Hi,
I split the information into two sections: the first is for the working catch-all rule HostSNI('*'); the second is for a rule that does not work, HostSNI('https://172.23.17.226:443'), but believe me, other combinations produce the same output.
The command I use is a plain "curl" invocation from the command line, run on the host that runs the swarm containing my Apache server.
//////////////////////// Rule HostSNI('*') ////////////////////////////
File traefik.log:
...
{"entryPointName":"web-secured","level":"debug","msg":"Creating TCP server 0 at 172.0.10.34:443","routerName":"apache_server@docker","serverName":0,"serviceName":"apache_server","time":"2020-11-06T14
{"entryPointName":"web-secured","level":"debug","msg":"Adding route * on TCP","routerName":"apache_server@docker","time":"2020-11-06T14:50:37Z"}
...
api/rawdata:
{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(/api
)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(/
)","priority":2147483645,"status":"enabled","using":["traefik"]},"grafana@docker":{"entryPoints":["web"],"service":"grafana","rule":"Host(traefik.grafana.com
)","status":"enabled","using":["web"]},"kibana@docker":{"entryPoints":["web"],"service":"kibana","rule":"Host(traefik.kibana.com
)","status":"enabled","using":["web"]},"portainer@docker":{"entryPoints":["portainer"],"service":"portainer","rule":"Host(traefik.portainer.com
)","status":"enabled","using":["portainer"]},"prometheus@docker":{"entryPoints":["web"],"service":"prometheus","rule":"Host(traefik.prometheus.com
)","status":"enabled","using":["web"]},"prometheus@internal":{"entryPoints":["traefik"],"service":"prometheus@internal","rule":"PathPrefix(/metrics
)","priority":2147483647,"status":"enabled","using":["traefik"]},"traefik-traefik@docker":{"entryPoints":["kibana","portainer","web","web-secured"],"service":"dummy-svc","rule":"Host(traefik-traefik
)","status":"enabled","using":["kibana","portainer","web","web-secured"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"dummy-svc@docker":{"loadBalancer":{"servers":[{"url":"http://10.0.0.9:9999"},{"url":"http://172.0.10.13:9999"},{"url":"http://10.0.1.5:9999"}],"passHostHeader":true},"status":"enabled","usedBy":["traefik-traefik@docker"],"serverStatus":{"http://10.0.0.9:9999":"UP","http://10.0.1.5:9999":"UP","http://172.0.10.13:9999":"UP"}},"grafana@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.42:3000"}],"passHostHeader":true},"status":"enabled","usedBy":["grafana@docker"],"serverStatus":{"http://172.0.10.42:3000":"UP"}},"kibana@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.40:5601"}],"passHostHeader":true},"status":"enabled","usedBy":["kibana@docker"],"serverStatus":{"http://172.0.10.40:5601":"UP"}},"noop@internal":{"status":"enabled"},"portainer@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.24:9000"}],"passHostHeader":true},"status":"enabled","usedBy":["portainer@docker"],"serverStatus":{"http://172.0.10.24:9000":"UP"}},"prometheus@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.38:9090"}],"passHostHeader":true},"status":"enabled","usedBy":["prometheus@docker"],"serverStatus":{"http://172.0.10.38:9090":"UP"}},"prometheus@internal":{"status":"enabled","usedBy":["prometheus@internal"]}},"tcpRouters":{"apache_server@docker":{"entryPoints":["web-secured"],"service":"apache_server","rule":"HostSNI(*
)","tls":{"passthrough":true},"status":"enabled","using":["web-secured"]}},"tcpServices":{"apache_server@docker":{"loadBalancer":{"terminationDelay":100,"servers":[{"address":"172.0.10.34:443"}]},"status":"enabled","usedBy":["apache_server@docker"]}}}
curl command, client side (172.23.17.226):
[root@my docker-traefik-prometheus]# curl -k -v https://172.23.17.226:443
- About to connect() to 172.23.17.226 port 443 (#0)
- Trying 172.23.17.226...
- Connected to 172.23.17.226 (172.23.17.226) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- skipping SSL peer certificate verification
- SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Server certificate:
-
subject: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
-
start date: Apr 20 10:35:39 2020 GMT
-
expire date: Apr 20 10:35:39 2021 GMT
-
common name: b89efdb12d33
-
issuer: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 172.23.17.226
Accept: /
< HTTP/1.1 302 Found
< Date: Fri, 06 Nov 2020 14:44:03 GMT
< Server: Apache/2.4.43 (Unix)
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-Powered-By: PHP/5.6.40
< Set-Cookie: PHPSESSID=fd20fkbesc37gqfkbosqkh4t50; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Location: https://172.23.17.226/authentication/login
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
- Connection #0 to host 172.23.17.226 left intact
[root@my docker-traefik-prometheus]# curl -k -v https://172.23.17.226/authentication/login:443
- About to connect() to 172.23.17.226 port 443 (#0)
- Trying 172.23.17.226...
