Route to a service that provides own TLS + Certificate

I have a service which provides its own SSL certificate and doesn't require termination at a Traefik v2 Router. How does one configure this in a Docker label? Is there a passthrough or something I need to use? Unfortunately, Let's Encrypt is out as this is all behind a private network that's not internet facing.

tldr. My service provides its own SSL, but I'd like to use Traefik to create the hostname "something.my.domain".

1 Like

I just use the TCP router, but you'd still need a certificate that is recognized on the traefik side. In which case I used letsencrypt for that, but I have an Apache server that will have its own TLS certificate along with mTLS authentication.

Here's the relevant block

version: "3.7"
services:
  dmz:
    image: httpd:alpine
    deploy:
      replicas: 1
      update_config:
        order: start-first
      restart_policy:
        condition: any
        delay: 10s
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik

        - traefik.tcp.routers.intranet.rule=HostSNI(`i.trajano.net`)
        - traefik.tcp.routers.intranet.entryPoints=https
        - traefik.tcp.routers.intranet.tls.certresolver=staging
        - traefik.tcp.routers.intranet.tls.passthrough=true
        - traefik.tcp.routers.intranet.tls.domains[0].main=i.trajano.net
        - traefik.tcp.routers.intranet.tls.domains[0].sans=i.trajano.net
        - traefik.tcp.routers.intranet.service=intranet

        - traefik.tcp.services.intranet.loadbalancer.server.port=443

    environment:
      - TZ=America/Toronto

    volumes:
      - /d/p/trajano.net/devops-ca-R2.crt:/ca.pem
      - /d/p/trajano.net/intranet_dmz/i.trajano.net.pem:/cert.pem
      - /d/p/trajano.net/intranet_dmz/key.pem:/key.pem
      - /d/p/trajano.net/intranet_dmz/httpd.conf:/usr/local/apache2/conf/httpd.conf

    networks:
      - traefik
      - intranet

I referenced my sanitized stack files in Trajano base Docker swarm stacks

1 Like

Ahhh, this is a great idea. I'll try this and get back to you later if it worked. Thanks!

Worth noting that I can't use Let's Encrypt as this is all on a private network, but I think the theory above still stands just fine. I just need to give Traefik the private cert that my backend service is also using.

Please share your solution if you get this working.
I need to figure this out too.

It's easier without the letsencrypt, just specify your cert and key in your traefik and not bother with the acme json stuff.
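An added example, not from any poster in this thread and not from the Traefik project itself: a Traefik v2 dynamic configuration (file provider) that expresses the same TCP passthrough router as the compose labels above, alongside the "own cert and key, no ACME" variant just described. Hostnames, service names, ports and file paths are placeholders.

```yaml
# Added example: Traefik v2 dynamic configuration for the file provider.
# Assumes the static config has an entryPoint named "websecure" on :443 and
# loads this file via providers.file.filename. All names/paths are placeholders.

tcp:
  routers:
    # Variant 1: the backend presents its own certificate (the thread's case).
    # With passthrough, Traefik only reads the SNI from the ClientHello and
    # forwards the raw TLS bytes, so it terminates nothing and needs neither
    # the backend's certificate nor an ACME resolver. Routing is by SNI only,
    # so the rule must be HostSNI, not Host.
    backend-passthrough:
      rule: "HostSNI(`something.my.domain`)"
      entryPoints:
        - websecure
      tls:
        passthrough: true
      service: backend-tls
  services:
    backend-tls:
      loadBalancer:
        servers:
          - address: "backend:443"   # the service that speaks TLS itself

http:
  routers:
    # Variant 2: Traefik terminates TLS with a privately issued certificate
    # from the tls.certificates list below (no Let's Encrypt, no acme.json).
    # Traefik selects the certificate whose SAN matches the requested SNI.
    other-terminated:
      rule: "Host(`other.my.domain`)"
      entryPoints:
        - websecure
      tls: {}
      service: other-plain
  services:
    other-plain:
      loadBalancer:
        servers:
          - url: "http://other-backend:8080"   # plaintext hop stays on the internal network

tls:
  certificates:
    - certFile: /certs/other.my.domain.crt   # placeholder path to the private-CA cert
      keyFile: /certs/other.my.domain.key    # placeholder path to its private key
```

Clients still need to trust the private CA that issued each certificate, whether the backend (variant 1) or Traefik (variant 2) presents it.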

There are a couple of earlier threads with the same SSL Passthrough question but no answers:

It would be quite cool if we could cobble together a small working example for v2 for others to use in future, I've certainly seen one for v1 somewhere.

Was told something like that was not possible on v1. Care to share it?

It was a while ago. Maybe I'm misremembering.

I was thinking the same thing, the reason why I tried hard to get v2.0 working was because of this limitation. The workaround I had was to use nginx instead.

SSL passthrough is achievable with TCP routers (wasn't that deep into the docs).
Check out my post: