How to do TLS termination and HTTPS on port 443

How can I convert the rules below to Traefik 2.0?
I'm doing DNS-over-TLS / HTTPS on port 443

# HAProxy 2.0 conf

# Port 443 front end: peeks at the TLS ClientHello and picks a backend by SNI
# without terminating TLS here (the SNI hostnames are not shown in the post)
frontend front_end_doh_dot_443
    mode tcp

    bind :::443

    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 1s
    tcp-request content accept if tls

    use_backend dot-uncensor  if { req_ssl_sni -i }
    use_backend doh-front if { req_ssl_sni -i }
    default_backend dot-uncensor

# DNS-over-TLS: terminate TLS, then hand the plain DNS-over-TCP stream to the resolver
frontend dot-in-uncensor
    mode tcp
    bind ssl crt /etc/haproxy/dot-jp.blahdns.pem
    default_backend dot-servers-uncensor

# DNS-over-HTTPS: terminate TLS with HTTP/2 (ALPN h2), only forward /dns-query
frontend doh-in
    mode http
    bind ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
    acl adblock_url path_beg -i /dns-query
    use_backend doh-servers-uncensor if adblock_url

# TCP backends that loop back into the two TLS-terminating front ends above
backend dot-uncensor
    mode tcp
    server dot-uncensor-haproxy-ssl check

backend doh-front
    mode tcp
    server doh-haproxy-ssl check

# Upstream DoH server: strip fingerprintable response headers and add HSTS
backend doh-servers-uncensor
    mode http
    http-response del-header server
    http-response del-header x-powered-by
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
    server doh-proxy-uncensor


Hi @broenccc, as we might not be HAProxy specialists, could you explain the intent of the rules you provided?

By describing the rules in human language instead of a tool-specific syntax, we would be able to help you better :slight_smile:

To get started:

You have an example for MongoDB doing the same kind of SNI-based routing, which you can find here:

Both are TCP on port 443.
I have 2 scenarios:

  1. DNS-over-TLS -> tls://, terminates TLS and sends the query to the backend DNS server @5353
  2. DNS-over-HTTPS -> , passes your JSON data to the upstream server @3000

I want to use SNI to figure out which backend server the request needs to be passed to. In the DNS-over-HTTPS use case, a client request with path /dns-query will be dropped by default. DNS-over-TLS will force SNI too.

A good start:

  • traefik.toml

    # Static configuration. Section headers were dropped by the forum rendering;
    # the entry point name web-secure is the one in the error log, web is assumed.
    [providers.file]
      filename = "./dyn-config.toml"

    [entryPoints.web]
      address = ":80"

    [entryPoints.web-secure]
      address = ":443"

  • dyn-config.toml:

    # Dynamic configuration. Hostnames and upstream addresses are left blank to be
    # filled in; the router name dns-over-https is the one in the error log,
    # dns-over-tls is assumed.

    # DoH: HTTP router matched on the Host header, TLS terminated by Traefik
    [http.routers.dns-over-https]
      rule = "Host(``)"
      service = "dns-over-https-svc"
      [http.routers.dns-over-https.tls]

    # DoT: TCP router matched on SNI; a non-wildcard HostSNI needs a TLS-enabled router
    [tcp.routers.dns-over-tls]
      rule = "HostSNI(``)"
      service = "dns-over-tcp-svc"
      [tcp.routers.dns-over-tls.tls]

    # The HTTP service lives under [http.services] and its servers take url, not address
    [http.services.dns-over-https-svc.loadBalancer]
      [[http.services.dns-over-https-svc.loadBalancer.servers]]
        url = ""      # DoH upstream, e.g. the server on port 3000

    [tcp.services.dns-over-tcp-svc.loadBalancer]
      [[tcp.services.dns-over-tcp-svc.loadBalancer.servers]]
        address = ""  # DNS server, e.g. the one on port 5353

    [[tls.certificates]]
      certFile = "/etc/haproxy/dot-jp.blahdns.cert"
      keyFile = "/etc/haproxy/dot-jp.blahdns.key"

(You can also use YAML if you prefer; please check the doc: for this.)


I got this error

ERRO[2019-08-01T05:37:35Z] the service "dns-over-https-svc@file" does not exist  entryPointName=web-secure routerName=dns-over-https@file


Problem solved and everything works perfectly. Thanks for your help.
Working conf:


Oh, sorry for the typo, I put the HTTPS service under []. But I see that you figured it out :+1: