serversTransport vs traefik.http.services.<service_name>.loadbalancer.server.scheme

bremoi · December 19, 2023, 8:40pm

Hi,

What is the difference between serversTransport and traefik.http.services.<service_name>.loadbalancer.server.scheme? When use each other?

Thank you.

Regards

bluepuma77 · December 19, 2023, 8:48pm

AFAIK the scheme is only available for providers.docker to use https with the Traefik Configuration Discovery.

bremoi · December 19, 2023, 9:03pm

I thought that it was to enforce TLS between Traefik Proxy and the target service, isn't it?

Another thing, this article, section " What about passthrough?", from the Traefik blog says to use the following when services handle TLS by themselves. But we needed to use HostSNI(`*`) for that issue.

labels:
  - "traefik.tcp.routers.my-tcp-app.rule=HostSNI(`tcp-example.com`)"
  - "traefik.tcp.routers.my-tcp-app.tls.passthrough=true"

bluepuma77 · December 19, 2023, 9:18pm

Yes, scheme=https can be used in labels when your target service/container is not using http, but https/TLS.

When the target service is managing TLS on its own (and it’s not available in Traefik), then you can just use HostSNI(`*`).

If you put in a domain name (and the cert is not available in Traefik), Traefik will generate a custom TLS cert, because it needs to have the cert to read HostSNI of a TLS connection to match to the rule.

bremoi · December 19, 2023, 9:36pm

Thanks.

With scheme=https where is handled the certificate? Is it the alternative of passthrough for HTTP router?

In what case the code, descibed into the blog, works? In case of, for example, Let's Encrypt auto-generate certificates?
TLS is not enabled in the above code, so why Traefik tries to reach a certificate? It is beacause passthrough doesn't terminate TLS but also has to use the same certificate, loaded in Traefik, in the connection to the target service?

bluepuma77 · December 20, 2023, 6:51am

Usually a reverse proxy is used for TLS termination (custom or LE), uses http internally to forward requests.

With scheme=https you tell Traefik to use https/TLS internally, but that may be a different TLS cert, depending on the target service. Target must be trusted or insecureSkipVerify.

With passthrough you instruct Traefik to take the encrypted traffic and just pass it on with a plain TCP connection. It will not intercept and terminate TLS.

bremoi · December 20, 2023, 2:26pm

Thank you @bluepuma77

Ok for scheme=https.
What about the example code above?

bluepuma77 · December 20, 2023, 9:28pm

You mean this config? It will only work if both Traefik and the target service have access to the same valid TLS cert.

bremoi · December 21, 2023, 1:29pm

Yes, great, thank you very much for your explainations.

Topic		Replies	Views
Tls.passthrough with cert possible? Traefik v2 docker	2	1022	October 31, 2023
TLS passthrough, no SNI Traefik v3 (latest) docker , file	3	402	August 22, 2024
Use external loadbalancer service as https Traefik v2 docker , file	0	1549	April 30, 2021
TLS passthrough for HTTP router Traefik v2 docker , file	9	7944	May 10, 2023
HTTPS Reverse Proxy to HTTPS service: Do I need new certs? Traefik v2 file	3	3060	January 20, 2024

serversTransport vs traefik.http.services.<service_name>.loadbalancer.server.scheme

Related topics