Terminating TLS and Re-encrypt


Is it possible to have traefik to re-encrypt the tls after termination at traefik? I have a working mqtts where the TLS is terminated at traefik but the traffic to the server is not.

Yes, you can let Traefik terminate TLS and let it forward with TLS with the same or a different cert.

Thanks. How about TCP traffic like mqtt where the port is 8883? An example config would be highly appreciated. Thank you.

How do we configure this when using Traefik Hub api gateways or portals. Is it mandatory to have an ingress to handover the TLS or take a new TLS for ingress?

You probably need to open another post in the corresponding forum here for hub/portal.

Is it then possible to re-encrypt TCP traffic (non http)?

Yes, you can use loadbalancer.servers.url=https://... in a dynamic config file.

If the target has a public TLS cert it simply works, otherwise you need to use insecureskipverify (global or on the Traefik service) or import the custom cert chain.

That works if the endpoint is an https. What I am trying to do achieve is have traefik receive a MQTTS (tls enabled mqtt) and then re-encypt with another TLS cert before sending to the target.

The first part of decrypting TLS from the mqtts is done nicely by traefik but I have not clue what to do to enable re-encryption.

The Traefik TCP service documentation seems to completely miss a TLS part towards the target service.

If you just want to use Traefik to forward the TLS traffic and the MQTT client can live with a proprietary TLS cert from the MQTT server, then you can just do a plain TCP forward, where Traefik does not need or touch any TLS certs (untested):

# traefik.yml
    address: ":5678"
    filename: traefik-dynamic.yml
# traefik-dynamic.yml
      rule: "HostSNI(`*`)"
        - tcp
      service: tcp-service

          - address: ""

I found what's missing. For terminating TLS and re-encrypt, if you have a public signed cert in your backend service, you have to define a servers transport in Traefik config (map field type in YAML config) which sets a FQDN for the backend service that Traefik will define in the Host header on the requests. This definition can be in any of static config, dynamic config, or Kubernetes CRD.

Then you have to update your ingress route service (type: object) field to add a new serversTransport field (type: string) which points to the named servers transport you defined above, as the one to use for this service.

This will allow Traefik to send the host header to the pod with a FQDN that matches one of the subject alternative names on the certificate, and allow Traefik to re-encrypt communications with the back end service.