TCP Reverse proxy and toml configuration

I tried adding TCP routers and a proxy in a toml file like below, but the TCP proxy pass-through is not reaching the end TCP service.

[tcp.routers]
[tcp.routers.Router-1]
# won't listen to entry point web
entryPoints = ["tcpep"]
rule = "HostSNI(127.0.0.1)"
tls = "false"
service = "my-service"
#[tcp.routers.Router-1.tls]
#passthrough = true
#certResolver = "lets-encrypt"

[tcp.services]
[tcp.services.my-service.loadBalancer]
terminationDelay = 100
[tcp.services.my-service.loadBalancer.proxyProtocol]
version = 1
[[tcp.services.my-service.loadBalancer.servers]]
address = "172.18.0.1:8443"

Please help me out: are there any changes required?

Seen the below errors in the docker logs when trying to telnet to 127.0.0.1:1234:
time="2022-01-11T10:10:27Z" level=debug msg="Handling connection from 172.19.0.1:45538"
time="2022-01-11T10:10:27Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45910: use of closed network connection"
time="2022-01-11T10:10:28Z" level=debug msg="Handling connection from 172.19.0.1:45550"
time="2022-01-11T10:10:29Z" level=debug msg="Handling connection from 172.19.0.1:45564"
time="2022-01-11T10:10:29Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45936: use of closed network connection"
time="2022-01-11T10:10:30Z" level=debug msg="Handling connection from 172.19.0.1:45572"
time="2022-01-11T10:10:30Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45944: use of closed network connection"
time="2022-01-11T10:10:31Z" level=debug msg="Handling connection from 172.19.0.1:45580"
time="2022-01-11T10:10:31Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45952: use of closed network connection"
time="2022-01-11T10:10:31Z" level=debug msg="Authentication succeeded" middlewareName=simpleAuth@file middlewareType=BasicAuth
time="2022-01-11T10:10:32Z" level=debug msg="Handling connection from 172.19.0.1:45590"
time="2022-01-11T10:10:32Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45962: use of closed network connection"
time="2022-01-11T10:10:32Z" level=debug msg="Handling connection from 172.19.0.1:45598"
time="2022-01-11T10:10:32Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45970: use of closed network connection"
time="2022-01-11T10:10:33Z" level=debug msg="Handling connection from 172.19.0.1:45608"
time="2022-01-11T10:10:33Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:45980: use of closed network connection"


time="2022-01-11T10:13:01Z" level=debug msg="http: TLS handshake error from 172.19.0.1:51694: remote error: tls: bad certificate"
time="2022-01-11T10:13:06Z" level=debug msg="Serving default certificate for request: "traefik.linuxtechi.local""
time="2022-01-11T10:13:06Z" level=debug msg="http: TLS handshake error from 172.19.0.1:51712: remote error: tls: bad certificate"
time="2022-01-11T10:13:06Z" level=debug msg="Serving default certificate for request: "traefik.linuxtechi.local""
time="2022-01-11T10:13:06Z" level=debug msg="http: TLS handshake error from 172.19.0.1:51716: remote error: tls: bad certificate"

Hello @pavan.2990 and thanks for your interest in Traefik,

As explained in the documentation, when using a TCP router without TLS, the HostSNI(`*`) rule must be used (only TLS routers will be able to specify a domain name with that rule). Therefore, your TCP configuration should look like the following:

[tcp.routers]
[tcp.routers.Router-1]
 entryPoints = ["tcpep"]
 rule = "HostSNI(`*`)"
 tls = "false"
 service = "my-service"

[tcp.services]
[tcp.services.my-service.loadBalancer]
 terminationDelay = 100

[tcp.services.my-service.loadBalancer.proxyProtocol]
 version = 1

[[tcp.services.my-service.loadBalancer.servers]]
  address = "172.18.0.1:8443"

Hope this helps!


I have tried changing to HostSNI(*) but I still have the problem.
Getting the below error in the traefik logs:
time="2022-01-12T13:22:23Z" level=debug msg="Handling connection from 172.19.0.1:46254"
time="2022-01-12T13:22:23Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.2:46626: use of closed network connection"

Could you please help me with what the problem would be here?

Are you sure that the backend is reachable from Traefik?
Could you provide your static configuration and the debug logs from the beginning?

The pasted errors make me think that Traefik is not able to open a TCP connection with the backend.

I am sure that the backend is reachable and I am able to telnet to it.
I am attaching the complete content I am using.
Please check and advise on it.
+++++++++++++++++
[http.middlewares.simpleAuth.basicAuth]
users = [
"admin:$apr1$JlR4CsB9$0mWzxj8ZtkfYV90P44PUu1"
]

[http.routers.api]
rule = "Host(traefik.linuxtechi.local)"
entrypoints = ["websecure"]
middlewares = ["simpleAuth"]
service = "api@internal"
[http.routers.api.tls]
certResolver = "lets-encrypt"

[tcp.routers]
[tcp.routers.Router-1]
# won't listen to entry point web
entryPoints = ["tcpep"]
rule = "HostSNI(*)"
tls = "false"
service = "my-service"
#[tcp.routers.Router-1.tls]
#passthrough = true
#certResolver = "lets-encrypt"

[tcp.services]
[tcp.services.my-service.loadBalancer]
terminationDelay = 100
[tcp.services.my-service.loadBalancer.proxyProtocol]
version = 1
[[tcp.services.my-service.loadBalancer.servers]]
address = "172.18.0.1:8443"
+++++++++++++++++
[log]
level = "DEBUG"

[ServersTransport]
InsecureSkipVerify = true
#passHostHeader = true

[entryPoints]
[entryPoints.web]
address = ":800"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":4430"
[entryPoints.tcpep]
address = ":1234"

[api]
dashboard = true
insecure = true
[certificatesResolvers.lets-encrypt.acme]
email = "info@linuxtechi.local"
storage = "acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
watch = true
network = "web"

[providers.file]
filename = "traefik_dynamic_tcp_lb.toml"
+++++++++++++++++
docker startup script
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD/traefik.toml:/traefik.toml \
-v $PWD/traefik_secure.toml:/traefik_secure.toml \
-v $PWD/traefik_dynamic_tcp_lb.toml:/traefik_dynamic_tcp_lb.toml \
-v $PWD/traefik_dynamic_tcp_app_lb.toml:/traefik_dynamic_tcp_app_lb.toml \
-v $PWD/acme.json:/acme.json \
-p 800:800 \
-p 4430:4430 \
-p 1234:1234 \
--network web \
--name traefik \
traefik:v2.4
+++++++++++++++++

Is the backend also in the web network?
Is the backend handling proxy protocol properly?
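Added example (not from this thread or the Traefik project) of what the proxyProtocol version = 1 setting in the posted service config makes the proxy prepend to every backend connection, and why a backend that does not expect it sees those bytes as application data. The client/proxy addresses and the ClientHello bytes are constructed samples; the header format follows the HAProxy PROXY protocol v1 spec.

```python
import re

# PROXY protocol v1 header (HAProxy spec), sent before any application bytes when
# [tcp.services.<name>.loadBalancer.proxyProtocol] version = 1 is configured:
#   "PROXY TCP4 <client-ip> <proxy-ip> <client-port> <proxy-port>\r\n"
# The whole header is at most 107 bytes and must end with CRLF.
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")

def build_proxy_v1_header(client_ip, client_port, proxy_ip, proxy_port):
    """Build the header a PROXY-v1-speaking load balancer prepends to the stream."""
    family = "TCP6" if ":" in client_ip else "TCP4"
    line = f"PROXY {family} {client_ip} {proxy_ip} {client_port} {proxy_port}\r\n"
    if len(line) > 107:
        raise ValueError("PROXY v1 header exceeds 107 bytes")
    return line.encode("ascii")

def strip_proxy_v1_header(stream):
    """Split stream into ((client_ip, client_port) or None, remaining bytes).

    Raises ValueError when the stream does not start with a valid PROXY v1 header,
    which is what a PROXY-aware backend should do before closing the connection."""
    m = _PROXY_V1.match(stream[:107])
    if not m:
        raise ValueError("stream does not start with a PROXY v1 header")
    if m.group(1) == b"UNKNOWN":
        return None, stream[m.end():]
    client = (m.group(2).decode("ascii"), int(m.group(4)))
    return client, stream[m.end():]

def backend_first_bytes(stream, speaks_proxy_protocol):
    """First five bytes the backend's application layer sees.

    A backend not configured for PROXY protocol receives the header as application
    data: a TLS listener then sees 'P' (0x50) where it expects a TLS record type
    (0x16) and drops the connection, so the proxy side logs a closed connection."""
    if speaks_proxy_protocol:
        _, payload = strip_proxy_v1_header(stream)
        return payload[:5]
    return stream[:5]

# Constructed sample: the client address 172.19.0.1:45538 from the thread's logs,
# reaching entrypoint :1234 on the proxy, followed by a TLS ClientHello record start.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xf4"
SAMPLE_STREAM = build_proxy_v1_header("172.19.0.1", 45538, "172.19.0.2", 1234) + CLIENT_HELLO_PREFIX
```

Pointing a PROXY-protocol-enabled service at a backend that was not configured for it produces exactly this mismatch; either enable PROXY protocol on the backend listener or drop the proxyProtocol table from the service.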

Everything like the traefik dashboard and backend runs in my local environment only.
Anyway, how do I get confirmation that the backend is in the web network?
Please find the attached traefik dashboard screenshots.


Now I am running traefik in a docker container.
Should we run it directly instead, like installing a package?

Running it inside a docker container is fine, if the backend is reachable from the docker container (inside the same docker network).

What is your backend? Is it accepting plain TCP connections (without TLS)?

I made the below changes but redirection is still not working from traefik to my backend:

  1. Backend server and traefik running in same network now
  2. Backend server is changed to accept plain connections

I do not understand what the problem is with connection redirection from traefik to the backend server.

Below are some logs observed from traefik; these might be related to the TCP connections:
time="2022-01-17T07:09:02Z" level=debug msg="Handling connection from 172.18.0.1:54578"
time="2022-01-17T07:09:02Z" level=debug msg="Error while setting deadline: set tcp 172.18.0.14:59766: use of closed network connection"

time="2022-01-17T07:16:10Z" level=debug msg="Handling connection from 172.18.0.1:56770"
time="2022-01-17T07:16:11Z" level=debug msg="Serving default certificate for request: "traefik.linuxtechi.local""

Please check once and let me know if anything is wrong here.