Impossible to pass through TLS

Hi, I'm trying to set up TLS passthrough but I can't.

At the moment Traefik is set up with only an HTTP entrypoint on port 80, as it has a pfSense in front of it that handles certificates.

But in this case I have the FleetDM service, which has its own TLS certificates; I would like to make Traefik work transparently as follows:
CLIENT => HTTPS => PFSENSE => HTTPS => TRAEFIK => HTTPS => Fleet.

With only the following labels set, it keeps giving me "404 page not found". How do I get it to work transparently for that backend, since it doesn't have an HTTPS entrypoint enabled?

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.fleetdm.rule=Host(`it-asset.company.it`)"
  - "traefik.http.routers.fleetdm.entrypoints=web"
  - "traefik.http.services.fleetdm.loadbalancer.server.port=8080"
```

Thanks to those who will help me.

1 Like

If you want to pass a TLS connection (with the same cert) through Traefik, you have two options:

  1. Load the TLS cert in Traefik to use an HTTP(S) router. Use TLS passthrough to not terminate TLS but also use the same cert in the connection to the target service.

  2. If the TLS cert is unavailable to Traefik, you can only use an additional entrypoint and use a TCP router with rule HostSNI(`*`) and a TCP service (only a single service on the port). Do not enable TLS on this router, or Traefik will generate a custom Traefik cert.

Hi @bluepuma77, the certificate is only available on the backend and on the pfSense which is in front of Traefik. Traefik has always operated only with the HTTP entrypoint on port 80. Can you tell me how to use the second proposed solution?

How do I edit the labels I put in the backend docker-compose.yml?

Actual labels:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.fleetdm.rule=Host(`it-asset.company.it`)"
  - "traefik.http.routers.fleetdm.entrypoints=web"
  - "traefik.http.services.fleetdm.loadbalancer.server.port=8080"
```

Thanks.

Which service(s) do you consider "the backend"?

Is Traefik only used for that TLS connection? If not, you should use an additional entrypoint/port.

Here is a simple Traefik TCP example.

@bluepuma77 the backend is the server behind Traefik.
Until now Traefik has always worked this way:
pfSense => 80 => Traefik => 80 => backend service/server

Now I would need this:
pfSense => 443 => Traefik => HTTPS(8080) => backend server
or
pfSense => 80 => Traefik => HTTPS(8080) => backend server

1 Like
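As an added example (not posted by anyone in this thread, and not FleetDM's or Traefik's own configuration), here is a docker-compose.yml that wires up bluepuma77's second option for the flow the question asks for (pfSense => 443 => Traefik => HTTPS(8080) => Fleet). Traefik gets one extra entrypoint used only for this stream, and a TCP router with HostSNI(`*`) hands the raw TLS bytes to FleetDM on 8080 without terminating them, so the certificate that pfSense and the client see is FleetDM's own. The host name, the `fleetdm` router/service names and port 8080 come from the thread; the entrypoint name `fleet`, port 8443, the image tags and the file layout are assumptions.

```yaml
# Added example: TLS passthrough for FleetDM via a dedicated TCP entrypoint.
# Assumptions: entrypoint name "fleet" on port 8443, image tags, Docker provider.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Extra entrypoint reserved for the passthrough stream. A TCP router with
      # HostSNI(`*`) claims the whole port, so no other service can share it.
      - "--entrypoints.fleet.address=:8443"
    ports:
      - "80:80"
      - "8443:8443"   # pfSense forwards its 443 to this port
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  fleet:
    image: fleetdm/fleet:latest   # assumed image; Fleet serves HTTPS with its own cert on 8080
    labels:
      - "traefik.enable=true"
      # TCP router instead of the HTTP router from the question: Traefik never
      # decrypts anything, so it needs neither the certificate nor an HTTPS entrypoint.
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.fleetdm.entrypoints=fleet"
      - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"
      # Deliberately no "traefik.tcp.routers.fleetdm.tls=true": that would make
      # Traefik terminate TLS itself and answer with its generated default cert.
```

To check that the passthrough really is transparent, connect to the Traefik port from a client and inspect the certificate, e.g. `openssl s_client -connect <traefik-ip>:8443 -servername it-asset.company.it`: the subject should be FleetDM's certificate, not one with CN "TRAEFIK DEFAULT CERT", which is what appears when TLS was accidentally enabled on the router. If the port must be shared with other TLS services, the same idea works with `HostSNI(`it-asset.company.it`)` plus `traefik.tcp.routers.fleetdm.tls.passthrough=true`, which routes on the SNI name without terminating the session. The last flow in the thread (plain HTTP on 80 into Traefik, HTTPS to Fleet on 8080) is not passthrough at all: there Traefik originates a new TLS connection, which is an HTTP router with `traefik.http.services.fleetdm.loadbalancer.server.scheme=https`, and Traefik must then be able to validate Fleet's certificate.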