TCP reverse proxy working for HTTPS but not HTTP

RooSoft · May 30, 2020, 12:06am

Trying to make a Traefik reverse proxy sending port 80 and 443 traffic to kubernetes on another server. Important to notice that HTTPS traffic must be passthrough and thus sent encrypted as is because kubernetes is already managing this.

part of traefik.toml

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

example.toml

[tcp]
  [tcp.routers]
    [tcp.routers.k8sSecureRouter]
      rule = "HostSNI(`*`)"
      service = "k8sSecure"
      entryPoints = ["websecure"]
      [tcp.routers.k8sSecureRouter.tls]
        passthrough = true
    [tcp.routers.k8sRouter]
      rule = "Host(`*`)"
      service = "k8s"
      entryPoints = ["web"]

  [tcp.services]
    [tcp.services.k8s.loadBalancer]
       [[tcp.services.k8s.loadBalancer.servers]]
         address = "192.168.1.10:80"
    [tcp.services.k8sSecure.loadBalancer]
       [[tcp.services.k8sSecure.loadBalancer.servers]]
         address = "192.168.1.10:443"

HTTPS traffic works as expected, but HTTP gets an empty reply after some lag. Everything should be fine though, because calling the kubernetes server directly works perfectly with both protocols.

RooSoft · June 1, 2020, 3:04pm

Managed to make this work by moving k8sRouter in a different TOML file and using a http router instead of tcp.

Could it be that Traefik doesn't like having more than one router in any given TOML file?

Plaidstallion · June 1, 2020, 3:14pm

I was going to suggest that this looks like it should be an HTTP router but I'm not sure. I have also never worked with Kubernetes so I don't know if it applies here but I use yaml instead of toml and these are my entryPoints config inside traefik.yml:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: <domain>.com
            sans:
              - "*.<domain>.com"

Then in my docker-compose I have something like this under labels:

    labels:
      - "traefik.enable=true"
      - traefik.http.routers.<app>-secure.entrypoints=websecure
      - traefik.http.routers.<app>-secure.rule=Host(`<app>.$DOMAINNAME`)
      - traefik.http.routers.<app>-secure.middlewares=<whatever/chains>@file

Topic		Replies	Views
HTTP to HTTPs redirect not working Traefik v2 (latest) file , middleware	1	66	March 20, 2024
Route TCP to an SFTP server Traefik v2 (latest) tcp	3	952	July 1, 2023
Http redirect in K8s Traefik v1 kubernetes-ingress	10	1527	March 23, 2021
Traefik Routers - SSL Redirect + Port 80 for specific Sites Traefik v2 (latest) docker , middleware	2	1924	May 22, 2022
HTTP to HTTPS redirect does not enforce the client to create a new connection Traefik v2 (latest) kubernetes-ingress , cli	3	903	July 21, 2022

TCP reverse proxy working for HTTPS but not HTTP

Related Topics