Hello,
I'm still trying to accomplish what I set out to do, as described in this thread:
Unfortunately the issue still persists, traefik can talk to the backend via HTTPS, only with the passthrough option, which leads my browser to get the insecure HTTPS certificate of the backend service, instead of traefik's frontend certificate.
Does anyone know what is the ideal way to solve this problem?
- static: traefik.yml
serversTransport:
insecureSkipVerify: true
providers:
file:
filename: /etc/traefik/config.yml
watch: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: web-secure
scheme: https
permanent: true
web-secure:
address: :443
- dynamic: config.yml
tls:
options:
default:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
stores:
default:
defaultCertificate:
certFile: /etc/traefik/certs/frontend.crt
keyFile: /etc/traefik/certs/frontend.key
certificates:
- certFile: /etc/traefik/certs/frontend.crt
keyFile: /etc/traefik/certs/frontend.key
stores:
- default
tcp:
routers:
serviceA-router:
rule: "HostSNI(`sub.domain.tld`)"
service: serviceA
tls:
passthrough: true
domains:
- main: "*.domain.tld" # frontend.crt covers this wildcard
services:
serviceA:
loadBalancer:
servers:
- address: hostname:8443