Pass Traefik to Caddy with self-signed certificates

I have been using Caddy and am now trying to integrate it with Traefik.

I have successfully reverse proxied the real domains, but now I want to pass through the internal LAN domains, domains like *.home.lan. They are using the Caddy self-signed certificates, so I have added these labels to my Caddy Docker instance:

  - traefik.tcp.routers.caddyzima.entrypoints=websecure
  - traefik.tcp.routers.caddyzima.rule=HostSNI(`zima.home.lan`)
  - traefik.tcp.routers.caddyzima.tls.passthrough=true

And in my traefik.yml I have set serversTransport to insecureSkipVerify: true.

But it doesn't work when I try to reach the domain.
curl -v https://zima.home.lan results in:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to zima.home.lan:443

Any idea of what I am doing wrong here?

When you use

then Traefik needs access to the TLS cert to read the domain from the request. If no cert is available, Traefik will generate a custom one. That traffic, encrypted with the custom cert, is then forwarded to Caddy, which does not know the cert.

To forward traffic in Traefik without a TLS cert, you can only use HostSNI(`*`).


Thinking about it, this will not work, as TCP routers are processed before HTTP routers, so all requests will match this first and will be forwarded to Caddy.

So you would need to use a different port or provide the caddy cert to Traefik.


Dirty hack regarding the port: create an HTTP service for Traefik with the target domain that just redirects to the different port. That way you can access it without adding the port to the URL; the browser will be redirected. You will see the port in the URL then, but you never have to type it.

I actually needed to add a TCP load balancer and it worked.
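The label set that matches the final resolution above, written out as an added example rather than the poster's own compose file: the Traefik Docker provider creates a default HTTP service for a container automatically, but it does not create a TCP service, so a TCP router with `tls.passthrough=true` only becomes active once a `traefik.tcp.services.<name>.loadbalancer.server.port` label tells it where to forward the raw TLS bytes. The service name, image and the shared network name are assumptions; the router labels are the ones from the question.

```yaml
# Added example, not the original poster's compose file.
# Assumes Traefik has a "websecure" entrypoint on :443 and that both
# containers sit on an external network named "proxy" (assumption).
services:
  caddy:
    image: caddy:2
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # TCP router: match on the SNI sent in the unencrypted ClientHello and
      # hand the connection to Caddy untouched. Traefik never terminates TLS
      # here, so no cert for zima.home.lan needs to be known to Traefik.
      - "traefik.tcp.routers.caddyzima.entrypoints=websecure"
      - "traefik.tcp.routers.caddyzima.rule=HostSNI(`zima.home.lan`)"
      - "traefik.tcp.routers.caddyzima.tls.passthrough=true"
      - "traefik.tcp.routers.caddyzima.service=caddyzima"
      # The part that was missing: unlike HTTP routers, a TCP router gets no
      # auto-created service, so the backend port must be declared explicitly.
      # 443 is the port Caddy serves its self-signed TLS on inside the container.
      - "traefik.tcp.services.caddyzima.loadbalancer.server.port=443"

networks:
  proxy:
    external: true
```

To confirm the passthrough is real and not a Traefik-generated certificate, inspect the leaf certificate that arrives at the client, e.g. `openssl s_client -connect <traefik-host>:443 -servername zima.home.lan </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject`; the issuer should be Caddy's local CA, not a "TRAEFIK DEFAULT CERT". Two caveats: the `serversTransport.insecureSkipVerify` setting only applies when Traefik itself is the TLS client to an HTTP backend, so it is not consulted for a passthrough TCP router and can be left at its default, and because Traefik never sees the plaintext, nothing inside the connection (paths, headers, auth middlewares) can be enforced by Traefik; that enforcement has to live in Caddy.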