HTTP2 error for TCP router with TLS

I have an IngressRouteTCP configured for Traefik running in an AKS cluster (behind an Azure load balancer). I'm trying to do routing based on SNI, rather than on the hostname header. The certificate used is generated by Cloudflare for

As you can see below, it doesn't work. What does work is setting a TLSOption with alpnProtocols set to http/1.1. But that would default to http/1 as I understand it. My application supports http2, so I'd prefer to use that.

I'm not sure why it fails. Is it Traefik, curl, or my application?

Testing it with curl -svk --connect-to gives this:

* Connecting to hostname:
* Connecting to port: 443
*   Trying x.x.x.x:443...
* Connected to (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Sep 20 12:40:00 2022 GMT
*  expire date: Sep 16 12:40:00 2037 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558d30129860)
> GET / HTTP/2
> Host:
> user-agent: curl/7.68.0
> accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* http2 error: Remote peer returned unexpected data while we expected SETTINGS frame.  Perhaps, peer does not support HTTP/2 properly.
* Connection #0 to host left intact

I'm using Traefik 2.9.1.

This is my Kubernetes configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami:v1.6.0
          imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: whoami
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(``)
      services:
        - name: whoami
          port: 80
  tls:
    secretName: cloudflare-cert

These are the only logs related to this that I can find in the logs (the second log line doesn't always come though):

traefik-c757597b9-2xv65 time="2022-10-31T08:52:59Z" level=debug msg="Handling connection from to"
traefik-c757597b9-2xv65 time="2022-10-31T08:52:59Z" level=debug msg="Error during connection: read tcp> read: connection reset by peer"

Those IPs are:
- The Kubernetes node
- Traefik
- The service for the whoami pod

I initially tested this behind Cloudflare, and received this:

I thought it might have been an issue with Traefik, so I created an issue here: HTTP2 error for TCP router with TLS · Issue #9484 · traefik/traefik · GitHub. But it was closed.

I'm really grateful for any input! :smile:
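A small probe that reproduces what curl does in the output above and tells the failure modes apart, added here as an example (it is not code from the original post or from Traefik): it offers h2 and http/1.1 via ALPN, sends the HTTP/2 connection preface once the server picks h2, and classifies the first bytes that come back, so that a server which agrees to h2 at the TLS layer but answers the preface with an HTTP/1.x status line is distinguished from a server that really speaks HTTP/2. The `host`/`sni` values are supplied by the caller; the byte strings used in the checks are constructed.

```python
import socket
import ssl
from typing import Optional, Tuple

# RFC 7540 section 3.5: an h2 client opens with this preface plus a SETTINGS frame,
# and the server must answer with a SETTINGS frame of its own.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"  # len 0, type 4 (SETTINGS), flags 0, stream 0
FRAME_TYPE_SETTINGS = 0x4


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a peer sends after the client preface:
    'h2-settings' (SETTINGS frame on stream 0: a real h2 server), 'http1-response'
    (an HTTP/1.x status line: a plain HTTP/1.1 backend parsed 'PRI * HTTP/2.0' as a
    request), 'empty' (closed without data) or 'unknown' (truncated/other frame)."""
    if not data:
        return "empty"
    if data.startswith(b"HTTP/1."):
        return "http1-response"
    if len(data) >= 9:  # 9-byte frame header: length(24) type(8) flags(8) R+stream id(32)
        length = int.from_bytes(data[0:3], "big")
        frame_type = data[3]
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        if frame_type == FRAME_TYPE_SETTINGS and stream_id == 0 and length % 6 == 0:
            return "h2-settings"
    return "unknown"


def probe_h2(host: str, port: int = 443, sni: Optional[str] = None,
             timeout: float = 5.0) -> Tuple[Optional[str], str]:
    """Offer h2 and http/1.1 via ALPN as curl does, then speak h2 and classify the reply.
    `sni` acts like curl's --connect-to: connect to `host` but send `sni` in the ClientHello."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # origin CA certs are not publicly trusted, same as curl -k
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            alpn = tls.selected_alpn_protocol()
            if alpn != "h2":
                return alpn, "not-h2"  # server picked http/1.1 (or nothing); no h2 expectation
            tls.sendall(H2_PREFACE + EMPTY_SETTINGS)
            try:
                reply = tls.recv(4096)
            except (ConnectionResetError, socket.timeout):
                reply = b""  # backend dropped us; Traefik logs this as "connection reset by peer"
            return alpn, classify_reply(reply)
```

Running `probe_h2("x.x.x.x", 443, "your.sni.host")` against the setup above returns `("h2", "http1-response")` when the TLS terminator negotiated h2 but the plaintext backend behind it only speaks HTTP/1.1; a healthy h2 server returns `("h2", "h2-settings")`.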

Have you tried setting Traefik log level to debug?

I have, yes. The only logs related to this are the logs I included. I guess it’s because it’s TCP routing that there aren’t more logs maybe? :person_shrugging:

Hey @bluepuma77 , do you have any more suggestions? :blush:

Sorry, no experience with any parts of your stack: tcp entrypoint, k8s, cloudflare