Support for ALPN(xmpp-client) and ALPN(xmpp-server)

Hi,
Support for ALPN has been added in PR #8913. However, it does not include ALPN types 'xmpp-client' and 'xmpp-server'. It has been requested before and my understanding was that it has also been implemented already. However, upon testing, I came to the conclusion that it does not work yet. Here are all the ALPN protocols including 'xmpp-client' and 'xmpp-server'.

Traefik tcp router/service config:

tcp:
  routers:
    xmpps-client:
      entryPoints:
        - websecure
        - xmpp-client-dtls
      service: xmpps-client-ejabberd
      rule: "HostSNI(`example.com`) && ALPN(`xmpp-client`)"
      tls:
        options: default
        passthrough: true
    xmpps-server:
      entryPoints:
        - xmpps-server
        - websecure
      service: xmpps-server-ejabberd
      rule: "HostSNI(`example.com`) && ALPN(`xmpp-server`)"
      tls:
        options: default
        passthrough: true

  services:
    xmpps-client-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: 10.1.4.100:5223
    xmpps-server-ejabberd:
      loadBalancer:
        proxyProtocol:
          version: 2
        servers:
          - address: 10.1.4.100:5270

tls:
  options:
    default:
      alpnProtocols:
        - xmpp-client
        - xmpp-server
        - http/1.1
        - h2

Traefik log shows:

level=debug msg="http: TLS handshake error from X.X.X.X:57750: tls: client requested unsupported application protocols ([xmpp-client])"
level=debug msg="http: TLS handshake error from X.X.X.X:57760: tls: client requested unsupported application protocols ([xmpp-client])"

What do you want to achieve? Should Traefik create the certs with LetsEncrypt or should Traefik just pass the encrypted requests to the service?

When Traefik creates the certs with LE you should probably not use passthrough: true because where should your target service get the certs from to decrypt the data?

If only your target service has the certs, then you need to use tcp router and service and don't enable TLS, because Traefik doesn't have the cert. Then you can only use HostSNI(`*`).

ALPN() should be working since Traefik v2.9. Not sure about alpnProtocols. The docs only show alpnProtocols = ["http/1.1", "h2"].

I want to use ALPN(xmpp-client) and ALPN(xmpp-server) to route the correct traffic to the correct container (XMPP server container). As these ALPN protocols are not supported, I can't multiplex on 443 on the main domain. It has nothing to do with Let's Encrypt certificate requests. Certificates are manually loaded into Traefik and also for the service (XMPP server). As described here and here, the server should set HostSNI and ALPN to correctly use XMPP over TLS (443).

I would open an issue regarding the alpnProtocols on the Traefik GitHub and ask how they can be supported/added.

@bluepuma77
I opened an 'issue' ticket to request ALPN support for the XMPP protocol. This is the ticket.

Today someone opened a thread where ALPN() seems to work, see here.