Trying to replace HAProxy with Traefik v2.4 in front of Varnish.
HAProxy is doing TLS termination and forwarding traffic to Varnish using proxy protocol v2.
HAProxy config backend varnish server varnish 127.0.0.1:6083 send-proxy-v2
Trying to replicate this in Traefik v2.4 without luck.
I guess there is something wrong with the route config. Been trying different things with the router rules with no luck.
Also tried it inside http instead of tcp.
Traefik is running inside docker with network hosts. This explains localhost vs 127.0.0.1.
I've tried these rules with no luck:
rule: "HostSNI(example.com)"
rule: "Host(example.com)"
rule: "PathPrefix(/)"
One thing I wonder, should the router be placed inside tcp or http ?
As the browser talks http with Traefik it make sense to put the router inside http, and the backend inside tcp as Traefik talks to Varnish using proxy protocol (tcp).
It worked on my lab but my test environment was pretty poor. However, I was able to get 200 by sending a request directly to Traefik, then Traefik forwarded the request to Varnish and finally it hit my test application running behind Varnish.
Please let me know what are the results of your tests.
Thanks @jakubhajek. Got an expected respons from Varnish now.
However, next issue: As soon as tcp is added to the mix things break apart again. tls: {} is enough.
Thanks a lot for providing the details of your configuration.
From my side, I can say that I've spent some time trying to reproduce the issue and provide you a working solution. My stack is following:
incoming rq -> Traefik -> Varnish -> a web server with a static page.
I removed by purpose the proxy arguments and it works. Would you please try the config I suggested, you should get a valid response from the backend - in my case, it was just a simple web server with a static web page.
This last setup is the same as having a normal http router, which talks http with Varnish. This is working, but it not how things should be done. With this setup Traefik needs to pass information like client ip, http protocol used (http or https) etc via headers to Varnish.
It is what the proxy protocol solves.
See all the header_up statements used in this Caddy example you need to add to the mix so that the application behind Varnish can make correct redirections etc.
The fact that proxy protocol towards Varnish is working until tls is added, could it be a bug or missing feature in Traefik's handling of this?
HAProxy towards Varnish over proxy protocol is dead simple. Just use Varnish's provided port for proxy protocol (usually 6083 or 8443) and add send-proxy-v2.
backend varnish server varnish 127.0.0.1:6083 send-proxy-v2
btw, Caddy 2 does not (yet) support talking proxy protocol to backends
By default, Varnish accepts HTTP requests. We force Traefik to send requests to service using the PROXY protocol we need to update the Varnish configuration to accepst that communication. In order to do that we have to add the keyword PROXY on the port where Varnish is listening to.
So the arguments passed to the Varnish has to contain the following line:
Indeed!
Think the problem is http/https protocol confusion. me, Traefik, or both
Not mixing entrypoints in tcp routes seems to make a difference. This works like a charm in my test bench:
Nailed it, finally ! Problem was http/2 all along.
Traefik is telling the world I support http/2, but my Varnish was not.
Forcing curl into http1.1 revealed the problem: curl --http1.1 -v https://example.com worked !
After enabling http/2 in Varnish this finally worked.
The backend of Varnish (Apache 2.4) does not need to have http/2 enabled.
Hope this thread find someone else...
Thanks for your patience and for your willingness to use Traefik.
It was a good conversation, thanks for sharing all details concerning your implementation. Yesterday I started to create a repo with that use case, so I will update it later on by adding extra configuration.