- Connected to 172.23.17.226 (172.23.17.226) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- skipping SSL peer certificate verification
- SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Server certificate:
-
subject: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
-
start date: Apr 20 10:35:39 2020 GMT
-
expire date: Apr 20 10:35:39 2021 GMT
-
common name: b89efdb12d33
-
issuer: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
GET /authentication/login:443 HTTP/1.1
User-Agent: curl/7.29.0
Host: 172.23.17.226
Accept: /
< HTTP/1.1 302 Found
< Date: Fri, 06 Nov 2020 14:44:54 GMT
< Server: Apache/2.4.43 (Unix)
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-Powered-By: PHP/5.6.40
< Set-Cookie: PHPSESSID=6jgqmfebjjd4g2ferphvdoqe25; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Location: https://172.23.17.226/authentication/login
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
- Connection #0 to host 172.23.17.226 left intact
tcpdump, Apache server side:
14:44:54.125042 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [S.], cksum 0x6c5e (incorrect -> 0x6a92), seq 1167419855, ack 1605348140, win 27960, options [mss 1410,sackOK,TS val 5185789 ecr 5150919,nop,wscale 7], length 0
14:44:54.125513 IP (tos 0x0, ttl 64, id 13293, offset 0, flags [DF], proto TCP (6), length 52)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [.], cksum 0x0587 (correct), seq 1, ack 1, win 221, options [nop,nop,TS val 5150920 ecr 5185789], length 0
14:44:54.125777 IP (tos 0x0, ttl 64, id 41459, offset 0, flags [DF], proto UDP (17), length 70)
localhost.52971 > 127.0.0.11.34439: [bad udp cksum 0xfe4f -> 0x1192!] UDP, length 42
14:44:54.163110 IP (tos 0x0, ttl 64, id 18642, offset 0, flags [DF], proto TCP (6), length 1446)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [P.], cksum 0x71c8 (incorrect -> 0x9c00), seq 1:1395, ack 174, win 227, options [nop,nop,TS val 5185827 ecr 5150923], length 1394
14:44:54.163746 IP (tos 0x0, ttl 64, id 13295, offset 0, flags [DF], proto TCP (6), length 52)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [.], cksum 0xff05 (correct), seq 174, ack 1395, win 243, options [nop,nop,TS val 5150958 ecr 5185827], length 0
14:44:54.171930 IP (tos 0x0, ttl 64, id 13296, offset 0, flags [DF], proto TCP (6), length 145)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [P.], cksum 0x26d5 (correct), seq 174:267, ack 1395, win 243, options [nop,nop,TS val 5150966 ecr 5185827], length 93
14:44:54.179692 IP (tos 0x0, ttl 64, id 18643, offset 0, flags [DF], proto TCP (6), length 103)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [P.], cksum 0x6c89 (incorrect -> 0xba16), seq 1395:1446, ack 267, win 227, options [nop,nop,TS val 5185844 ecr 5150966], length 51
14:44:54.202122 IP (tos 0x0, ttl 64, id 13297, offset 0, flags [DF], proto TCP (6), length 182)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [P.], cksum 0xe0f6 (correct), seq 267:397, ack 1446, win 243, options [nop,nop,TS val 5150997 ecr 5185844], length 130
14:44:54.241547 IP (tos 0x0, ttl 64, id 18644, offset 0, flags [DF], proto TCP (6), length 52)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [.], cksum 0x6c56 (incorrect -> 0xfd84), seq 1446, ack 397, win 236, options [nop,nop,TS val 5185906 ecr 5150997], length 0
14:44:54.683793 IP (tos 0x0, ttl 64, id 18645, offset 0, flags [DF], proto TCP (6), length 633)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [P.], cksum 0x6e9b (incorrect -> 0x0ac2), seq 1446:2027, ack 397, win 236, options [nop,nop,TS val 5186348 ecr 5150997], length 581
14:44:54.688351 IP (tos 0x0, ttl 64, id 13298, offset 0, flags [DF], proto TCP (6), length 83)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [P.], cksum 0x0f9b (correct), seq 397:428, ack 2027, win 264, options [nop,nop,TS val 5151483 ecr 5186348], length 31
14:44:54.688472 IP (tos 0x0, ttl 64, id 18646, offset 0, flags [DF], proto TCP (6), length 52)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [.], cksum 0x6c56 (incorrect -> 0xf77b), seq 2027, ack 428, win 236, options [nop,nop,TS val 5186353 ecr 5151483], length 0
14:44:54.688498 IP (tos 0x0, ttl 64, id 13299, offset 0, flags [DF], proto TCP (6), length 52)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [F.], cksum 0xf763 (correct), seq 428, ack 2027, win 264, options [nop,nop,TS val 5151483 ecr 5186348], length 0
14:44:54.691004 IP (tos 0x0, ttl 64, id 18647, offset 0, flags [DF], proto TCP (6), length 83)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [P.], cksum 0x6c75 (incorrect -> 0x17c8), seq 2027:2058, ack 429, win 236, options [nop,nop,TS val 5186355 ecr 5151483], length 31
14:44:54.691220 IP (tos 0x0, ttl 64, id 18648, offset 0, flags [DF], proto TCP (6), length 52)
424087a53a03.443 > traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298: Flags [F.], cksum 0x6c56 (incorrect -> 0xf758), seq 2058, ack 429, win 236, options [nop,nop,TS val 5186355 ecr 5151483], length 0
14:44:54.691663 IP (tos 0x0, ttl 64, id 13300, offset 0, flags [DF], proto TCP (6), length 52)
traefik_traefik.wi8z2041jn4venzsdgjfeivnd.bcww66bzc64vnh7shla2zy8lz.mcs_overlay_network.36298 > 424087a53a03.443: Flags [.], cksum 0xf739 (correct), seq 429, ack 2059, win 264, options [nop,nop,TS val 5151486 ecr 5186355], length 0
//////////////////////// Rule HostSNI('https://172.23.17.226:443') ////////////////////////////
File traefik.log:
...
