TCP router gets F, http router gets A

Traefik Traefik v2 (latest)
, ,
1

I have a service that has these labels

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.${STACK}-app.rule=Host(`${STACK}.${DOMAIN}`)"
      - "traefik.http.routers.${STACK}-app.entrypoints=websecure"
      - "traefik.http.routers.${STACK}-app.tls.certresolver=myresolver"
      - "traefik.http.services.${STACK}-app.loadbalancer.server.port=3000"

when I start this stack, if I use SSL Server Test (Powered by Qualys SSL Labs) to validate, I get a big fat A

Screenshot from 2023-11-21 17-43-31
Screenshot from 2023-11-21 17-43-311047×509 30.7 KB

I now wanted to add a TCP port in the same server (express) for certain command/control

so I added the labels (to the same container)

      - "traefik.tcp.routers.${STACK}-app.rule=HostSNI(`${STACK}-socket.${DOMAIN}`)"
      - "traefik.tcp.routers.${STACK}-app.entrypoints=websecure"
      - "traefik.tcp.routers.${STACK}-app.tls.certresolver=myresolver"
      - "traefik.tcp.services.${STACK}-app.loadbalancer.server.port=42000"

so the idea is that I'd get 2 hosts stack.domain and stack-socket.domain

system starts, service starts. however, if I visit the ssl site again, I now get a big fat F for the stack-socket.domain host

Screenshot from 2023-11-21 20-32-17
Screenshot from 2023-11-21 20-32-17993×457 28.5 KB

confused why https is A while TCP is F

Any insights would be most welcome

2

You should use different router/service names in the labels for the different targets, not the same ${STACK}-app.

Is the F a result of the reverse proxy and TLS or might that be connected to the target service?

3

thanks. Have updated the service / router names to be unique for the target.

Same result though.

However, I did notice this

image
image1008×874 78.5 KB

which may imply that if I

a) turn off TLS1.2
b) remove the weak ciphers

may fix the problem

I think a) is achievable using the minTls setting
will have to look into b)

4

That can both be configured in a dynamic config file, loaded in static config via providers.file.

Every now and then you see it in the posts here.