Hi!
I have an IngressRouteTCP configured for Traefik running in an AKS cluster (behind an Azure load balancer). I'm trying to do routing based on SNI, rather than on the hostname header. The certificate used is generated by Cloudflare for test.example.com.
As you can see below, it doesn't work. What does work, is setting a TLSOption with alpnProtocols to http/1.1. But that would default to http/1 as I understand it. My application supports http2, so I'd prefer to use that.
I'm not sure why it fails? Is it Traefik, curl or my application?
Testing it with curl -svk --connect-to test.example.com:443:my-azure-load-balancer.cloudapp.azure.com:443 https://test.example.com gives this:
* Connecting to hostname: my-azure-load-balancer.cloudapp.azure.com
* Connecting to port: 443
* Trying x.x.x.x:443...
* TCP_NODELAY set
* Connected to my-azure-load-balancer.cloudapp.azure.com (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
* start date: Sep 20 12:40:00 2022 GMT
* expire date: Sep 16 12:40:00 2037 GMT
* issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558d30129860)
> GET / HTTP/2
> Host: test.example.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* http2 error: Remote peer returned unexpected data while we expected SETTINGS frame. Perhaps, peer does not support HTTP/2 properly.
* Connection #0 to host my-azure-load-balancer.cloudapp.azure.com left intact
I'm using Traefik 2.9.1.
This is my Kubernetes configuration
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami:v1.6.0
imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- port: 80
name: whoami
selector:
app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: whoami
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`test.example.com`)
services:
- name: whoami
port: 80
tls:
secretName: cloudflare-cert
These are the only logs related to this that I can find in the logs (the second log line doesn't always come though):
traefik-c757597b9-2xv65 time="2022-10-31T08:52:59Z" level=debug msg="Handling connection from 10.9.3.227:61988 to 10.9.3.73:80"
traefik-c757597b9-2xv65 time="2022-10-31T08:52:59Z" level=debug msg="Error during connection: read tcp 10.9.3.58:34400->10.9.3.73:80: read: connection reset by peer"
Those IPs are:
10.9.3.227 - The Kubernetes node
10.9.3.58 - Traefik
10.9.3.73 - The service for the whoami pod
I initially tested this behind Cloudflare, and received this:
I thought it might have been an issue with Traefik, so I created an issue here: HTTP2 error for TCP router with TLS · Issue #9484 · traefik/traefik · GitHub. But it was closed.
I'm really grateful for any input! 
