TCP reverse proxy pass through (nginx equivalent)

Hi,

I have a docker container running with the IP 192.168.49.2:8443, and I try to reach it from outside my server via traefik as my L4 reverse proxy.

I tested everything with nginx and it's as simple as that:

stream {
  server {
      listen <my_ip>:6443;
      proxy_pass 192.168.49.2:8443;
  }
}

Then curl https://<my_ip>:6443/api --insecure from another PC. Works.

I tried to create the exact same thing with traefik, but when curling I get the error message "connection refused". My config is

// static

entryPoints:
    kubernetes:
      address: ":6443"
...

// Dynamic

tcp:
  routers:
    minikube:
      rule: "HostSNI(`*`)"
      entryPoints:
        - "kubernetes"
      service: minikube
      tls:
        passthrough: true

  services:
    minikube:
      loadBalancer:
        servers:
          - address: 192.168.49.2:8443

So it listens on 6443, it's a L4 Proxy and tls is passthrough. Seems like the exact same thing to me.

I checked the log for any error message (with DEBUG), but there are none. I also checked in the dashboard whether the route and service are set up, and everything seems fine.

I appreciate any help!


I am in the same boat here! Looking for a solution for this as well.
Thanks!

Try port instead of address in the service and just specify the port (8443).
I know the doc says address (Services - Traefik) but the reference says port (Docker - Traefik).

Actually I found a solution that is working for me.

On your traefik.yml file add the Dynamic confs below.

Add a new Entrypoint for your k8s api service and also the tcp routers like below.

In my case I have two Master Control planes which we'll load balance to.

In the end just make sure to point your dns k8sapi.example.com to your traefik ip address that will consume this entrypoint at port 6443.

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    #  ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

  k8s-api:
    address: :6443

## Dynamic configuration

tcp:
  routers:
    to-k8s-api:
      entryPoints:
        - "k8s-api"
      rule: "HostSNI(`k8sapi.example.com`)"
      service: k8s-api-backend
      tls:
        passthrough: true
  services:
    k8s-api-backend:
      loadBalancer:
        servers:
        - address: "k8s-master01.example.com:6443"
        - address: "k8s-master02.example.com:6443"

Also don't forget to expose the control plane ports on your docker compose.

    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # K8S apiserver
      - "6443:6443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"

If you want a plain TCP router with HostSNI(`*`) without Traefik TLS handling, then don’t use tls in Traefik. The plain TCP traffic will be proxied (passed through) anyway.

Remove this line, as it has side effects. It will activate Traefik TLS. If no cert exists, Traefik will create and use a custom one, which the client will not trust.
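To confirm that a TCP router with `passthrough: true` really hands the TLS session through unchanged, rather than terminating it with Traefik's self-generated default certificate as described above, compare the leaf certificate a client sees through Traefik with the one the backend presents directly. This is an added example, not code from the thread; the backend address 192.168.49.2:8443 is the one from the question, and the Traefik host passed on the command line is an assumption.

```python
import hashlib
import socket
import ssl
import sys
from typing import Optional


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def leaf_cert_fingerprint(host: str, port: int, sni: Optional[str] = None,
                          timeout: float = 5.0) -> str:
    """Connect with TLS and return the fingerprint of the leaf certificate presented.

    Chain verification is disabled on purpose: this is an inspection of *which*
    certificate is served, not a trust decision, so an untrusted self-signed
    certificate (e.g. Traefik's default one) is still reported.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sets SNI; needed when the router uses a specific HostSNI(...)
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_of_der(der)


def passthrough_preserved(backend_fp: str, proxy_fp: str) -> bool:
    """True when the client sees the backend's own certificate through the proxy.

    A mismatch means Traefik terminated TLS itself (e.g. 'tls' set without
    passthrough and no certificate configured, so its default one was used).
    """
    return backend_fp.lower() == proxy_fp.lower()


if __name__ == "__main__":
    traefik_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption
    sni = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. k8sapi.example.com
    backend = leaf_cert_fingerprint("192.168.49.2", 8443)
    via_proxy = leaf_cert_fingerprint(traefik_host, 6443, sni=sni)
    print("backend :", backend)
    print("via proxy:", via_proxy)
    print("passthrough preserved:", passthrough_preserved(backend, via_proxy))
```

Run it from the same PC you used for the curl test; if the fingerprints differ, the client is talking to a certificate minted by Traefik rather than the one on 192.168.49.2:8443.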