MySQL/Mariadb behind Traefik Reverse Proxy

Hello all,
I'm trying to reverse-proxy connections to a mariadb docker image running behind Traefik with TLS offloading. The idea is that clients would connect to Traefik, do the TLS exchange and connect to mariadb behind Traefik. The config is as follows:

The Traefik Endpoint is tls-ep (Port 443)


image: mariadb:latest
restart: unless-stopped
container_name: mariadb
- "$PWD/mariadb:/var/lib/mysql"
- "$PWD/mariadb/mariadb.cnf:/etc/mysql/mariadb.cnf:ro"
- backend
- "traefik.enable=true"
- ""
- "traefik.tcp.routers.mariadb-rtr.entrypoints=tls-ep"
- "traefik.tcp.routers.mariadb-rtr.rule=HostSNI(*)"
- "traefik.tcp.routers.mariadb-rtr.tls=true"
- "traefik.tcp.routers.mariadb-rtr.service=mariadb-svc"
- ""

I can't seem to get it to work. In the Traefik Dashboard everything appears OK but clients are not able to connect. Running mysql -u root -p xxxx -h --port 443 --ssl causes the connection to hang and I don't see any longs in Traefik.

What am I doing wrong?

First, you can only use HostSNI(`*`) with a router that does not use TLS.

Second Mysql/Maria does not use TLS in a compatible manner.

Your best bet is to remove the - "traefik.tcp.routers.mariadb-rtr.tls=true" label and use the mariadb/msql tls options.

It may be possible to encapsulate msql using a product like stunnel on the client end along with a name HostSNI rule with tls enable.

Hi @cakiwi
I tried changing the router host to Host(*) and removed the tls label but now I get "unknown rule Host(*)" If I specify a host like mariadb.domain.tld it errors out because it's a TCP connection.

Did you manage to solve this?
Did you try without TLS?

For me it does not work with plain TCP.