SNI problem since this morning, HostRegexp management

Hi,

I have this conf in Kubernetes CRDs; it worked for months (also in Docker) until this morning, then it started to give SNI errors on all websites. Did something change?

Thank you very much

apiVersion: v1
kind: Namespace
metadata:
  name: traefik-external
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcards-hosting1
  namespace: traefik-external
spec:
  # Certificate will be valid for these domain names
  dnsNames:
  - domain1.com
  - '*.domain1.com'
  - domain2.com
  - '*.domain2.com'
  - domain3.com
  - '*.domain3.com'
  - domain4.com
  - '*.domain4.com'
  - domain5.com
  - '*.domain5.com'
  - domain6.com
  - mail.domain6.com
  - wp-manager.domain6.com
  - www.domain6.com
  - webmail.domain6.com
  - admin.domain6.com
  - autoconfig.domain6.com
  - autodiscover.domain6.com
  # Reference our issuer
  # As it's a ClusterIssuer, it can be in a different namespace
  issuerRef:
    kind: ClusterIssuer
    name: cert-manager-acme-issuer
  # Secret that will be created with our certificate and private keys
  secretName: wildcards-hosting1
---
apiVersion: v1
kind: Endpoints
metadata:
  name: websites-hosting1-svc
  namespace: traefik-external
subsets:
- addresses:
  - ip: <IP>
    nodeName: websites-hosting1-svc
  ports:
  - name: http
    port: 80
    protocol: TCP
  - name: https
    port: 443
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: websites-hosting1-svc
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
---
apiVersion: v1
kind: Endpoints
metadata:
  name: webmin-hosting1-svc
  namespace: traefik-external
subsets:
- addresses:
  - ip: <IP>
    nodeName: webmin1-hosting1-svc
  ports:
  - name: webmin
    port: 2087
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: webmin-hosting1-svc
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: webmin
    port: 443
    targetPort: 2087
---
apiVersion: v1
kind: Endpoints
metadata:
  name: usermin-hosting1-svc
  namespace: traefik-external
subsets:
- addresses:
  - ip: <IP>
    nodeName: usermin1-hosting1-svc
  ports:
  - name: usermin
    port: 2083
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: usermin-hosting1-svc
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: usermin
    port: 443
    targetPort: 2083
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-hosting1-https-redirect
  namespace: traefik-external
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-hosting1-secureheaders
  namespace: traefik-external
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
      #    customRequestHeaders:
      #      X-Forwarded-Proto: "https"
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-hosting1-transport
  namespace: traefik-external
spec:
  insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: traefik-hosting1-tlsoptions
  namespace: traefik-external
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-hosting1-websecure
  namespace: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`domain6.com`) || Hostregexp(`^(admin|webmail|mail|autodiscover|autoconfig|www|wp-manager)\.domain6\.com`) || Hostregexp(`.+\.domain1\.com`) || Hostregexp(`.+\.domain3\.com`) || Hostregexp(`.+\.domain2\.com`) || Hostregexp(`.+\.domain5\.com`) || Hostregexp(`.+\.domain4\.com`) || Host(`domain1.com`) || Host(`domain3.com`) || Host(`domain2.com`) || Host(`domain5.com`) || Host(`domain4.com`)
      services:
        - name: websites-hosting1-svc
          port: 443
          serversTransport: traefik-hosting1-transport
      middlewares:
        - name: traefik-hosting1-secureheaders
  tls:
    secretName: wildcards-hosting1
    options:
      name: traefik-hosting1-tlsoptions
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-hosting1-web
  namespace: traefik-external
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`domain6.com`) || Hostregexp(`^(admin|webmail|mail|autodiscover|autoconfig|www|wp-manager)\.domain6\.com`) || Hostregexp(`.+\.domain1\.com`) || Hostregexp(`.+\.domain3\.com`) || Hostregexp(`.+\.domain2\.com`) || Hostregexp(`.+\.domain5\.com`) || Hostregexp(`.+\.domain4\.com`) || Host(`domain1.com`) || Host(`domain3.com`) || Host(`domain2.com`) || Host(`domain5.com`) || Host(`domain4.com`)
      services:
        - name: websites-hosting1-svc
          port: 80
      middlewares:
        - name: traefik-hosting1-https-redirect
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-hosting1-webmin
  namespace: traefik-external
spec:
  entryPoints:
    - webmin
  routes:
    - kind: Rule
      match: Host(`domain6.com`) || Hostregexp(`^(admin|webmail|mail|autodiscover|autoconfig|www|wp-manager)\.domain6\.com`) || Hostregexp(`.+\.domain1\.com`) || Hostregexp(`.+\.domain3\.com`) || Hostregexp(`.+\.domain2\.com`) || Hostregexp(`.+\.domain5\.com`) || Hostregexp(`.+\.domain4\.com`) || Host(`domain1.com`) || Host(`domain3.com`) || Host(`domain2.com`) || Host(`domain5.com`) || Host(`domain4.com`)
      services:
        - name: webmin-hosting1-svc
          port: 443
          serversTransport: traefik-hosting1-transport
      middlewares:
        - name: traefik-hosting1-secureheaders
  tls:
    secretName: wildcards-hosting1
    options:
      name: traefik-hosting1-tlsoptions
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-hosting1-usermin
  namespace: traefik-external
spec:
  entryPoints:
    - usermin
  routes:
    - kind: Rule
      match: Host(`domain6.com`) || Hostregexp(`^(admin|webmail|mail|autodiscover|autoconfig|www|wp-manager)\.domain6\.com`) || Hostregexp(`.+\.domain1\.com`) || Hostregexp(`.+\.domain3\.com`) || Hostregexp(`.+\.domain2\.com`) || Hostregexp(`.+\.domain5\.com`) || Hostregexp(`.+\.domain4\.com`) || Host(`domain1.com`) || Host(`domain3.com`) || Host(`domain2.com`) || Host(`domain5.com`) || Host(`domain4.com`)
      services:
        - name: usermin-hosting1-svc
          port: 443
          serversTransport: traefik-hosting1-transport
      middlewares:
        - name: traefik-hosting1-secureheaders
  tls:
    secretName: wildcards-hosting1
    options:
      name: traefik-hosting1-tlsoptions

Also tried to avoid HostRegexp and separate the different domains to no avail:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-domain-com
  namespace: traefik-external
spec:
  # Certificate will be valid for these domain names
  dnsNames:
  - domain.com
  - '*.domain.com'
  # Reference our issuer
  # As it's a ClusterIssuer, it can be in a different namespace
  issuerRef:
    kind: ClusterIssuer
    name: cert-manager-acme-issuer
  # Secret that will be created with our certificate and private keys
  secretName: wildcard-domain-com
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-fateitalia-it-websecure
  namespace: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`www.domain.com`) || Host(`domain.com`)
      services:
        - name: websites-hosting1-svc
          port: 443
          serversTransport: traefik-hosting1-transport
      middlewares:
        - name: traefik-hosting1-secureheaders
  tls:
    secretName: wildcard-domain-com
    options:
      name: traefik-hosting1-tlsoptions

Ok, so I probably found out why everything changed in the morning (Europe/Rome):

apt history on the webserver:

Start-Date: 2025-07-17  06:36:05
Commandline: /usr/bin/unattended-upgrade
Upgrade: apache2-suexec-custom:amd64 (2.4.58-1ubuntu8.6, 2.4.58-1ubuntu8.7), apache2-data:amd64 (2.4.58-1ubuntu8.6, 2.4.58-1ubuntu8.7), apache2-bin:amd64 (2.4.58-1ubuntu8.6, 2.4.58-1ubuntu8.7), apache2-utils:amd64 (2.4.58-1ubuntu8.6, 2.4.58-1ubuntu8.7), apache2:amd64 (2.4.58-1ubuntu8.6, 2.4.58-1ubuntu8.7)
End-Date: 2025-07-17  06:36:09

So it's the webserver Apache instance that throws 421 when Traefik is in front.

Anyone facing the same issue? I'm lost now; I can't think of how to debug it any further for the moment.

Is there some helpful guide on how to put Traefik in front of apache, to get some insight on the next debug steps?

Thank you very much.

Hi,

So other hosting platforms have the same problem, apache2-induced (I do not use Plesk in this scenario, but the solution of disabling the reverse proxy works): https://talk.plesk.com/threads/421-misdirected-request.379923/

So actually not Traefik-related, waiting for the solution from apache2.

Hi,

Finally, actually solved by properly setting the serverName in the ServersTransport directive, so that the backend apache2 gets the right SNI info to manage the session.

apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-fateitalia-transport
  namespace: traefik-external
spec:
  insecureSkipVerify: true
  serverName: "domain.com"

This is to be done for every proper virtualhost in the apache2 server if there are multiple websites with different domains and subdomains.
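The failure mode described in this thread, reproduced offline as an added example (not code from the thread or from Traefik): a TLS backend that, like the updated Apache, answers 421 Misdirected Request when the TLS SNI does not match the HTTP Host header, probed first the way Traefik dials an Endpoints-backed Service by IP with no serverName (no SNI is sent for an IP literal), then with the equivalent of `serverName: "domain.com"`. The backend's exact-match check, the hostname `domain.com` and the helper names are assumptions for the demonstration; real Apache compares the Host header against the virtual host selected by SNI, which is why the fix has to be repeated per virtual host as noted above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newStrictSNIBackend is a constructed stand-in for an Apache virtual host that
// rejects any request whose TLS SNI differs from its HTTP Host header.
// Apache's real check is vhost-based; exact string equality is a simplification.
func newStrictSNIBackend() *httptest.Server {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || r.TLS.ServerName != r.Host {
			// Same status the updated apache2 packages returned behind Traefik.
			http.Error(w, "Misdirected Request", http.StatusMisdirectedRequest)
			return
		}
		fmt.Fprintf(w, "served %s", r.Host)
	})
	// httptest's self-signed certificate is accepted because the client, like the
	// thread's ServersTransport, sets insecureSkipVerify.
	return httptest.NewTLSServer(h)
}

// probe sends one request for vhost to backendURL (an https://IP:port URL, as
// when Traefik dials an Endpoints IP) using the given SNI. An empty sni mirrors a
// ServersTransport without serverName: Go, like Traefik, sends no SNI at all when
// the dial target is an IP literal, so the backend sees ServerName == "".
func probe(backendURL, vhost, sni string) (int, error) {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true, // mirrors ServersTransport insecureSkipVerify: true
			ServerName:         sni,  // mirrors ServersTransport serverName
		},
	}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}

	req, err := http.NewRequest(http.MethodGet, backendURL, nil)
	if err != nil {
		return 0, err
	}
	req.Host = vhost // the Host header Traefik forwards for the matched route
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newStrictSNIBackend()
	defer srv.Close()
	for _, sni := range []string{"", "domain.com"} {
		code, err := probe(srv.URL, "domain.com", sni)
		fmt.Printf("SNI=%q Host=%q -> %d (err=%v)\n", sni, "domain.com", code, err)
	}
}
```

Running it prints 421 for the request without SNI and 200 once the SNI matches the Host header, which is exactly the difference the `serverName` line in the ServersTransport makes. Note that `serverName` only changes what Traefik sends in the ClientHello; with `insecureSkipVerify: true` the backend certificate is still not checked, so the name is not validated against it.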
