My Traefik runs on Docker; it is used as my container service proxy.
There are two types of HTTP service running on backend containers:
A: a normal nginx container which serves local HTTP services
B: several nginx containers running a TCP stream proxy, which proxy remote HTTPS services (like github etc.)
There are two Traefik endpoints, at ports 80 and 443.
What we expect is that both the local HTTP service and the proxied HTTP service through the TCP SNI proxy can run normally.
What did you see instead?
When I disable HTTP/3, all jobs work fine, as I expected. Both service A and service B are routed correctly.
But when I enable HTTP/3, only type A services work fine, and HTTP/3 also works correctly.
All traffic to type B services returns 404 directly.
For example, visiting https://www.bbb.com returns 404.
What version of Traefik are you using?
Version: 3.0.3
Codename: beaufort
Go version: go1.22.4
Built: 2024-06-18T14:31:20Z
OS/Arch: linux/amd64
What is your environment & configuration?
Here is a segment of my Traefik config:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.reuseport=true"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.websecure.reuseport=true"
- "--entrypoints.websecure.asdefault=true"
- "--entrypoints.websecure.http.encodequerysemicolons=true"
- "--entrypoints.websecure.http3=true"
- "--entrypoints.websecure.http3.advertisedport=443"
- "--entrypoints.websecure.forwardedheaders.insecure=true"
.....
Here is a segment of my type A service config:
labels:
  traefik.enable: "true"
  traefik.http.routers.fakesite.entrypoints: "websecure"
  traefik.http.routers.fakesite.rule: 'HostRegexp(`(?i)^img(1|2|3)?\.aaa\.net$`)'
  traefik.http.routers.fakesite.service: "fakesite"
  traefik.http.services.fakesite.loadbalancer.server.port: 80
  traefik.http.routers.fakesite.tls: "true"
  traefik.http.routers.fakesite.tls.certresolver: "le"
...
Here is a segment of my type B service config:
labels:
  traefik.enable: "true"
  traefik.tcp.routers.cfproxy.entrypoints: "websecure"
  traefik.tcp.routers.cfproxy.rule: 'HostSNIRegexp(`(?i)^((.+\.)?bbb.com|(.+\.)?github\.com)$`)'
  traefik.tcp.routers.cfproxy.service: "cfproxy"
  traefik.tcp.services.cfproxy.loadbalancer.server.port: 4432
  traefik.tcp.routers.cfproxy.tls: "true"
  traefik.tcp.routers.cfproxy.tls.passthrough: "true"
......
If applicable, please paste the log output in DEBUG level
172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET / HTTP/3.0" 404 19 "-" "-" 1 "-" "-" 0ms
172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET /favicon.ico HTTP/3.0" 404 19 "-" "-" 2 "-" "-" 0ms
Question
Is it because HTTP/3 runs on UDP, and UDP does not implement HostSNIRegexp?
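
An added example, not part of the original post: a parser for the access-log lines quoted above, assuming Traefik's default common log format, in which the two quoted fields after the request counter are the router name and the backend server URL. It separates requests that arrived over HTTP/3 and matched no HTTP router (router field `-`) from requests that were routed; the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# Assumed layout (Traefik "common" access-log format):
# client - user [ts] "method path proto" status size "referer" "agent" count "router" "server" Nms
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<count>\d+) '
    r'"(?P<router>[^"]*)" "(?P<server>[^"]*)" (?P<ms>\d+)ms$'
)

# First two lines are quoted from the post; the third is constructed.
SAMPLE = [
    '172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET / HTTP/3.0" 404 19 "-" "-" 1 "-" "-" 0ms',
    '172.19.0.1 - - [29/Jun/2024:10:20:47 +0000] "GET /favicon.ico HTTP/3.0" 404 19 "-" "-" 2 "-" "-" 0ms',
    '172.19.0.1 - - [29/Jun/2024:10:21:03 +0000] "GET / HTTP/2.0" 200 612 "-" "-" 3 "fakesite@docker" "http://172.19.0.5:80" 4ms',
]

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Label a record by transport (HTTP/3 vs TCP-based HTTP) and by whether a router matched."""
    over_quic = rec["proto"].startswith("HTTP/3")
    unrouted = rec["router"] == "-"   # "-" means no HTTP router handled the request
    if over_quic and unrouted:
        return "h3-unrouted"
    if over_quic:
        return "h3-routed"
    return "tcp-unrouted" if unrouted else "tcp-routed"

def summarize(lines):
    """Count log lines per class; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts[classify(rec) if rec else "unparsed"] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Both lines from the post fall in `h3-unrouted`: they reached Traefik as HTTP/3 requests and no HTTP router claimed them.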