SNI problems proxying to websites

Hi,

Getting: "The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection." when proxying to some websites.

Here are the YAMLs:

apiVersion: v1
kind: Endpoints
metadata:
  name: virtualmin-service
  labels:
    app: virtualmin-service
  namespace: traefik-external
subsets:
- addresses:
  - ip: <virtualmin-ip>
    nodeName: virtualmin-service
  ports:
  - name: virtualmin
    port: 443
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: virtualmin-service
  labels:
    app: virtualmin-service
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: virtualmin
    port: 443
    targetPort: 443
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-virtualmin-https-redirect
  namespace: traefik-external
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-virtualmin-security
  namespace: traefik-external
spec:
  headers:
    hostsProxyHeaders:
      - "X-Forwarded-Host"
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-virtualmin-transport
  namespace: traefik-external
spec:
  serverName: traefik
  insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: traefik-virtualmin-tlsoptions
  namespace: traefik-external
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: false
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: virtualmin-domain-com
  namespace: traefik-external
spec:
  # Certificate will be valid for these domain names
  dnsNames:
  - domain.com
  - www.domain.com
  # Reference our issuer
  # As it's a ClusterIssuer, it can be in a different namespace
  issuerRef:
    kind: ClusterIssuer
    name: cert-manager-acme-issuer
  # Secret that will be created with our certificate and private keys
  secretName: virtualmin-domain-com
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-virtualmin-domain-websecure
  namespace: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`domain.com`)||Host(`www.domain.com`)
      services:
        - name: virtualmin-service
          port: 443
          serversTransport: traefik-virtualmin-transport
      middlewares:
        - name: traefik-virtualmin-security
  tls:
    secretName: virtualmin-domain-com
    options:
      name: traefik-virtualmin-tlsoptions
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-virtualmin-domain-web
  namespace: traefik-external
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`domain.com`)||Host(`www.domain.com`)
      services:
        - name: virtualmin-service
          port: 443
      middlewares:
        - name: traefik-virtualmin-https-redirect

and the logs:

<ClientIP> - - [08/Oct/2024:13:11:27 +0000] "GET /favicon.ico HTTP/2.0" 421 322 "-" "-" 1551 "traefik-external-traefik-virtualmin-domain1-websecure-41fb0880b68c06c04005@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:30 +0000] "GET / HTTP/2.0" 421 322 "-" "-" 1552 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:30 +0000] "GET / HTTP/2.0" 421 322 "-" "-" 1553 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 1ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "HEAD / HTTP/2.0" 421 0 "-" "-" 1554 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "GET / HTTP/2.0" 421 322 "-" "-" 1555 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 1ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "GET / HTTP/2.0" 421 322 "-" "-" 1556 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 1ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "GET /favicon.ico HTTP/2.0" 421 322 "-" "-" 1557 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "GET /favicon.ico HTTP/2.0" 421 322 "-" "-" 1558 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms

Is there something I should do on traefik or on the downstream apache server?

Thank you.

Actually, going to the 2083 or 2087 ports works, not 443.

apiVersion: v1
kind: Endpoints
metadata:
  name: webmin-service
  labels:
    app: webmin-service
  namespace: traefik-external
subsets:
- addresses:
  - ip: <webmin-ip>
    nodeName: webmin-service
  ports:
  - name: webmin
    port: 2087
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: webmin-service
  labels:
    app: webmin-service
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: webmin
    port: 443
    targetPort: 2087
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webmin-domain-websecure
  namespace: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`domain.com`)||Host(`www.domain.com`)
      services:
        - name: webmin-service
          port: 443
          serversTransport: traefik-virtualmin-transport
      middlewares:
        - name: traefik-virtualmin-security
  tls:
    secretName: webmin-domain-com
    options:
      name: traefik-virtualmin-tlsoptions

Also, I see it's working on some subdomains (Dolibarr installed) while not for others (WordPress installed), so probably there's something in the app (htaccess?) to set up?

Ok, solved.

I don't know exactly if that's the real solution, but the only real change in the working implementation is creating a single certificate and IngressRoutes with all of the domains, instead of doing different cert/ig per domain.
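As an added example (not code from the thread), a small Python check for the combination shown above: `ServersTransport.serverName: traefik` pins the upstream SNI to `traefik` while the IngressRoute forwards `Host: domain.com`, and Apache answers 421 with exactly the message quoted in the first post when the Host header and the connection's SNI select different TLS virtual hosts. The script lists the route hosts that disagree with the pinned serverName and counts 421s per router in Traefik access-log lines; the helper names are hypothetical and the sample log lines are constructed from the post's own lines (router names and placeholders kept).

```python
"""Added example: spot an upstream SNI/Host mismatch in a Traefik
ServersTransport + IngressRoute pair, and count 421s per router in Traefik
access logs.  Helper names are hypothetical; values come from the post."""
import re
from collections import Counter

# Host names from a Traefik rule such as Host(`a.com`)||Host(`www.a.com`)
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

# Traefik CLF access log: request, status, size, referer, UA, count, router
LOG_RE = re.compile(r'"[^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" \d+ "([^"]+)"')


def rule_hosts(match_rule):
    return HOST_RE.findall(match_rule)


def sni_mismatches(server_name, match_rule):
    """Hosts the route forwards in the Host header that differ from the SNI
    pinned by ServersTransport.serverName.  Apache answers such requests with
    421 when the SNI and the Host header select different TLS virtual hosts."""
    if not server_name:
        return []  # no pinned SNI, nothing to compare against
    return [h for h in rule_hosts(match_rule) if h.lower() != server_name.lower()]


def count_421_by_router(lines):
    """Map router name -> number of 421 responses in the given log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "421":
            counts[m.group(2)] += 1
    return dict(counts)


# Constructed sample based on the post's log lines (IPs are placeholders).
SAMPLE_LOG = """\
<ClientIP> - - [08/Oct/2024:13:11:27 +0000] "GET /favicon.ico HTTP/2.0" 421 322 "-" "-" 1551 "traefik-external-traefik-virtualmin-domain1-websecure-41fb0880b68c06c04005@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:30 +0000] "GET / HTTP/2.0" 421 322 "-" "-" 1552 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:31 +0000] "HEAD / HTTP/2.0" 421 0 "-" "-" 1554 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 0ms
<ClientIP> - - [08/Oct/2024:13:11:40 +0000] "GET / HTTP/2.0" 200 5120 "-" "-" 1559 "traefik-external-traefik-virtualmin-domain2-websecure-d06aa2ae734bcb414f2b@kubernetescrd" "https://<websiteIP>:443" 12ms
"""

if __name__ == "__main__":
    rule = "Host(`domain.com`)||Host(`www.domain.com`)"
    print("hosts that disagree with serverName=traefik:", sni_mismatches("traefik", rule))
    print("421s per router:", count_421_by_router(SAMPLE_LOG.splitlines()))
```

Note that the same ServersTransport also sets `insecureSkipVerify: true`, so as posted the transport neither names the backend correctly in SNI nor validates its certificate.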