{"entryPointName":"web-secured","level":"debug","msg":"Creating TCP server 0 at 172.0.10.3:443","routerName":"apache_server@docker","serverName":0,"serviceName":"apache_server","time":"2020-11-06T15:
{"entryPointName":"web-secured","level":"debug","msg":"Adding route https://172.23.17.226:443 on TCP","routerName":"apache_server@docker","time":"2020-11-06T15:10:52Z"}
...
api/rawdata:
{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(/api
)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(/
)","priority":2147483645,"status":"enabled","using":["traefik"]},"grafana@docker":{"entryPoints":["web"],"service":"grafana","rule":"Host(traefik.grafana.com
)","status":"enabled","using":["web"]},"kibana@docker":{"entryPoints":["web"],"service":"kibana","rule":"Host(traefik.kibana.com
)","status":"enabled","using":["web"]},"portainer@docker":{"entryPoints":["portainer"],"service":"portainer","rule":"Host(traefik.portainer.com
)","status":"enabled","using":["portainer"]},"prometheus@docker":{"entryPoints":["web"],"service":"prometheus","rule":"Host(traefik.prometheus.com
)","status":"enabled","using":["web"]},"prometheus@internal":{"entryPoints":["traefik"],"service":"prometheus@internal","rule":"PathPrefix(/metrics
)","priority":2147483647,"status":"enabled","using":["traefik"]},"traefik-traefik@docker":{"entryPoints":["kibana","portainer","web","web-secured"],"service":"dummy-svc","rule":"Host(traefik-traefik
)","status":"enabled","using":["kibana","portainer","web","web-secured"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"dummy-svc@docker":{"loadBalancer":{"servers":[{"url":"http://10.0.0.27:9999"},{"url":"http://10.0.0.28:9999"},{"url":"http://10.0.0.29:9999"}],"passHostHeader":true},"status":"enabled","usedBy":["traefik-traefik@docker"],"serverStatus":{"http://10.0.0.27:9999":"UP","http://10.0.0.28:9999":"UP","http://10.0.0.29:9999":"UP"}},"grafana@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.6:3000"}],"passHostHeader":true},"status":"enabled","usedBy":["grafana@docker"],"serverStatus":{"http://172.0.10.6:3000":"UP"}},"kibana@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.44:5601"}],"passHostHeader":true},"status":"enabled","usedBy":["kibana@docker"],"serverStatus":{"http://172.0.10.44:5601":"UP"}},"noop@internal":{"status":"enabled"},"portainer@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.30:9000"}],"passHostHeader":true},"status":"enabled","usedBy":["portainer@docker"],"serverStatus":{"http://172.0.10.30:9000":"UP"}},"prometheus@docker":{"loadBalancer":{"servers":[{"url":"http://172.0.10.48:9090"}],"passHostHeader":true},"status":"enabled","usedBy":["prometheus@docker"],"serverStatus":{"http://172.0.10.48:9090":"UP"}},"prometheus@internal":{"status":"enabled","usedBy":["prometheus@internal"]}},"tcpRouters":{"apache_server@docker":{"entryPoints":["web-secured"],"service":"apache_server","rule":"HostSNI(https://172.23.17.226:443
)","tls":{"passthrough":true},"status":"enabled","using":["web-secured"]}},"tcpServices":{"apache_server@docker":{"loadBalancer":{"terminationDelay":100,"servers":[{"address":"172.0.10.3:443"}]},"status":"enabled","usedBy":["apache_server@docker"]}}}
curl command, client side (172.23.17.226):
[root@my docker-traefik-prometheus]# curl -k -v https://172.23.17.226:443
- About to connect() to 172.23.17.226 port 443 (#0)
- Trying 172.23.17.226...
- Connected to 172.23.17.226 (172.23.17.226) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- skipping SSL peer certificate verification
- SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Server certificate:
-
subject: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
-
start date: Apr 20 10:35:39 2020 GMT
-
expire date: Apr 20 10:35:39 2021 GMT
-
common name: b89efdb12d33
-
issuer: E=root@b89efdb12d33,CN=b89efdb12d33,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 172.23.17.226
Accept: /
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 06 Nov 2020 15:06:55 GMT
< Content-Length: 19
<
404 page not found
- Connection #0 to host 172.23.17.226 left intact
tcpdump, Apache server side:
Thank you,
Luca