Strict SNI support for outgoing traffic in traefik v2.x.X

Related to the new ServersTransport available in 2.4.0 (-rc1 for now) that allows TLS for outbound traffic,
it seems that SNI is not supported for outgoing traffic. I would expect the serversTransport to allow
setting an SNI host (setting the Host header is not sufficient for strict SNI checking, it seems).

Background:
I have a traefik 2.4 in an EKS (AWS k8s) that forwards to services hosted in another k8s (+Istio) on port 443. I use the k8s CRD to create dynamic config (ExternalName to define the host to reach, e.g. myhost.com).
The Route 53 I created (e.g. myhost.com) leads to the Istio ingress, and then a Gateway checks host myvirtualservice.myhost.com for routing. The certificates are specific to myvirtualservice.myhost.com.

Observed:
The connection is reset by envoy in the backup.

Debug:
Running openssl from a pod near Traefik leads to the same result if the -serverName is omitted.

Is there something I do wrong or I missed in the config? Should this be a feature/bug to submit to the traefik team?

Hello @benoitg31,

Could you share a minimal reproducible case or at least your configuration with the related logs?

Did you check the documentation? You may need to define a servername, like:

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: "test"

Indeed I was setting a wrong serverName! I changed the serverName value to the name in the certificate.
Good spot, thanks.
The doc says:

[1] | serverName | ServerName used to contact the server.

Maybe it could specify SNI, because it wasn't obvious from my perspective.

As developers, we may be too used to technical notations (the terminology comes from golang) :stuck_out_tongue:

It could be a good idea to improve the documentation, feel free to open an issue/PR on our GitHub repository and don't hesitate to ask for help if needed :slight_smile:
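
The failure discussed in this thread can be reproduced locally. The following is an added example, not code from the thread or from Traefik: a Go HTTPS backend that enforces strict SNI, probed once with the dial host name and once with the name in the certificate. `strictBackend`, `probe` and the self-signed certificate are constructed for illustration; `ServerName` is the Go `crypto/tls` client field that carries the SNI value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

const certName = "myvirtualservice.myhost.com" // constructed: name in the backend cert

// strictBackend (hypothetical helper) serves HTTPS locally and aborts any handshake whose SNI is not certName.
func strictBackend() (string, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // setup errors ignored: fixed, valid inputs
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{certName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts this self-signed test certificate
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if h.ServerName != certName {
				return nil, fmt.Errorf("strict SNI: unexpected name %q", h.ServerName)
			}
			return &cert, nil
		}})
	go http.Serve(ln, nil) // performs the TLS handshake on each accepted connection
	return ln.Addr().String(), roots
}

// probe sends sni in the ClientHello; a nil error means the handshake completed.
func probe(addr, sni string, roots *x509.CertPool) error {
	c, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, RootCAs: roots})
	if err == nil {
		c.Close()
	}
	return err
}

func main() {
	addr, roots := strictBackend()
	fmt.Println("SNI myhost.com ->", probe(addr, "myhost.com", roots))
	fmt.Println("SNI", certName, "->", probe(addr, certName, roots))
}
```

The first probe fails during the handshake, before any HTTP request (and therefore any Host header) is sent; the second completes because the SNI matches the certificate name.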
