HTTP router applied before TCP router?

Hello friends,

I have the following observation and I want to double check that I have no misconfiguration. So, "if both TCP and HTTP listen on the same entrypoint, TCP routes are applied before HTTP" (docs).

I run an ejabberd xmpp server. Basically, if I apply only the TCP part (see below), clients connect perfectly via the (non-TLS & TLS) TCP routers. This also works perfectly when I terminate TLS at the router.

However, if I apply the HTTP part (see below), then it seems that the TLS-enabled TCP routers (xmpps-client & xmpps-server) are ignored, because the traffic goes directly to the HTTP router. No connections anymore via the TLS-enabled TCP routers. This applies to both scenarios: TLS passthrough and TLS termination.

Connections via the non-TLS TCP router (xmpp-client) are still possible and work.

All routers use the entrypoint websecure.

```yaml
tcp:
  routers:
    xmpp-client:
      entryPoints:
        - websecure
      service: xmpp-client-ejabberd
      rule: HostSNI(`*`)

    xmpps-client:
      entryPoints:
        - websecure
      service: xmpps-client-ejabberd
      rule: "ALPN(`xmpp-client`) || HostSNI(`example.net`)"
      priority: 200
      tls:
        passthrough: true

    xmpps-server:
      entryPoints:
        - websecure
      service: xmpps-server-ejabberd
      rule: ALPN(`xmpp-server`)
      priority: 199
      tls:
        passthrough: true

  services:
    xmpp-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5222
    xmpps-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5223
    xmpps-server-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5270
```

```yaml
http:
  routers:
    xmpp-http-ejabberd:
      entryPoints:
        - websecure
      middlewares:
        - https-redirectscheme
        - rate-limit
      service: xmpp-http-ejabberd
      rule: "Host(`example.net`) && PathPrefix(`/captcha`, `...`)"
      priority: 190
      tls:
        options: default
        certResolver: dns-cloudflare
        domains:
          - main: example.net

  services:
    xmpp-http-ejabberd:
      loadBalancer:
        servers:
          - url: http://xmpp-ejabberd:5280
        passHostHeader: true
```

Additional observation:
Other TCP routers (also TLS-enabled) are not affected, e.g. this rule is still applied, which only has a different domain in the HostSNI rule:

```yaml
tcp:
  routers:
    eturnal:
      entryPoints:
        - websecure
      service: eturnal
      rule: HostSNI(`turn.example.net`)
      tls:
        passthrough: true

  services:
    eturnal:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: localhost:5349
```