupn.mars-ad
RemoteAddress : 10.240.132.99
RemotePort : 6432
InterfaceAlias : Ethernet 2
SourceAddress : 10.192.84.164
TcpTestSucceeded : True

nslookup passed okay for pgbouncer.uat.data.yac.rupn.mars-ad with the IP that I need.

nmap passed okay for pgbouncer.uat.data.yac.rupn.mars-ad with port 6432 in open status.

But when I try to connect with DBeaver (host pgbouncer.uat.data.yac.rupn.mars-ad.net, port 6432) I receive "Read timed out". I have been stuck on this for 1 week already and can't understand what the problem could be.

P.S. I put pgbouncer.uat.data.yac.rupn.mars-ad because I can't post more than 4 links in a post.

I think I am missing something important but idk what.

Thanks a lot in advance!

Last time I checked (a while ago now, just now) the postgres wire protocol does not complete a TLS handshake so HostSNI will not work.

In fact an SSLRequest is sent and the server will send an N or S in response.

To continue after S, perform an SSL startup handshake (not described here, part of the SSL specification) with the server


If no TLS is used, you can only use HostSNI(`*`), which usually means you have to use a dedicated port per target service.


Yeap, I changed to '*' and took out tls: passthrough: true and now everything is working fine, thanks a lot for the help :)

Yeap, thanks a lot, I fixed it :)