serversTransport vs traefik.http.services.<service_name>.loadbalancer.server.scheme

Hi,

What is the difference between serversTransport and traefik.http.services.<service_name>.loadbalancer.server.scheme? When should each be used?

Thank you.

Regards

AFAIK the scheme is only available for providers.docker to use https with the Traefik Configuration Discovery.

I thought that it was to enforce TLS between Traefik Proxy and the target service, isn't it?

Another thing, this article, section "What about passthrough?", from the Traefik blog says to use the following when services handle TLS by themselves. But we needed to use HostSNI(`*`) for that issue.

```yaml
labels:
  - "traefik.tcp.routers.my-tcp-app.rule=HostSNI(`tcp-example.com`)"
  - "traefik.tcp.routers.my-tcp-app.tls.passthrough=true"
```

Yes, scheme=https can be used in labels when your target service/container is not using http, but https/TLS.

When the target service is managing TLS on its own (and it’s not available in Traefik), then you can just use HostSNI(`*`).

If you put in a domain name (and the cert is not available in Traefik), Traefik will generate a custom TLS cert, because it needs to have the cert to read HostSNI of a TLS connection to match to the rule.

Thanks.

With scheme=https, where is the certificate handled? Is it the alternative to passthrough for an HTTP router?

In what case does the code described in the blog work? In the case of, for example, Let's Encrypt auto-generated certificates?
TLS is not enabled in the above code, so why does Traefik try to reach a certificate? Is it because passthrough doesn't terminate TLS but also has to use the same certificate, loaded in Traefik, in the connection to the target service?

Usually a reverse proxy is used for TLS termination (custom or LE) and uses http internally to forward requests.

With scheme=https you tell Traefik to use https/TLS internally, but that may be a different TLS cert, depending on the target service. Target must be trusted or insecureSkipVerify.

With passthrough you instruct Traefik to take the encrypted traffic and just pass it on with a plain TCP connection. It will not intercept and terminate TLS.

Thank you @bluepuma77

Ok for scheme=https.
What about the example code above?

You mean this config? It will only work if both Traefik and the target service have access to the same valid TLS cert.

Yes, great, thank you very much for your explanations.
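
How the two settings from the thread title fit together, as an added example that is not from any of the posters or from the Traefik documentation: `server.scheme=https` makes Traefik open its own TLS connection to the container, and a `serversTransport` (defined in the file provider and referenced by label) controls how that connection is verified. The names `backend` and `internal-ca`, the hostnames, the image and the CA path are assumptions.

```yaml
# Constructed example. Two files are shown as two YAML documents.

# docker-compose.yml: labels on the target container
services:
  backend:
    image: example/backend:latest   # hypothetical image that serves HTTPS on 8443
    labels:
      - "traefik.enable=true"
      # HTTP router: Traefik terminates the client's TLS with its own certificate.
      - "traefik.http.routers.backend.rule=Host(`app.example.com`)"
      - "traefik.http.routers.backend.tls=true"
      # scheme=https: Traefik then opens a second TLS connection to the container.
      # The container's certificate can differ from the one clients see.
      - "traefik.http.services.backend.loadbalancer.server.scheme=https"
      - "traefik.http.services.backend.loadbalancer.server.port=8443"
      # serversTransport: selects how that second connection is verified.
      - "traefik.http.services.backend.loadbalancer.serverstransport=internal-ca@file"
---
# dynamic.yml: Traefik file provider
http:
  serversTransports:
    internal-ca:
      # Name expected in the backend certificate (assumed internal hostname).
      serverName: backend.internal
      # Trust the private CA that issued the backend certificate.
      rootCAs:
        - /etc/traefik/certs/internal-ca.pem
      # Weak alternative: accepts any backend certificate, so the Traefik-to-backend
      # hop is encrypted but not authenticated. Leave it off when rootCAs is set.
      # insecureSkipVerify: true
```

With `tls.passthrough=true` on a TCP router neither setting applies, because Traefik does not open a TLS connection of its own to the target.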