HTTP/3 does not work as expected on TCP backend service

My Traefik runs on Docker and is used as my container service proxy.
There are two types of HTTP service running on backend containers:

A: a normal nginx container which serves local HTTP services
B: several nginx containers running a TCP stream proxy, which proxy remote HTTPS services (like GitHub etc.)

There are two Traefik endpoints, at ports 80 and 443.

What we expect is that both the local HTTP services and the HTTP services proxied through the TCP SNI proxy can run normally.

What did you see instead?

When I disable HTTP/3, all jobs work fine, as I expected. Both service A and service B are routed correctly.

But when I enable HTTP/3,

only type A services work fine, and HTTP/3 also works correctly.

All traffic to type B services returns 404 directly.
For example, visiting https://www.bbb.com returns 404.

What version of Traefik are you using?

Version:      3.0.3
Codename:     beaufort
Go version:   go1.22.4
Built:        2024-06-18T14:31:20Z
OS/Arch:      linux/amd64

What is your environment & configuration?

Here is a segment of my Traefik config:

      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.reuseport=true"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.reuseport=true"
      - "--entrypoints.websecure.asdefault=true"
      - "--entrypoints.websecure.http.encodequerysemicolons=true"
      - "--entrypoints.websecure.http3=true"
      - "--entrypoints.websecure.http3.advertisedport=443"
      - "--entrypoints.websecure.forwardedheaders.insecure=true"
      .....

Here is my type A service config segment:

    labels:
      traefik.enable: "true"
      traefik.http.routers.fakesite.entrypoints: "websecure"
      traefik.http.routers.fakesite.rule: 'HostRegexp(`(?i)^img(1|2|3)?\.aaa\.net$`)'
      traefik.http.routers.fakesite.service: "fakesite"
      traefik.http.services.fakesite.loadbalancer.server.port: 80
      traefik.http.routers.fakesite.tls: "true"
      traefik.http.routers.fakesite.tls.certresolver: "le"
      ...

Here is my type B service config segment:

    labels:
      traefik.enable: "true"
      traefik.tcp.routers.cfproxy.entrypoints: "websecure"
      traefik.tcp.routers.cfproxy.rule: 'HostSNIRegexp(`(?i)^((.+\.)?bbb.com|(.+\.)?github\.com)$`)'
      traefik.tcp.routers.cfproxy.service: "cfproxy"
      traefik.tcp.services.cfproxy.loadbalancer.server.port: 4432
      traefik.tcp.routers.cfproxy.tls: "true"
      traefik.tcp.routers.cfproxy.tls.passthrough: "true"
      ......

If applicable, please paste the log output in DEBUG level

172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET / HTTP/3.0" 404 19 "-" "-" 1 "-" "-" 0ms
172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET /favicon.ico HTTP/3.0" 404 19 "-" "-" 2 "-" "-" 0ms

Question

Is it because HTTP/3 runs on UDP, and UDP does not implement HostSNIRegexp?