TCP TLS server with non-TLS TCP router

I have an older application that has no TLS support that needs to make TLS TCP connections to a certain IP. I was hoping to use Traefik v2 for this. Can Traefik listen for TCP connections that don't use TLS, and then make a TLS connection to a backend service? Here's how I was envisioning the configuration:

[tcp]
  [tcp.routers]
    [tcp.routers.FrontendTCPRouter]
      entryPoints = ["EntryPoint0"]
      # Catch every request (only available rule for non-tls routers. See below.)
      rule = "HostSNI(`*`)"
      service = "BackendTCPService"
  [tcp.services]
    [tcp.services.BackendTCPService.loadBalancer]
       [[tcp.services.BackendTCPService.loadBalancer.servers]]
         address = "localhost:8050"
         tls = true
1 Like

looking for a similar solution! is it possible to have a TCP SSL/TLS Backend-service? or is this not supported yet?
Best Regards

I ended up not using Traefik to solve this. I used Stunnel. It's not Dockerized and the documentation is a little clunky, but I got it working.
https://www.stunnel.org

I managed to achieve this. My goal was to placing mqtt broker (rabbitmq) behind traefik, so that for single container I am exposing 3 endpoints https for management, mqtt for unencrypted TCP traffic and mqtts for encrypted TCP traffic.

part of traefik.toml:

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
  [entryPoints.mqtt]
    address = ":1883"
  [entryPoints.mqtts]
    address = ":8883"

and part of docker-compose.yml:

  rabbitmq:
    image: rabbitmq:management
    restart: always

    volumes:
      - ./config/rabbitmq/advanced.config:/etc/rabbitmq/advanced.config:ro
      - ./config/rabbitmq/enabled_plugins:/etc/rabbitmq/enabled_plugins:ro
      - rabbitmq_data:/var/lib/rabbitmq

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.router-broker-mgmt.rule=Host(`broker.${PROXY_BASE_DOMAIN}`)"
      - "traefik.http.routers.router-broker-mgmt.tls=true"
      - "traefik.http.routers.router-broker-mgmt.tls.certresolver=le"
      - "traefik.http.routers.router-broker-mgmt.entrypoints=https"
      - "traefik.http.routers.router-broker-mgmt.service=service-broker-mgmt"
      - "traefik.http.services.service-broker-mgmt.loadbalancer.server.port=15672"

      - "traefik.tcp.routers.router-broker-mqtts.rule=HostSNI(`broker.${PROXY_BASE_DOMAIN}`)"
      - "traefik.tcp.routers.router-broker-mqtts.tls=true"
      - "traefik.tcp.routers.router-broker-mqtts.tls.certresolver=le"
      - "traefik.tcp.routers.router-broker-mqtts.entrypoints=mqtts"
      - "traefik.tcp.routers.router-broker-mqtts.service=service-broker-mqtts"
      - "traefik.tcp.services.service-broker-mqtts.loadbalancer.server.port=1883"

      - "traefik.tcp.routers.router-broker-mqtt.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.router-broker-mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.router-broker-mqtt.service=service-broker-mqtt"
      - "traefik.tcp.services.service-broker-mqtt.loadbalancer.server.port=1883"

you have to play with converting labels into toml.

1 Like