Multiple TCP proxies to different hosts:ports

Hi there.

I have a use case where I need to dynamically add TCP proxies to external hosts.

I am running 3.6 in docker and use file provider.

For my HTTP(s) connections I use dynamic files and that works easily using a simple API and some jinja.

However, for the TCP I need to be able to create a TCP proxy to an external IP. The connections will be either RDP, SSH or gRPC. Because I do not know when I start Traefik how many of each type there will be (could be zero, could be 300) or what the destination is, I need to do this programmatically.

e.g.
host1.mysite.com –> 10.21.2.50:22
host2.mysite.com –> 10.22.2.50:22
or RDP
rdp.mysite.com –> 10.21.2.50:3389

I am a little, quite a little (very) confused on how to make this work. Any nudges would be greatly appreciated.

My docker-compose looks like:
``` yaml
services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "5500:5500"
      - "2222:2222"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/certs
      - ./dynamic:/dynamic:ro
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.ssh.address=:2222"
      # Providers
      - "--providers.file.directory=/dynamic"
      - "--providers.file.watch=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      # API & Dashboard
      - "--api.dashboard=true"
      - "--api.insecure=false"
      # Lets Encrypt
    environment:
      - CF_DNS_API_TOKEN=
    # Traefik Dynamic configuration via Docker labels
    labels:
      # Enable self-routing
      - "traefik.enable=true"

networks:
  proxy:
    name: proxy
    external: true
```

TCP routers are added in dynamic config files like HTTP routers, there is no difference.

Dynamic config files are read via providers.file, which can watch a directory for updated files and will automatically reload config.

The challenge is that TCP routers need TLS to be able to identify the target service. For this the TLS cert needs to be known to Traefik, then use HostSNI(). If the TCP connection is not using TLS, then Traefik can only use HostSNI(`*`) and you need to differentiate via ports.

The only thing that can’t be done dynamically is adding listening ports and entrypoints; those are static, and you would need to restart Traefik to add more.

Maybe check the simple Traefik TCP example. Dynamic config from labels can also be placed in dynamic config files.
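
An added example, not part of the original posts and not Traefik's own code: a generator for the `tcp` section of a file-provider dynamic config that enforces the constraints described in the reply above (a hostname rule only for TLS targets, one `HostSNI(`*`)` router per entrypoint, entrypoints limited to those in the static config) and validates every value before it is interpolated into a rule. The entrypoint names are taken from the compose file; the target names, the gRPC host and port, the function names and the choice of `tls: {}` (Traefik terminates TLS) are assumptions made for illustration.

```python
import ipaddress, json, os, re, tempfile

# Hostname labels of letters, digits and hyphens only: rejects backticks, quotes, spaces.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
STATIC_ENTRYPOINTS = {"web", "websecure", "ssh"}   # names from the compose file above
SAMPLE = [  # constructed targets; IPv4 addresses only
    {"name": "host1-ssh", "address": "10.21.2.50:22", "entrypoint": "ssh"},
    {"name": "grpc1", "address": "10.22.2.50:50051", "entrypoint": "websecure", "sni": "grpc.mysite.com"},
]

def build_tcp_config(targets, entrypoints):
    """targets: dicts with name, address, entrypoint and optional sni (hostname)."""
    routers, services, wildcard_eps = {}, {}, set()
    for t in targets:
        name, ep, sni = t["name"], t["entrypoint"], t.get("sni")
        if not NAME_RE.match(name) or name in routers:
            raise ValueError(f"bad or duplicate router name: {name!r}")
        if ep not in entrypoints:
            raise ValueError(f"{name}: entrypoint {ep!r} is not in the static config")
        ip, _, port = t["address"].rpartition(":")
        ipaddress.ip_address(ip)                   # raises ValueError if not an IP
        if not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"{name}: bad port in {t['address']!r}")
        router = {"entryPoints": [ep], "service": name}
        if sni:                                    # TLS client sends SNI: port can be shared
            if not HOST_RE.match(sni):
                raise ValueError(f"{name}: invalid hostname {sni!r}")
            router["rule"] = f"HostSNI(`{sni}`)"
            router["tls"] = {}
        else:                                      # plain TCP such as SSH: one port each
            if ep in wildcard_eps:
                raise ValueError(f"{name}: {ep!r} already has a HostSNI(`*`) router")
            wildcard_eps.add(ep)
            router["rule"] = "HostSNI(`*`)"
        routers[name] = router
        services[name] = {"loadBalancer": {"servers": [{"address": t["address"]}]}}
    return {"tcp": {"routers": routers, "services": services}}

def write_dynamic(directory, filename, config):
    """Write atomically so the file watcher never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)             # JSON is valid YAML
    os.replace(tmp, os.path.join(directory, filename))
```

Calling `write_dynamic("./dynamic", "tcp.yml", build_tcp_config(SAMPLE, STATIC_ENTRYPOINTS))` drops the result into the watched directory; a target that needs a new port still requires a matching static entrypoint and published port first.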

Thanks for the quick response. Pretty much what I had expected, there is no easy way around the entrypoint challenge, either deal with restarts (yuk) or plan ahead.

What's the workload impact if I open a large range (300 for example) of entry-points?

Not sure, maybe just try and report back :slight_smile:

ROFL

Will let you know…