I have the following observation and I want to double check that I have no misconfiguration. So, "if both TCP and HTTP listen on the same entrypoint, TCP routes are applied before HTTP" (docs).
I run an ejabberd xmpp server. Basically, if I apply only the TCP part (see below), clients connect perfectly via the (non-TLS & TLS) TCP routers. This also works perfectly when I terminate TLS at the router.
However, if I apply the HTTP part (see below), then it seems that the TLS-enabled TCP routers (xmpps-server) are ignored, because the traffic goes directly to the HTTP router. No connections anymore via the TLS-enabled TCP routers. This applies to both scenarios: TLS passthrough and TLS termination.
Connections via the non-TLS TCP router (xmpp-client) are still possible and work.
All routers use the entrypoint
```yaml
tcp:
  routers:
    xmpp-client:
      entryPoints:
        - websecure
      service: xmpp-client-ejabberd
      rule: HostSNI(`*`)
    xmpps-client:
      entryPoints:
        - websecure
      service: xmpps-client-ejabberd
      rule: "ALPN(`xmpp-client`) || HostSNI(`example.net`)"
      priority: 200
      tls:
        passthrough: true
    xmpps-server:
      entryPoints:
        - websecure
      service: xmpps-server-ejabberd
      rule: ALPN(`xmpp-server`)
      priority: 199
      tls:
        passthrough: true
  services:
    xmpp-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5222
    xmpps-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5223
    xmpps-server-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5270
```
```yaml
http:
  routers:
    xmpp-http-ejabberd:
      entryPoints:
        - websecure
      middlewares:
        - https-redirectscheme
        - rate-limit
      service: xmpp-http-ejabberd
      rule: "Host(`example.net`) && PathPrefix(`/captcha`, `...`)"
      priority: 190
      tls:
        options: default
        certResolver: dns-cloudflare
        domains:
          - main: example.net
  services:
    xmpp-http-ejabberd:
      loadBalancer:
        servers:
          - url: http://xmpp-ejabberd:5280
        passHostHeader: true
```
Other TCP routers (also TLS-enabled) are not affected, e.g. this rule is still applied, which only has a different domain in the HostSNI rule:
```yaml
tcp:
  routers:
    eturnal:
      entryPoints:
        - websecure
      service: eturnal
      rule: HostSNI(`turn.example.net`)
      tls:
        passthrough: true
  services:
    eturnal:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: localhost:5349
```
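As an added illustration (not the poster's or Traefik's code): a simplified model of the documented TCP matching order (highest priority first, default priority equal to the rule length, HostSNI(`*`) tried last) run over the four TCP routers above. It does not model HTTP routers, so it cannot reproduce the reported behaviour; it does show that with these priorities a server-to-server TLS connection presenting SNI example.net is taken by xmpps-client (priority 200) before xmpps-server (199) is ever considered.

```python
# Simplified model of Traefik's documented TCP router precedence, applied to
# the routers from the post. Added example, not Traefik code: real Traefik
# parses the ClientHello itself and also interleaves HTTP routers.
from dataclasses import dataclass
from typing import Optional

CATCH_ALL = "HostSNI(`*`)"

@dataclass(frozen=True)
class Conn:
    tls: bool
    sni: str = ""    # server name from the ClientHello ("" if none)
    alpn: str = ""   # ALPN protocol offered ("" if none)

@dataclass(frozen=True)
class Router:
    name: str
    rule: str
    priority: Optional[int] = None   # Traefik default: length of the rule
    tls: bool = False                # router has a tls: block

# Rules copied verbatim from the post's TCP configuration.
ROUTERS = [
    Router("xmpp-client", CATCH_ALL),
    Router("xmpps-client", "ALPN(`xmpp-client`) || HostSNI(`example.net`)", 200, tls=True),
    Router("xmpps-server", "ALPN(`xmpp-server`)", 199, tls=True),
    Router("eturnal", "HostSNI(`turn.example.net`)", tls=True),
]

def _matches(term: str, conn: Conn) -> bool:
    """Evaluate one HostSNI(...) or ALPN(...) matcher against a connection."""
    kind, _, arg = term.strip().partition("(")
    arg = arg.rstrip(")").strip("`")
    if kind == "HostSNI":
        return arg == "*" or (conn.tls and conn.sni == arg)
    if kind == "ALPN":
        return conn.tls and conn.alpn == arg
    raise ValueError(f"unsupported matcher {kind!r}")

def route(conn: Conn, routers=ROUTERS) -> Optional[str]:
    """Return the name of the TCP router that would take `conn`, or None."""
    # Highest priority first; the HostSNI(`*`) catch-all is tried last.
    ordered = sorted(routers, reverse=True,
                     key=lambda r: (r.rule != CATCH_ALL, r.priority or len(r.rule)))
    for r in ordered:
        if r.tls and not conn.tls:
            continue   # a TLS router never sees a plaintext connection
        # `||` is the only operator used in the post's rules.
        if any(_matches(t, conn) for t in r.rule.split("||")):
            return r.name
    return None
```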