TLS options for sniStrict=false in TCP router

Hi, we have the following service:

```yaml
  mqtt:
    image: eclipse-mosquitto:1.6.7
    container_name: mqtt
    restart: unless-stopped
    volumes:
      - /opt/mosquitto/config:/mosquitto/config
      - /opt/mosquitto/log:/mosquitto/log
      - /opt/mosquitto/data:/mosquitto/data
    ports:
      - "8883:8883"
    logging:
      options:
        max-size: 100m
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.mqtt.tls=true"
      - "traefik.tcp.routers.mqtt.rule=HostSNI(`mqtt.ourdomain.tld`)"
      - "traefik.tcp.routers.mqtt.tls.certResolver=le"
      # label prefix was misspelled "treafik." (Traefik ignores unknown prefixes)
      - "traefik.tcp.routers.mqtt.service=mqtt-svc"
      # Docker labels index domains: tls.domains[0].main, not tls.domains.main
      - "traefik.tcp.routers.mqtt.tls.domains[0].main=mqtt.cold.its.be.continental.cloud"
      - "traefik.tcp.services.mqtt-svc.loadbalancer.server.port=1883"
      # references a named TLS option set; the set itself has to be defined in a
      # dynamic provider (file, CRD), Traefik does not read option definitions from labels
      - "traefik.tcp.routers.mqtt.tls.options=mqtt"
      - "traefik.tls.options.mqtt.sniStrict=false"
```

When not using TLS, everything is fine. When using TLS, only newer MQTT clients/libraries that support the HostSNI feature can connect.

Unfortunately, we have to be compatible with older clients that do not support the TLS extension.

The result should be that Traefik does the TLS termination and forwards all traffic that comes in through the mqtt entrypoint to the mqtt service, whilst using the Let's Encrypt certificate defined in HostSNI...

Our approach now was to disable the sniStrict check, but it seems the tls.options reference above does nothing :frowning:

Does anyone have an idea how to achieve this?

I'm pretty sure the TLS options can only be set in the dynamic file provider or Kubernetes.

I only got it working with a file provider.

@anle did you find a solution?

PS: also setting sniStrict: false in the provider files seems not to help.

sniStrict is false by default.

I have a similar issue where I wanted the DNS-over-TLS clients that do not support SNI to use the ACME cert rather than the default certificate.

Right now, with sniStrict=true, the connection attempt is rejected (correctly so):

```
strict SNI enabled - No certificate found for domain: "", closing connection
```

But with sniStrict=false, the connection is allowed, but the default certificate is served, due to the lack of an ACME cert that matches the SNI, which is "" (empty).

There should be a way to tell Traefik to always serve the ACME cert even if the SNI lookup fails, similar to sniStrict=false but without searching for certs that match the empty SNI.

Edit: Found the bug for the same: Allow assuming default host if no SNI indication is given (for Let's Encrypt) · Issue #8123 · traefik/traefik (github.com)
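A quick way to confirm the behaviour described in this thread (and to re-check it after a Traefik upgrade) is to handshake with the endpoint twice, once with SNI and once without, and see whether the no-SNI connection still receives a certificate valid for the host. This is an added probe script, not code from Traefik or from the posters; the host and port are placeholders, and a legacy client that sends no SNI is simulated by passing `server_hostname=None`.

```python
import socket
import ssl

def san_dns_names(cert):
    # DNS entries of the subjectAltName in a dict as returned by getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_in_san(hostname, names):
    """Exact or single-label wildcard match, case-insensitive."""
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def assess(host, cert, send_sni):
    """Pure classification step, so the logic can be checked without a network."""
    names = san_dns_names(cert)
    return {"sni": send_sni, "chain_ok": True, "san": names,
            "host_match": hostname_in_san(host, names)}

def probe(host, port, send_sni):
    """Handshake once and report which certificate was served. verify_mode stays
    CERT_REQUIRED, so Traefik's self-signed default cert surfaces as an error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # SAN is matched in assess(); needed for the no-SNI case
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"sni": send_sni, "chain_ok": False, "san": [], "host_match": False,
                "error": str(err)}
    return assess(host, cert, send_sni)

def verdict(with_sni, without_sni):
    if with_sni["host_match"] and not without_sni["host_match"]:
        return "clients that send no SNI receive the default certificate"
    if with_sni["host_match"]:
        return "the host certificate is served with and without SNI"
    return "the host certificate is not served even with SNI"
if __name__ == "__main__":
    import sys  # usage: probe.py mqtt.example.test 8883 (placeholder host/port)
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8883
    results = [probe(host, port, True), probe(host, port, False)]
    print(*results, verdict(*results), sep="\n")
```

With the setup from this thread the expected outcome is a verified Let's Encrypt chain on the SNI probe and a verification error on the no-SNI probe, which is exactly the case issue #8123 is about.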
