Hello friends,
I have the following observation and I want to double-check that I have no misconfiguration. So, "if both TCP and HTTP listen on the same entrypoint, TCP routes are applied before HTTP" (docs).
I run an ejabberd XMPP server. Basically, if I apply only the TCP part (see below), clients connect perfectly via the (non-TLS and TLS) TCP routers. This also works perfectly when I terminate TLS at the router.
However, if I apply the HTTP part (see below), then it seems that the TLS-enabled TCP routers (`xmpps-client` and `xmpps-server`) are ignored, because the traffic goes directly to the HTTP router. No connections are possible anymore via the TLS-enabled TCP routers. This applies to both scenarios: TLS passthrough and TLS termination.
Connections via the non-TLS TCP router (`xmpp-client`) are still possible and work.
All routers use the entrypoint `websecure`.
```yaml
tcp:
  routers:
    xmpp-client:
      entryPoints:
        - websecure
      service: xmpp-client-ejabberd
      rule: HostSNI(`*`)
    xmpps-client:
      entryPoints:
        - websecure
      service: xmpps-client-ejabberd
      rule: "ALPN(`xmpp-client`) || HostSNI(`example.net`)"
      priority: 200
      tls:
        passthrough: true
    xmpps-server:
      entryPoints:
        - websecure
      service: xmpps-server-ejabberd
      rule: ALPN(`xmpp-server`)
      priority: 199
      tls:
        passthrough: true
  services:
    xmpp-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5222
    xmpps-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5223
    xmpps-server-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: xmpp-ejabberd:5270

http:
  routers:
    xmpp-http-ejabberd:
      entryPoints:
        - websecure
      middlewares:
        - https-redirectscheme
        - rate-limit
      service: xmpp-http-ejabberd
      rule: "Host(`example.net`) && PathPrefix(`/captcha`, `...`)"
      priority: 190
      tls:
        options: default
        certResolver: dns-cloudflare
        domains:
          - main: example.net
  services:
    xmpp-http-ejabberd:
      loadBalancer:
        servers:
          - url: http://xmpp-ejabberd:5280
        passHostHeader: true
```
Additional observation:
Other TCP routers (also TLS-enabled) are not affected, e.g. this rule is still applied, which only has a different domain in the `HostSNI` rule:
```yaml
tcp:
  routers:
    eturnal:
      entryPoints:
        - websecure
      service: eturnal
      rule: HostSNI(`turn.example.net`)
      tls:
        passthrough: true
  services:
    eturnal:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: localhost:5349
```
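As an added diagnostic (this script is not part of the post above and is not Traefik's or ejabberd's own code), the following POSIX shell script shows how to tell from the outside which router actually answered a connection on the `websecure` entrypoint. It sends a TLS ClientHello with a chosen SNI and ALPN via `openssl s_client` and then, in a second connection, an XMPP stream header. It assumes openssl 1.1 or newer (for `-alpn` and `-no_ign_eof`), that Traefik's TLS options keep the default ALPN list (`h2`, `http/1.1`, `acme-tls/1`, so Traefik never negotiates `xmpp-*`), and that ejabberd negotiates the requested `xmpp-*` ALPN on its TLS ports. Host, port, SNI and ALPN are command-line arguments; the XMPP `to` attribute is taken from the SNI, which is an assumption about the deployment.

```shell
#!/bin/sh
# Added diagnostic for a Traefik websecure entrypoint that mixes TCP routers
# (passthrough and terminating) with an HTTP router. Usage:
#   sh probe.sh traefik.example.net 443 example.net xmpp-client
# Assumes openssl >= 1.1; verification is disabled on purpose because the
# question is which endpoint answers, not whether its chain validates.

# Connection 1: handshake only, print s_client's summary (contains the
# "ALPN protocol: ..." / "No ALPN negotiated" line we key on).
probe_alpn() {
    host=$1 port=$2 sni=$3 alpn=$4
    openssl s_client -connect "$host:$port" -servername "$sni" \
        -alpn "$alpn" </dev/null 2>/dev/null
}

# Read s_client output on stdin. Only the backend (ejabberd) speaks the
# requested xmpp-* ALPN, so getting it back means the ClientHello was passed
# through untouched. Traefik's own TLS stack (default options) offers only
# h2/http/1.1/acme-tls/1, so "none" or h2 means some router terminated TLS.
classify_alpn() {
    requested=$1
    negotiated=$(sed -n 's/^ALPN protocol: //p' | head -n 1)
    [ -n "$negotiated" ] || negotiated=none
    if [ "$negotiated" = "$requested" ]; then
        printf 'passthrough %s\n' "$negotiated"
    else
        printf 'terminated %s\n' "$negotiated"
    fi
}

# Connection 2: after the handshake, send an XMPP stream header and keep
# stdin open for two seconds so the reply arrives before s_client closes
# (-quiet implies -ign_eof, -no_ign_eof turns that back off).
probe_stream() {
    host=$1 port=$2 sni=$3 alpn=$4
    {
        printf '<?xml version="1.0"?><stream:stream to="%s" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">' "$sni"
        sleep 2
    } | openssl s_client -connect "$host:$port" -servername "$sni" \
            -alpn "$alpn" -quiet -no_ign_eof 2>/dev/null
}

# Read the decrypted reply on stdin: an XMPP server opens a stream back,
# Traefik's Go HTTP server answers a non-HTTP request with "HTTP/1.1 400".
classify_stream() {
    reply=$(cat)
    case $reply in
        *"<stream:stream"*) echo xmpp ;;
        HTTP/*)             echo http ;;
        *)                  echo unknown ;;
    esac
}

# Combined verdict from both probes, so the three possible outcomes are
# distinguishable: passthrough TCP router, terminating TCP router, HTTP router.
verdict() {
    alpn_result=$1 stream_result=$2
    case "$alpn_result $stream_result" in
        passthrough*\ xmpp) echo "tcp-router-passthrough" ;;
        terminated*\ xmpp)  echo "tcp-router-terminating" ;;
        terminated*\ http)  echo "http-router" ;;
        *)                  echo "unclear" ;;
    esac
}

if [ $# -eq 4 ]; then
    a=$(probe_alpn "$@" | classify_alpn "$4")
    s=$(probe_stream "$@" | classify_stream)
    echo "alpn: $a"
    echo "stream: $s"
    echo "verdict: $(verdict "$a" "$s")"
fi
```

For the configuration in the post, `sh probe.sh <traefik-host> 443 example.net xmpp-client` should report `tcp-router-passthrough` if the `xmpps-client` TCP router wins as the docs promise; `http-router` confirms the observation that the HTTP router took the connection. Running it a second time with `xmpp-server` as ALPN and once more with `turn.example.net` as SNI gives the same comparison for `xmpps-server` and `eturnal`.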