Strict SNI support for outgoing trafic in traefik v2.x.X

related to new ServersTransport available in 2.4.0(-rc1 for now) that allows TLS for outbound trafic,
it seems that SNI is not supported for outgoing trafic .I would expect the serversTransport to allow
to set a SNI host (setting Host header is not sufficient for strict SNI checking it seems)

I have a traefik 2.4 in an EKS (aws k8s) that forwards to services hosted in another k8s (+istio) on port 443. I use the k8s crd to create dynamic config (ExternalName to define host to reach eg
the route 53 I created (eg. leads to the Istio ingress, and then a GAteway checks host for routing. The certficates are specific to

the connection is reset by envoy in the backup.

running openssl from a pod near Traefik leads to the same result if the -serverName is omited

Is there something I do wrong or I missed in the config? Should this be a feature/bug to submit to traefik team ?

Hello @benoitg31 ,

Could you share a minimal reproducible case or at least your configuration with the related logs?

Did you check the documentation, you may need to define a servername, like:

kind: ServersTransport
  name: mytransport
  namespace: default

    serverName: "test"
1 Like

Indeed I was setting a wrong serverName ! I changed the servername value to the name in the certificate
Good spot, thanks.
The doc says :

[1] | serverName | ServerName used to contact the server.

maybe it could specify SNI , because it wasn't obvious from my perspective

As developers, we may be too used to technical notations (the terminology comes from golang) :stuck_out_tongue:

It could be a good idea to improve the documentation, feel free to open an issue/PR on our GitHub repository and don't hesitate to ask for help if needed :slight_smile:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.