TCP TLS server with non-TLS TCP router

bmeneg · June 9, 2023, 3:42pm

Ok, that's interesting: when using the wildcard '*' it works just fine with no TLS options at all, but when using an explicit HostSNI Traefik complains about the lack of TLS option. For instance (using file provider):

tcp:
  routers:
    system-db:
      entrypoints:
        - "postgres"
      rule: "HostSNI(`system-db.example.com`)"
      service: "system-db"
      tls: {}
    gnucash-db:
      entrypoints:
        - "postgres"
      rule: "HostSNI(`*`)"
      service: "gnucash-db"

  services:
    system-db:
      loadBalancer:
        servers:
          - address: "10.0.0.33:8086"
    gnucash-db:
      loadBalancer:
        servers:
          - address: "10.0.0.33:8085"

The above just works and Traefik's monitor dashboard correctly states the first route (system-db) has TLS enabled while the second (gnucash-db) is non-TLS. However, if I change the second to use "HostSNI(gnucash-db.example.com)", instead of the wildcard, I get the following error:

invalid rule: "HostSNI(gnucash-db.example.com)" , has HostSNI matcher, but no TLS on router

Why is TLS enforced in such cases?

Topic		Replies	Views
Configuration of non http port without TLS Traefik v2 docker , tcp	4	7371	May 14, 2020
Why does TCP router try to perform SSL handshake even if TLS is set to false? Traefik v2 docker-swarm , tcp	8	970	May 24, 2023
HTTPS and TLS from one container Traefik v2 docker , tcp	1	1219	May 11, 2020
TLS passthrough, no SNI Traefik v3 (latest) docker , file	3	1047	August 22, 2024
Traefik uses HTTP router instead of the TCP one Traefik v2 tcp	5	1454	May 30, 2023

TCP TLS server with non-TLS TCP router

Related topics