TCP reverse proxy working for HTTPS but not HTTP

RooSoft · May 30, 2020, 12:06am

Trying to make a Traefik reverse proxy sending port 80 and 443 traffic to kubernetes on another server. Important to notice that HTTPS traffic must be passthrough and thus sent encrypted as is because kubernetes is already managing this.

part of traefik.toml

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

example.toml

[tcp]
  [tcp.routers]
    [tcp.routers.k8sSecureRouter]
      rule = "HostSNI(`*`)"
      service = "k8sSecure"
      entryPoints = ["websecure"]
      [tcp.routers.k8sSecureRouter.tls]
        passthrough = true
    [tcp.routers.k8sRouter]
      rule = "Host(`*`)"
      service = "k8s"
      entryPoints = ["web"]

  [tcp.services]
    [tcp.services.k8s.loadBalancer]
       [[tcp.services.k8s.loadBalancer.servers]]
         address = "192.168.1.10:80"
    [tcp.services.k8sSecure.loadBalancer]
       [[tcp.services.k8sSecure.loadBalancer.servers]]
         address = "192.168.1.10:443"

HTTPS traffic works as expected, but HTTP gets an empty reply after some lag. Everything should be fine though, because calling the kubernetes server directly works perfectly with both protocols.

RooSoft · June 1, 2020, 3:04pm

Managed to make this work by moving k8sRouter in a different TOML file and using a http router instead of tcp.

Could it be that Traefik doesn't like having more than one router in any given TOML file?

Plaidstallion · June 1, 2020, 3:14pm

I was going to suggest that this looks like it should be an HTTP router but I'm not sure. I have also never worked with Kubernetes so I don't know if it applies here but I use yaml instead of toml and these are my entryPoints config inside traefik.yml:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: <domain>.com
            sans:
              - "*.<domain>.com"

Then in my docker-compose I have something like this under labels:

    labels:
      - "traefik.enable=true"
      - traefik.http.routers.<app>-secure.entrypoints=websecure
      - traefik.http.routers.<app>-secure.rule=Host(`<app>.$DOMAINNAME`)
      - traefik.http.routers.<app>-secure.middlewares=<whatever/chains>@file

Topic		Replies	Views
TCP reverse proxy pass through (nginx equivalent) Traefik v2 file , tcp	3	3194	January 31, 2022
TCP Routers not working in Kubernetes Traefik v2 kubernetes-crd	0	1014	October 24, 2019
TCP on Kubernetes Traefik v2 kubernetes-ingress	20	12876	September 18, 2022
Traefik serves traffic on port 80 over https Traefik v2 kubernetes-ingress	1	45	June 27, 2024
Http2 with http and tcp routers Traefik v2 tcp	2	809	December 28, 2023

TCP reverse proxy working for HTTPS but not HTTP

Related topics